Windows Analysis Report Doc2.xlsx
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
(Source column empty; 19 matches in total, 14 not shown) |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
(Source column empty; 13 matches in total, 8 not shown) |
Sigma Overview |
---|
Exploits: |
---|
Sigma detected: EQNEDT32.EXE connecting to internet |
Source: | Author: Joe Security |
Sigma detected: File Dropped By EQNEDT32EXE |
Source: | Author: Joe Security |
System Summary: |
---|
Sigma detected: Droppers Exploiting CVE-2017-11882 |
Source: | Author: Florian Roth |
Sigma detected: Execution from Suspicious Folder |
Source: | Author: Florian Roth |
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: | (4 dropped files; see the Dropped Files table below) |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Exploits: |
---|
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802) |
Source: | Process created: | (3 entries) |
Source: | File opened: |
Source: | Binary string: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | Memory has grown: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (36 entries) |
Source: | Window created: |
System Summary: |
---|
.NET source code contains very large strings |
Source: | Long String: |
Office equation editor drops PE file |
Source: | File created: | (2 dropped files) |
Source: | Memory allocated: | (12 entries) |
Source: | Code function: | (123 entries) |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Dropped File: | (3 entries) |
Source: | Static PE information: | (2 entries) |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Console Write: | (5 entries) |
Source: | Section loaded: | (6 entries) |
Source: | WMI Queries: | (18 entries) |
Source: | File read: |
Source: | Key opened: |
Source: | File read: | (3 entries) |
Source: | ReversingLabs: |
Source: | Process created: | (18 entries) |
Source: | Key value queried: |
Source: | Window detected: |
Source: | File opened: |
Source: | Key opened: |
Source: | Static file information: |
Source: | File opened: |
Source: | Binary string: |
Source: | Initial sample: |
Source: | Initial sample: |
Data Obfuscation: |
---|
.NET source code contains potential unpacker |
Source: | .Net Code: |
Source: | Code function: | (8 entries) |
Source: | Static PE information: | (2 entries) |
Source: | File created: | (5 dropped files) |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: | Process created: |
Source: | Registry value created or modified: | (2 entries) |
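The persistence evidence above (schtasks.exe and a Run key) closes the chain that the Sigma hits at the top of the report open: EQNEDT32.EXE spawning a process, connecting out and dropping a file, after which the dropped AgentTesla payload persists and, per the extracted configuration, exfiltrates over SMTP. The following is an added example and is not part of the Joe Sandbox report, nor Joe Security's or Florian Roth's Sigma code: it replays that chain as constructed Sysmon-style events and evaluates Sigma-like rules over them, including ancestry rules that walk the process tree rather than looking only at the direct parent. Paths, PIDs, the drop name updater.exe, the download host payload.example and the SMTP port 587 are assumptions; only the exfiltration host mail.spamora.net comes from the report.

```python
"""Replays the execution chain described in this report against Sigma-style rules.
Added example: the events are constructed Sysmon-like records (paths, PIDs, the
drop name and the download host are made up; the SMTP port is an assumption) and
the rule names are this example's own, not Joe Security's or Florian Roth's."""
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # Sysmon IDs: 1 process create, 3 network connect, 11 file create, 13 registry set
    image: str
    pid: int
    parent_pid: int = 0
    parent_image: str = ""
    command_line: str = ""
    target: str = ""       # destination host, created file or registry value, depending on event_id
    dest_port: int = 0


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


# EQNEDT32.EXE is started by DCOM, so its parent is svchost.exe rather than EXCEL.EXE.
# A rule keyed on "Office spawned a child" therefore never sees it; the rules below
# match on the editor itself, and the ancestry check treats it as an Office host.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def build_tree(events):
    """pid -> (image, parent_pid) from process-creation events (PID reuse ignored)."""
    return {e.pid: (e.image, e.parent_pid) for e in events if e.event_id == 1}


def lineage(pid, tree):
    """Image names of a process and its known ancestors, nearest first."""
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, pid = tree[pid]
        out.append(base(image))
    return out


def from_office_tree(ev, tree):
    return bool(OFFICE_HOSTS & set(lineage(ev.pid, tree)))


RULES = {
    "eqnedt32_spawns_process": lambda ev, t: ev.event_id == 1 and base(ev.parent_image) == "eqnedt32.exe",
    "eqnedt32_network_connect": lambda ev, t: ev.event_id == 3 and base(ev.image) == "eqnedt32.exe",
    "eqnedt32_drops_pe": lambda ev, t: (ev.event_id == 11 and base(ev.image) == "eqnedt32.exe"
                                        and ev.target.lower().endswith((".exe", ".dll"))),
    "office_tree_schtasks_create": lambda ev, t: (ev.event_id == 1 and base(ev.image) == "schtasks.exe"
                                                  and "/create" in ev.command_line.lower()
                                                  and from_office_tree(ev, t)),
    "office_tree_run_key": lambda ev, t: (ev.event_id == 13 and "\\currentversion\\run\\" in ev.target.lower()
                                          and from_office_tree(ev, t)),
    # AgentTesla's SMTP exfiltration: mail submission from anything that is not a mail client.
    "smtp_from_non_mail_client": lambda ev, t: (ev.event_id == 3 and ev.dest_port in (25, 465, 587)
                                                and base(ev.image) not in MAIL_CLIENTS),
}


def detect(events):
    """Return (rule, pid, image) for every event/rule pair that matches."""
    tree = build_tree(events)
    return [(name, ev.pid, base(ev.image)) for ev in events for name, rule in RULES.items() if rule(ev, tree)]


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\user\AppData\Roaming\updater.exe"  # hypothetical drop path
EVENTS = [  # constructed, in the order the report's chain implies
    Event(1, EXCEL, 100, 10, r"C:\Windows\explorer.exe", "EXCEL.EXE Doc2.xlsx"),
    Event(1, EQNEDT, 200, 20, r"C:\Windows\System32\svchost.exe", '"EQNEDT32.EXE" -Embedding'),
    Event(3, EQNEDT, 200, target="payload.example", dest_port=80),
    Event(11, EQNEDT, 200, target=DROPPED),
    Event(1, DROPPED, 300, 200, EQNEDT, DROPPED),
    Event(1, r"C:\Windows\System32\schtasks.exe", 400, 300, DROPPED,
          r'schtasks.exe /Create /TN "Updates\updater" /XML "C:\Users\user\AppData\Local\Temp\tmp1.tmp"'),
    Event(13, DROPPED, 300, target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(3, DROPPED, 300, target="mail.spamora.net", dest_port=587),
    # benign noise that must stay quiet: an admin's scheduled task and a real mail client
    Event(1, r"C:\Windows\System32\schtasks.exe", 500, 10, r"C:\Windows\explorer.exe",
          "schtasks /Create /TN Backup /TR backup.cmd /SC DAILY"),
    Event(3, r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE", 600, target="mail.example", dest_port=587),
]

if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule:28} pid={pid:<4} {image}")
```

Running it prints six hits, one per rule, and nothing for the two benign events. The ancestry check is what ties the later schtasks.exe and Run-key writes back to the document even though their direct parent is the dropped payload; since the Equation Editor's own parent is svchost.exe, that walk would stop short of EXCEL.EXE, which is why EQNEDT32.EXE is listed as an Office host.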
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) |
Source: | File opened: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | (198 entries) |
Source: | Stream path 'EncryptedPackage' entropy: |
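The "OLE stream indicators" and the "EncryptedPackage" entropy evidence in this report are static-triage signals: an .xlsx that is really an OLE2 compound file carrying an EncryptedPackage stream is an encrypted OOXML package whose workbook a scanner cannot inspect (Excel opens a package encrypted with its default password "VelvetSweatshop" without prompting, so that stream in an unsolicited spreadsheet deserves a look), and an Equation Editor object ("Equation Native" stream) is the attack surface for the CVE-2017-11882 / CVE-2018-0802 exploitation the sandbox observed. The following is an added example, not part of the Joe Sandbox report and not Joe Security's tooling: a standard-library-only compound-file parser that enumerates streams, reads them through the regular and mini FAT, and reports size and entropy with a triage note. The file it parses is a fixture constructed by build_cfb(), not Doc2.xlsx; the stream names and descriptions in SUSPICIOUS are general triage knowledge rather than facts from this report.

```python
"""OLE2 / Compound File stream triage for a maldoc like the one in this report.
Added example, standard library only: it parses a constructed fixture from
build_cfb(), not Doc2.xlsx, and the flagged stream names are general triage knowledge."""
import math
import struct
from collections import Counter

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
SUSPICIOUS = {  # stream name -> why a triager cares
    "EncryptedPackage": "encrypted OOXML payload; static scanners cannot see the real workbook",
    "Equation Native": "Equation Editor 3.0 object, the CVE-2017-11882 / CVE-2018-0802 attack surface",
    "\x01Ole10Native": "embedded native file (packager object)",
}

def entropy(data):
    n = len(data)  # Shannon entropy in bits per byte; close to 8.0 means encrypted or compressed
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class OleFile:
    """Just enough of MS-CFB to enumerate directory entries and read streams."""
    def __init__(self, blob):
        if blob[:8] != MAGIC:
            raise ValueError("not an OLE2 compound file")
        sec_shift, mini_shift = struct.unpack_from("<HH", blob, 30)
        num_fat, first_dir, _, self.cutoff, first_minifat = struct.unpack_from("<IIIII", blob, 44)
        self.blob, self.ssz, self.msz = blob, 1 << sec_shift, 1 << mini_shift
        # Only the 109 DIFAT entries in the header are followed (enough for files under ~7 MB).
        self.fat = self._table(struct.unpack_from("<109I", blob, 76)[:num_fat])
        # Directory slots are walked linearly rather than via the red-black tree, so an
        # unlinked ("orphaned") stream is listed instead of silently skipped.
        self.dir = list(self._entries(self._chain(self.fat, first_dir)))
        if not self.dir:
            raise ValueError("empty or unreadable directory")
        self.minifat = self._table(self._chain(self.fat, first_minifat))
        self.ministream = b"".join(self._sector(s) for s in self._chain(self.fat, self.dir[0]["start"]))
    def _sector(self, i):
        return self.blob[(i + 1) * self.ssz:(i + 2) * self.ssz]
    def _table(self, sectors):
        raw = b"".join(self._sector(s) for s in sectors)
        return list(struct.unpack(f"<{len(raw) // 4}I", raw))
    def _chain(self, table, start):
        out = []  # bounds and cycle checks: a looping FAT is a classic parser DoS
        while start <= MAXREGSECT and start < len(table) and start not in out:
            out.append(start)
            start = table[start]
        return out
    def _entries(self, sectors):
        raw = b"".join(self._sector(s) for s in sectors)
        for off in range(0, len(raw) - 127, 128):
            nlen, otype = struct.unpack_from("<HB", raw, off + 64)
            if otype == 0:
                continue  # unused slot
            start, size = struct.unpack_from("<IQ", raw, off + 116)
            size = size & 0xFFFFFFFF if self.ssz == 512 else size  # v3 files: high 32 size bits are unused
            yield {"name": raw[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace"),
                   "type": otype, "start": start, "size": size}
    def read(self, entry):
        if entry["size"] < self.cutoff and entry["type"] != 5:  # small streams sit in the mini stream
            chunks = [self.ministream[s * self.msz:(s + 1) * self.msz] for s in self._chain(self.minifat, entry["start"])]
        else:
            chunks = [self._sector(s) for s in self._chain(self.fat, entry["start"])]
        return b"".join(chunks)[:entry["size"]]

def triage(blob):
    ole = OleFile(blob)
    return [{"name": e["name"], "size": e["size"], "entropy": round(entropy(ole.read(e)), 2),
             "note": SUSPICIOUS.get(e["name"])} for e in ole.dir if e["type"] == 2]

def build_cfb(streams):
    """Fixture writer: v3 file (512-byte sectors, one FAT + one directory sector) for <= 3 streams."""
    fat, data, mini, minifat, entries = [FATSECT, ENDOFCHAIN], b"", b"", [], []
    def alloc(payload, table, secsz):  # append a sector chain to table; return (first, padded)
        first, n = len(table), max(1, -(-len(payload) // secsz))
        table.extend(first + i + 1 for i in range(n - 1))
        table.append(ENDOFCHAIN)
        return first, payload.ljust(n * secsz, b"\0")
    for name, payload in streams.items():
        small = len(payload) < 4096  # below the cutoff a stream lives in the mini stream
        first, padded = alloc(payload, minifat if small else fat, 64 if small else 512)
        mini, data = (mini + padded, data) if small else (mini, data + padded)
        entries.append((name, 2, first, len(payload)))
    ms_first, padded = alloc(mini, fat, 512)  # the mini stream is itself a regular chain
    mf_first, mf_padded = alloc(struct.pack(f"<{len(minifat)}I", *minifat), fat, 512)
    data += padded + mf_padded
    entries.insert(0, ("Root Entry", 5, ms_first, len(mini)))
    fat += [FREESECT] * (128 - len(fat))
    directory = b""
    for idx, (name, otype, start, size) in enumerate(entries):
        raw = name.encode("utf-16-le") + b"\0\0"
        child = 1 if otype == 5 and len(entries) > 1 else 0xFFFFFFFF  # 0xFFFFFFFF = NOSTREAM
        right = idx + 1 if 0 < idx < len(entries) - 1 else 0xFFFFFFFF
        directory += (raw.ljust(64, b"\0") + struct.pack("<HBBIII", len(raw), otype, 1, 0xFFFFFFFF, right, child)
                      + bytes(16) + struct.pack("<IQQIQ", 0, 0, 0, start, size))
    header = MAGIC + bytes(16) + struct.pack("<HHHHH6xIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6,
                                              0, 1, 1, 0, 4096, mf_first, 1, ENDOFCHAIN, 0)
    return header + struct.pack("<109I", 0, *[FREESECT] * 108) + struct.pack("<128I", *fat) + directory.ljust(512, b"\0") + data

# Constructed sample: a 5 KiB uniform-byte "EncryptedPackage" (entropy 8.0) plus a 64-byte
# "Equation Native" stream, which exercises the mini-stream read path.
SAMPLE = build_cfb({"EncryptedPackage": bytes(range(256)) * 20, "Equation Native": b"\x1c" + b"\0" * 3 + b"A" * 60})
```

triage(SAMPLE) returns one record per stream; on the fixture the EncryptedPackage entry comes back with entropy 8.0 and the Equation Native entry with its triage note, which is the combination this report's static indicators describe. On a real file pass the document bytes instead of SAMPLE; the parser deliberately follows neither the directory tree nor DIFAT sectors beyond the header, so very large files need those added.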
Malware Analysis System Evasion: |
---|
Yara detected AntiVM3 |
Source: | File source: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: | (2 entries) |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: | (2 entries) |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | (2 entries) |
Source: | Thread delayed: | (4 entries) |
Source: | Window / User API: | (2 entries) |
Source: | Thread sleep time: | (12 entries) |
Source: | Thread sleep count: | (3 entries) |
Source: | WMI Queries: | (18 entries) |
Source: | Last function: | (2 entries) |
Source: | Thread delayed: | (6 entries) |
Source: | Binary or memory string: | (10 entries) |
Source: | Process information queried: |
Source: | Process token adjusted: | (3 entries) |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Injects a PE file into foreign processes |
Source: | Memory written: | (3 entries) |
Source: | Process created: | (7 entries) |
Source: | Binary or memory string: | (3 entries) |
Source: | Queries volume information: | (8 entries) |
Source: | Key value queried: |
Source: | Registry key created or modified: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: | (16 entries) |
Yara detected AgentTesla |
Source: | File source: | (21 entries) |
Source: | File source: | (4 entries) |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: | (16 entries) |
Yara detected AgentTesla |
Source: | File source: | (21 entries) |
Mitre Att&ck Matrix |
---|
Only the techniques that carry a hit counter (rendered as superscript digits in the original matrix) were matched by this analysis; the other cells of the full matrix are unmatched placeholders and are omitted here. No technique was counted under Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact. |
---|
Tactic | Technique | Hit counter |
---|---|---|
Execution | Windows Management Instrumentation | 211 |
Execution | Exploitation for Client Execution | 13 |
Execution | Command and Scripting Interpreter | 1 |
Execution | Scheduled Task/Job | 1 |
Persistence | Scheduled Task/Job | 1 |
Persistence | Registry Run Keys / Startup Folder | 1 |
Privilege Escalation | Extra Window Memory Injection | 1 |
Privilege Escalation | Process Injection | 112 |
Privilege Escalation | Scheduled Task/Job | 1 |
Privilege Escalation | Registry Run Keys / Startup Folder | 1 |
Defense Evasion | Disable or Modify Tools | 11 |
Defense Evasion | Obfuscated Files or Information | 21 |
Defense Evasion | Software Packing | 12 |
Defense Evasion | Extra Window Memory Injection | 1 |
Defense Evasion | Masquerading | 111 |
Defense Evasion | Virtualization/Sandbox Evasion | 131 |
Defense Evasion | Process Injection | 112 |
Defense Evasion | Hidden Files and Directories | 1 |
Discovery | File and Directory Discovery | 1 |
Discovery | System Information Discovery | 114 |
Discovery | Query Registry | 1 |
Discovery | Security Software Discovery | 311 |
Discovery | Process Discovery | 2 |
Discovery | Virtualization/Sandbox Evasion | 131 |
Discovery | Application Window Discovery | 1 |
Discovery | Remote System Discovery | 1 |
Collection | Archive Collected Data | 1 |
Collection | Clipboard Data | 1 |
Command and Control | Ingress Tool Transfer | 2 |
Command and Control | Encrypted Channel | 1 |
Command and Control | Non-Standard Port | 1 |
Command and Control | Non-Application Layer Protocol | 2 |
Command and Control | Application Layer Protocol | 22 |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
Doc2.xlsx | 28% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802 | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
 | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
 | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
 | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
(Source column empty: the four dropped file names are not shown) |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
 | 100% | Avira | HEUR/AGEN.1138205 | | |
 | 100% | Avira | HEUR/AGEN.1138205 | | |
 | 100% | Avira | HEUR/AGEN.1138205 | | |
(Source column empty: the three unpacked PE names are not shown) |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(42 URLs in total; the URL strings are not shown) | | | | |
41 URLs | 0% | URL Reputation (36) / Avira URL Cloud (5) | safe | |
1 URL | 100% | Avira URL Cloud | malware | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
mail.spamora.net | 185.26.106.194 | true | true | unknown | |
arkemagrup.com | 185.26.106.165 | true | true | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | low |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.26.106.194 | mail.spamora.net | France | 24935 | ATE-ASFR | true | |
185.26.106.165 | arkemagrup.com | France | 24935 | ATE-ASFR | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 452692 |
Start date: | 22.07.2021 |
Start time: | 18:11:08 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Doc2.xlsx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 17 |
Number of new started drivers analysed: | 2 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLSX@18/28@7/2 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
18:12:08 | API Interceptor | |
18:12:10 | API Interceptor | |
18:12:45 | API Interceptor | |
18:13:05 | Autostart | |
18:13:13 | Autostart | |
18:13:14 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.26.106.194 | | | malicious | | |
185.26.106.165 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
mail.spamora.net | | | malicious | | |
arkemagrup.com | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ATE-ASFR | | | malicious | | |
ATE-ASFR | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | | | malicious | | |
C:\Users\user\AppData\Roaming\WzyRXCWtdGSdEA.exe | | | malicious | | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Users\Public\vbc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61020 |
Entropy (8bit): | 7.994886945086499 |
Encrypted: | true |
SSDEEP: | 1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm |
MD5: | 2902DE11E30DCC620B184E3BB0F0C1CB |
SHA1: | 5D11D14A2558801A2688DC2D6DFAD39AC294F222 |
SHA-256: | E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544 |
SHA-512: | EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0 |
Malicious: | false |
Process: | C:\Users\Public\vbc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 326 |
Entropy (8bit): | 3.1392054451166236 |
Encrypted: | false |
SSDEEP: | 6:kKjafqdoW+N+SkQlPlEGYRMY9z+4KlDA3RUeIlD1Ut:OG5kPlE99SNxAhUe0et |
MD5: | 73D434F5661B6D463F837080EA943642 |
SHA1: | 2CD8845DF98F90DB4BF2DD9209A13437A63DB3B0 |
SHA-256: | EF803AE8B228F3D5EEF8B4DB9F65942A0F90D72579AF0470F87DD1A5AA8A06D6 |
SHA-512: | 88D5DFB03A5EE72A3D41877CB900AE4160BE6D70A8EEE75D9F6C6601B6D0AC1FD8356CDFF075ECE6FCD3A3F63B04C14471C507BBDC3C79E41D29F7165883EDA5 |
Malicious: | false |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 479232 |
Entropy (8bit): | 7.4170903584629215 |
Encrypted: | false |
SSDEEP: | 12288:NUdeni+TLedHTiw3CzfM5B2OR0GU4V24TfWOQCs/I:KciCqdziw3KeRHtJHs/I |
MD5: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
SHA1: | 6C0B89DC4C773E51D660780450CBD148F2FF3211 |
SHA-256: | 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1 |
SHA-512: | B6804A6968FA7A6F68D1A8F6161A0C69584DBFEB88EFF5F7784C259F2886FE1B444438576D47AB5DDA24496A619DFBFFE02050BC679A3F3E13DD6BC82F61C3C1 |
Malicious: | true |
IE Cache URL: | http://arkemagrup.com/Doc_87654334567.exe |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 11303 |
Entropy (8bit): | 7.909402464702408 |
Encrypted: | false |
SSDEEP: | 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN |
MD5: | 9513E5EF8DDC8B0D9C23C4DFD4AEECA2 |
SHA1: | E7FC283A9529AA61F612EC568F836295F943C8EC |
SHA-256: | 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C |
SHA-512: | 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 648132 |
Entropy (8bit): | 2.8123789386507605 |
Encrypted: | false |
SSDEEP: | 3072:z34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:74UcLe0JOcXuunhqcS |
MD5: | 6CB928BE3E67F24A61029E293EF3D385 |
SHA1: | 2026D18C43EC013CCABD05193648ED51F11723D6 |
SHA-256: | 27BB1F6D2D0771E33EEABDC1A8884E798B802497B0ADD328EF2967BEC69481AA |
SHA-512: | FD5DC00F1513E2740D488D63B73D529279635D52BE9CEFD29B23018ABEF9776D602BB7C6644510E6731451B78C104F2B57DCC462C210CBF66B8B5EB919EFFC3B |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 94963 |
Entropy (8bit): | 7.9700481154985985 |
Encrypted: | false |
SSDEEP: | 1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB |
MD5: | 17EC925977BED2836071429D7B476809 |
SHA1: | 7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C |
SHA-256: | 83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9 |
SHA-512: | 3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 62140 |
Entropy (8bit): | 7.529847875703774 |
Encrypted: | false |
SSDEEP: | 1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF |
MD5: | 722C1BE1697CFCEAE7BDEFB463265578 |
SHA1: | 7D300A2BAB951B475477FAA308E4160C67AD93A9 |
SHA-256: | 2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE |
SHA-512: | 2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 7608 |
Entropy (8bit): | 5.0848395387371825 |
Encrypted: | false |
SSDEEP: | 96:+SpE1LSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Sq+sW31RGtdVDYM3VfmkpH |
MD5: | 59A006365F7CA7E6809AEC593181D9BA |
SHA1: | DDBB1CBA3306CEC237FB6D0130AD72B7EFF610BC |
SHA-256: | 8C2E1E41CEB13848ADEA43DEA1382211D57B0C72B505D4E6054F7505ED624B4E |
SHA-512: | 187F9B65553198DF1B17083A86B5EF2D3610445094A2D29C77E1A142E1E8CBCD50F044DE3089509FFA43E7E1C41161FF1DB6E96620867666E0FB4B05C89652B4 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 85020 |
Entropy (8bit): | 7.2472785111025875 |
Encrypted: | false |
SSDEEP: | 768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip |
MD5: | 738BDB90A9D8929A5FB2D06775F3336F |
SHA1: | 6A92C54218BFBEF83371E825D6B68D4F896C0DCE |
SHA-256: | 8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB |
SHA-512: | 48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1254 |
Entropy (8bit): | 5.835900066445133 |
Encrypted: | false |
SSDEEP: | 24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3 |
MD5: | A3C62E516777C15BF216F12143693C61 |
SHA1: | 277BFA1F59B59276EF52EF39AE26D4DD3BDB285F |
SHA-256: | 616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408 |
SHA-512: | AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2 |
Malicious: | false |
Process: | C:\Users\Public\vbc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 158974 |
Entropy (8bit): | 6.311775051607851 |
Encrypted: | false |
SSDEEP: | 1536:ilqXley2pR737/99UF210gNucQodv+1//dMrYJntYyjCQx7s2t6OGP:iQXipR7O/gNuc/v+lXjCQ7sO0 |
MD5: | E4731F8A3E7352DBA44EC7D3DD15BAEA |
SHA1: | D5CA0025FBD356DEB8EDE35001F93039625562A5 |
SHA-256: | 6C78EF77ACEF978321CCD30EE126FB7D30285BC186DDBDBE8B3E8F6E69D01353 |
SHA-512: | E68BA11A73E28404A274F0EE4ECC97A8BEFEDB91A20BDC5B00C72AE8928DD63924E351BE8A88E40960D54CE07E21EA21710DB0DFA00A5558C4264490E27B6988 |
Malicious: | false |
Process: | C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1626 |
Entropy (8bit): | 5.159109128857439 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbhZ7ClNQi/rydbz9I3YODOLNdq3z |
MD5: | 2A11DAC0B7306A104AFCC907AE492B39 |
SHA1: | CE842A57682BA01171DBBFB98C189DE9920B42CA |
SHA-256: | 92866CDA7C15EBE0904C2F5BB77D1764EBC9577E7ADE131AE9EECD0378EB9151 |
SHA-512: | 5187B3DBE1BF2E63A02B6F3263BC30F92C15EC04575E2FB4DBE6C5C837BA05C6A7FB091462D1FAA8C2ED8E646C82B4D7F5D88A2B3A94B3A05C6518197942FCCD |
Malicious: | false |
Process: | C:\Users\Public\vbc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1626 |
Entropy (8bit): | 5.159109128857439 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbhZ7ClNQi/rydbz9I3YODOLNdq3z |
MD5: | 2A11DAC0B7306A104AFCC907AE492B39 |
SHA1: | CE842A57682BA01171DBBFB98C189DE9920B42CA |
SHA-256: | 92866CDA7C15EBE0904C2F5BB77D1764EBC9577E7ADE131AE9EECD0378EB9151 |
SHA-512: | 5187B3DBE1BF2E63A02B6F3263BC30F92C15EC04575E2FB4DBE6C5C837BA05C6A7FB091462D1FAA8C2ED8E646C82B4D7F5D88A2B3A94B3A05C6518197942FCCD |
Malicious: | true |
Process: | C:\Users\Public\vbc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 479232 |
Entropy (8bit): | 7.4170903584629215 |
Encrypted: | false |
SSDEEP: | 12288:NUdeni+TLedHTiw3CzfM5B2OR0GU4V24TfWOQCs/I:KciCqdziw3KeRHtJHs/I |
MD5: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
SHA1: | 6C0B89DC4C773E51D660780450CBD148F2FF3211 |
SHA-256: | 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1 |
SHA-512: | B6804A6968FA7A6F68D1A8F6161A0C69584DBFEB88EFF5F7784C259F2886FE1B444438576D47AB5DDA24496A619DFBFFE02050BC679A3F3E13DD6BC82F61C3C1 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 479232 |
Entropy (8bit): | 7.4170903584629215 |
Encrypted: | false |
SSDEEP: | 12288:NUdeni+TLedHTiw3CzfM5B2OR0GU4V24TfWOQCs/I:KciCqdziw3KeRHtJHs/I |
MD5: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
SHA1: | 6C0B89DC4C773E51D660780450CBD148F2FF3211 |
SHA-256: | 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1 |
SHA-512: | B6804A6968FA7A6F68D1A8F6161A0C69584DBFEB88EFF5F7784C259F2886FE1B444438576D47AB5DDA24496A619DFBFFE02050BC679A3F3E13DD6BC82F61C3C1 |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.994513765705169 |
TrID: |
|
File name: | Doc2.xlsx |
File size: | 1239552 |
MD5: | 7848697a2cff990710c69e8d97e55c13 |
SHA1: | 9af272f7dedd808c48b03d98d7eb75356b74f6ee |
SHA256: | ef17f47bcdb067d712661ddadff8ebee2924282c7fe21edd237e8094cc4ebdb0 |
SHA512: | ec702b7110b6bebb405442a297221a20e4339cd5997323b7fd86bf6ee58cd68d8fe14f4156cc13e482734ff849686fe0bd3c23674ad4b61b76bd3d26714c27ff |
SSDEEP: | 24576:552SgH474uoQ5xCHB+kXRPewR/LK9TevVGPYQuboKULGA:55us4hQS+khvRDKdGVG6kKG |
File Icon |
---|
Icon Hash: | e4e2aa8aa4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "Doc2.xlsx" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | True |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Streams |
---|
Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64 |
---|
General | |
---|---|
Stream Path: | \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace |
File Type: | data |
Stream Size: | 64 |
Entropy: | 2.73637206947 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . |
Data Raw: | 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00 |
Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112 |
---|
General | |
---|---|
Stream Path: | \x6DataSpaces/DataSpaceMap |
File Type: | data |
Stream Size: | 112 |
Entropy: | 2.7597816111 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . . |
Data Raw: | 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00 |
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200 |
---|
General | |
---|---|
Stream Path: | \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary |
File Type: | data |
Stream Size: | 200 |
Entropy: | 3.13335930328 |
Base64 Encoded: | False |
Data ASCII: | X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 |
Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76 |
---|
General | |
---|---|
Stream Path: | \x6DataSpaces/Version |
File Type: | data |
Stream Size: | 76 |
Entropy: | 2.79079600998 |
Base64 Encoded: | False |
Data ASCII: | < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . . |
Data Raw: | 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00 |
Stream Path: EncryptedPackage, File Type: data, Stream Size: 1225928 |
---|
General | |
---|---|
Stream Path: | EncryptedPackage |
File Type: | data |
Stream Size: | 1225928 |
Entropy: | 7.99880681599 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . H . . T . . . . t . . . 4 . . . . T , . . . . k \\ . . . 0 . . 8 . A . . . . . . . . . o . . . * . . . ( . ( 1 . . . S j . f E . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) \\ u . . . . . . . v % q . Z p ) |
Data Raw: | b5 b4 12 00 00 00 00 00 dd 48 dc b9 54 cd c0 13 14 74 b8 08 e8 34 d1 2e 1e b4 54 2c de c6 d5 c6 6b 5c f4 0b f5 30 01 d1 38 07 41 c8 f4 b2 fe e6 1f b2 d0 d6 6f 93 09 e1 2a ca 95 f9 28 93 28 31 f0 9a de 53 6a fb 66 45 0a 76 25 71 c0 5a 70 29 5c 75 cf 02 11 1a f9 f7 0a 76 25 71 c0 5a 70 29 5c 75 cf 02 11 1a f9 f7 0a 76 25 71 c0 5a 70 29 5c 75 cf 02 11 1a f9 f7 0a 76 25 71 c0 5a 70 29 |
Stream Path: EncryptionInfo, File Type: data, Stream Size: 224 |
---|
General | |
---|---|
Stream Path: | EncryptionInfo |
File Type: | data |
Stream Size: | 224 |
Entropy: | 4.51936765196 |
Base64 Encoded: | False |
Data ASCII: | . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . - . [ n . . . U & . . 1 . # . 9 . _ 6 . S e . . . = . . k . . . . . . . L . $ G $ . h f . . C . . . e . . . | . e . . y o . . . . . |
Data Raw: | 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 22, 2021 18:12:31.099260092 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.153753996 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.153879881 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.154568911 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.208879948 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209455013 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209490061 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209507942 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209523916 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209538937 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209558010 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209579945 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209603071 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209620953 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209633112 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.209645987 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.209700108 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.209747076 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.217502117 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264138937 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264224052 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264271975 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264272928 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264297009 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264302969 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264308929 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264341116 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264357090 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264373064 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264374018 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264408112 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264409065 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264444113 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264463902 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264477015 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264492989 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264513016 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264518023 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264549971 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264553070 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264585018 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264586926 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264620066 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264621973 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264657021 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264689922 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264693975 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264695883 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264731884 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264733076 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264765978 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264767885 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264802933 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264805079 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264839888 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264863014 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264874935 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.264950037 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.264955044 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.267203093 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.323107958 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.323168039 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.323250055 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324438095 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324722052 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324742079 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324757099 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324786901 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324807882 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324830055 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324832916 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324851990 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324870110 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324873924 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324877024 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324877024 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324896097 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324898958 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324920893 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324938059 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324942112 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324944019 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324959040 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.324964046 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324985027 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.324985027 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.325006962 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325027943 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325031042 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.325052023 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325073957 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325094938 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325114965 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325119019 CEST | 49165 | 80 | 192.168.2.22 | 185.26.106.165 |
Jul 22, 2021 18:12:31.325138092 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325159073 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325180054 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325201988 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325225115 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
Jul 22, 2021 18:12:31.325247049 CEST | 80 | 49165 | 185.26.106.165 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 22, 2021 18:12:30.965214014 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:12:31.022859097 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:12:31.023108959 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:12:31.081767082 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:36.833220005 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:36.891352892 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:37.990926981 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:38.042025089 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:38.055355072 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:38.113610983 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:38.116096020 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:38.174209118 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:38.998492956 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:39.056665897 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:39.065907955 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:39.122867107 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:40.309792995 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:40.369712114 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22 |
Jul 22, 2021 18:13:40.370260000 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8 |
Jul 22, 2021 18:13:40.433701992 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 22, 2021 18:12:30.965214014 CEST | 192.168.2.22 | 8.8.8.8 | 0xe4c3 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:12:31.023108959 CEST | 192.168.2.22 | 8.8.8.8 | 0xe4c3 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:13:36.833220005 CEST | 192.168.2.22 | 8.8.8.8 | 0xca08 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:13:38.998492956 CEST | 192.168.2.22 | 8.8.8.8 | 0x97f4 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:13:39.065907955 CEST | 192.168.2.22 | 8.8.8.8 | 0x97f4 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:13:40.309792995 CEST | 192.168.2.22 | 8.8.8.8 | 0xbefa | Standard query (0) | A (IP address) | IN (0x0001) | |
Jul 22, 2021 18:13:40.370260000 CEST | 192.168.2.22 | 8.8.8.8 | 0xbefa | Standard query (0) | A (IP address) | IN (0x0001) | |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 22, 2021 18:12:31.022859097 CEST | 8.8.8.8 | 192.168.2.22 | 0xe4c3 | No error (0) | 185.26.106.165 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:12:31.081767082 CEST | 8.8.8.8 | 192.168.2.22 | 0xe4c3 | No error (0) | 185.26.106.165 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:13:36.891352892 CEST | 8.8.8.8 | 192.168.2.22 | 0xca08 | No error (0) | 185.26.106.194 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:13:39.056665897 CEST | 8.8.8.8 | 192.168.2.22 | 0x97f4 | No error (0) | 185.26.106.194 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:13:39.122867107 CEST | 8.8.8.8 | 192.168.2.22 | 0x97f4 | No error (0) | 185.26.106.194 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:13:40.369712114 CEST | 8.8.8.8 | 192.168.2.22 | 0xbefa | No error (0) | 185.26.106.194 | A (IP address) | IN (0x0001) | ||
Jul 22, 2021 18:13:40.433701992 CEST | 8.8.8.8 | 192.168.2.22 | 0xbefa | No error (0) | 185.26.106.194 | A (IP address) | IN (0x0001) | ||
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.26.106.165 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jul 22, 2021 18:12:31.154568911 CEST | 0 | OUT | |
Jul 22, 2021 18:12:31.209455013 CEST | 1 | IN |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jul 22, 2021 18:13:37.027579069 CEST | 587 | 49166 | 185.26.106.194 | 192.168.2.22 | 220-mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:37.028069973 CEST | 49166 | 587 | 192.168.2.22 | 185.26.106.194 | EHLO 760639 |
Jul 22, 2021 18:13:37.085000038 CEST | 587 | 49166 | 185.26.106.194 | 192.168.2.22 | 220 mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:37.085051060 CEST | 587 | 49166 | 185.26.106.194 | 192.168.2.22 | 250-mail.spamora.net 250-PIPELINING 250-SIZE 80000000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Jul 22, 2021 18:13:37.086252928 CEST | 49166 | 587 | 192.168.2.22 | 185.26.106.194 | STARTTLS |
Jul 22, 2021 18:13:37.140757084 CEST | 587 | 49166 | 185.26.106.194 | 192.168.2.22 | 220 2.0.0 Ready to start TLS |
Jul 22, 2021 18:13:37.767450094 CEST | 587 | 49167 | 185.26.106.194 | 192.168.2.22 | 220-mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:37.767843962 CEST | 49167 | 587 | 192.168.2.22 | 185.26.106.194 | EHLO 760639 |
Jul 22, 2021 18:13:37.824126959 CEST | 587 | 49167 | 185.26.106.194 | 192.168.2.22 | 220 mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:37.824220896 CEST | 587 | 49167 | 185.26.106.194 | 192.168.2.22 | 250-mail.spamora.net 250-PIPELINING 250-SIZE 80000000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Jul 22, 2021 18:13:37.824469090 CEST | 49167 | 587 | 192.168.2.22 | 185.26.106.194 | STARTTLS |
Jul 22, 2021 18:13:37.879425049 CEST | 587 | 49167 | 185.26.106.194 | 192.168.2.22 | 220 2.0.0 Ready to start TLS |
Jul 22, 2021 18:13:39.233465910 CEST | 587 | 49169 | 185.26.106.194 | 192.168.2.22 | 220-mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:40.547199011 CEST | 587 | 49170 | 185.26.106.194 | 192.168.2.22 | 220-mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:40.547725916 CEST | 49170 | 587 | 192.168.2.22 | 185.26.106.194 | EHLO 760639 |
Jul 22, 2021 18:13:40.603985071 CEST | 587 | 49170 | 185.26.106.194 | 192.168.2.22 | 220 mail.spamora.net ESMTP Postfix (Debian/GNU) |
Jul 22, 2021 18:13:40.604139090 CEST | 587 | 49170 | 185.26.106.194 | 192.168.2.22 | 250-mail.spamora.net 250-PIPELINING 250-SIZE 80000000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Jul 22, 2021 18:13:40.604568005 CEST | 49170 | 587 | 192.168.2.22 | 185.26.106.194 | STARTTLS |
Jul 22, 2021 18:13:40.659290075 CEST | 587 | 49170 | 185.26.106.194 | 192.168.2.22 | 220 2.0.0 Ready to start TLS |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:11:46 |
Start date: | 22/07/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13ff10000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:12:08 |
Start date: | 22/07/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:12:10 |
Start date: | 22/07/2021 |
Path: | C:\Users\Public\vbc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10720000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
General |
---|
Start time: | 18:12:44 |
Start date: | 22/07/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb70000 |
File size: | 179712 bytes |
MD5 hash: | 2003E9B15E1C502B146DAD2E383AC1E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:12:46 |
Start date: | 22/07/2021 |
Path: | C:\Users\Public\vbc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10720000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 18:13:14 |
Start date: | 22/07/2021 |
Path: | C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10fc0000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
General |
---|
Start time: | 18:13:22 |
Start date: | 22/07/2021 |
Path: | C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10fc0000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 18:13:34 |
Start date: | 22/07/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x280000 |
File size: | 179712 bytes |
MD5 hash: | 2003E9B15E1C502B146DAD2E383AC1E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:13:34 |
Start date: | 22/07/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x280000 |
File size: | 179712 bytes |
MD5 hash: | 2003E9B15E1C502B146DAD2E383AC1E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:13:35 |
Start date: | 22/07/2021 |
Path: | C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10fc0000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
General |
---|
Start time: | 18:13:35 |
Start date: | 22/07/2021 |
Path: | C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10fc0000 |
File size: | 479232 bytes |
MD5 hash: | 6733D5E8934EAFF7C0087E7DE2C8E62A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Disassembly |
---|
Code Analysis |
---|