Windows Analysis Report inquiry[2021.09.23_12-51].xlsb
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "fvJh27FBcY4iDmo8nCK4tyEyXBN1k8EH6mQMtoi0dnoRhrc5m5vdusHgV3SXuoUGMa23szx8nbXoW/YvU6GtHhAvUSB3G4U1Ylw/Xh1SVuQ+LO6TJ5FDzvuvlg0YXcMX9mvaGnH4pn1OZPle0xacxTcEDOgypVqvi4iEgedhkhwkB6rnz9dTsvjARpuFSu5o8A6JPynuxJxchr9FkN/Fno9flLeQF+/qdSiPrlYIV9RsCbTSD+mr7xqZf1jQtWFzbzSlTV418QgPx2KC/w2jRtHZz8hTGrwmHwLbEbIJliSiQj5HSTV5xJYqQZZ7Zy9GbDv8RU+OXsPiONzK+XPKFqwVzJ1/d6Y0ElMnzCE6P84=", "c2_domain": ["apt.updateffboruse.com", "app.updatebrouser.com"], "botnet": "1500", "server": "580", "serpent_key": "H5PUPU7SQqXa0MEJ", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Yara Overview |
---|
Initial Sample |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | |
Memory Dumps |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Unpacked PEs |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Regsvr32 Anomaly |
Source: | Author: Florian Roth, oscd.community |
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Sigma detected: Suspicious WMI Execution |
Source: | Author: Michael Haag, Florian Roth, juju4, oscd.community |
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Multi AV Scanner detection for dropped file |
Source: | Metadefender: |
Source: | ReversingLabs: |
Source: | Code function: | 6_2_001A3FAB |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | Code function: | 6_2_6E2C77FF |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: |
Document exploit detected (creates forbidden files) |
Source: | File created: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Source: | DNS query: |
Source: | TCP traffic: |
Networking: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | Network traffic detected: |
Source: | String found in binary or memory: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: |
Source: | Code function: | 6_2_001A3FAB |
System Summary: |
---|
Office process drops PE file |
Source: | File created: |
Writes or reads registry keys via WMI |
Source: | WMI Queries: |
Writes registry values via WMI |
Source: | WMI Registry write: |
Contains functionality to create processes via WMI |
Source: | Binary or memory string: |
Source: | Code function: | 6_2_6E2A2274 |
Source: | Code function: | 6_2_001A7E30 |
Source: | Code function: | 6_2_001A2654 |
Source: | Code function: | 6_2_001A4FA7 |
Source: | Code function: | 6_2_6E2CC841 |
Source: | Code function: | 6_2_6E2A121F |
Source: | Code function: | 6_2_6E2A1A1C |
Source: | Code function: | 6_2_6E2A2013 |
Source: | Code function: | 6_2_6E2A2495 |
Source: | Code function: | 6_2_001A22EC |
Source: | Code function: | 6_2_001A8055 |
Source: | Process Stats: |
Source: | Dropped File: |
Source: | Memory allocated: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 6_2_001A4D62 |
Source: | File read: |
Source: | Code function: | 6_2_001A11B8 |
Source: | Joe Sandbox Cloud Basic: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: | 6_2_6E2A2219 |
Source: | Code function: | 6_2_6E2A2273 |
Source: | Code function: | 6_2_001A7E2F |
Source: | Code function: | 6_2_001A7AB9 |
Source: | Code function: | 6_2_6E2AF622 |
Source: | Code function: | 6_2_6E2AFE34 |
Source: | Code function: | 6_2_6E2B024C |
Source: | Code function: | 6_2_6E2B429F |
Source: | Code function: | 6_2_6E2B2B56 |
Source: | Code function: | 6_2_6E2AF7CF |
Source: | Code function: | 6_2_6E2B0B49 |
Source: | Code function: | 6_2_6E2B536D |
Source: | Code function: | 6_2_6E2B2876 |
Source: | Code function: | 6_2_6E2B209D |
Source: | Code function: | 6_2_6E2C3DF9 |
Source: | Code function: | 6_2_6E2F914E |
Source: | Code function: | 6_2_6E2FAF17 |
Source: | Code function: | 6_2_6E2FA16D |
Source: | Code function: | 6_2_6E2FAA51 |
Source: | Code function: | 6_2_6E2FA0BD |
Source: | Code function: | 6_2_6E2A1552 |
Source: | Process created: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: | WMI Queries: |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | Evasive API call chain: |
Source: | Dropped PE file which has not been started: |
Source: | Check user administrative privileges: |
Source: | Code function: | 6_2_6E2C77FF |
Source: | Code function: | 6_2_6E2C7327 |
Source: | Code function: | 6_2_6E2A1552 |
Source: | Code function: | 6_2_6E2C5D2F |
Source: | Code function: | 6_2_6E2F85B0 |
Source: | Code function: | 6_2_6E2F80E6 |
Source: | Code function: | 6_2_6E2F84DF |
Source: | Code function: | 6_2_6E2C36F2 |
Source: | Code function: | 6_2_6E2C3C18 |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Domain query: |
Source: | File source: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: | 6_2_6E2A105E |
Source: | Key value queried: |
Source: | Code function: | 6_2_001A2E33 |
Source: | Key value queried: |
Source: | Code function: | 6_2_6E2A109B |
Source: | Code function: | 6_2_6E2A1C6F |
Source: | Code function: | 6_2_001A2E33 |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation41 | Path Interception | Process Injection112 | Masquerading121 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
Default Accounts | Native API3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution43 | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery36 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 37% | Metadefender | | |
| | 68% | ReversingLabs | Win32.Trojan.Ursnif | |
| | 37% | Metadefender | | |
| | 68% | ReversingLabs | Win32.Trojan.Ursnif | |
Unpacked PE Files |
---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| | 100% | Avira | HEUR/AGEN.1108168 | | |
Domains |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 7% | Virustotal | | |
URLs |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
iqwasithealth.com | 50.87.248.41 | true | true | | unknown |
app.updatebrouser.com | unknown | unknown | true | unknown | |
apt.updateffboruse.com | unknown | unknown | true | unknown | |
Contacted URLs |
---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | true | | unknown |
URLs from Memory and Binaries |
---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | low |
| | | false | | high |
| | | false | | unknown |
| | | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
50.87.248.41 | iqwasithealth.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 507191 |
Start date: | 21.10.2021 |
Start time: | 19:39:47 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | inquiry[2021.09.23_12-51].xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLSB@6/4@4/1 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:41:21 | API Interceptor | |
19:42:22 | API Interceptor | |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
50.87.248.41 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
iqwasithealth.com | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
UNIFIEDLAYER-AS-1US | | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | | | malicious | | |
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms | | | malicious | | |
C:\Users\Public\codec.dll | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 353792 |
Entropy (8bit): | 6.649926576275444 |
Encrypted: | false |
SSDEEP: | 6144:8ufHKG+wtMydWttXtUxIhYD+BHi1RN5CA9fc0C5Na5uMt/bL22P:JqG+aMydWXX6Jqi1RJVcfN4pRLhP |
MD5: | E7AC180E8217A97505FEE5B06709D331 |
SHA1: | 85B078B46C648EC00DE6E1952E4D165EDBBC878E |
SHA-256: | D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395 |
SHA-512: | CBDAB6A7E967CCCB6B5CD2E611B479B367EE3B160936EC697A6C929F8AD47F767A7C427AFEA04E192421F1C064B00773CD53344981755BD56A6448280AC09FE5 |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Reputation: | low |
IE Cache URL: | https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 560141 |
Entropy (8bit): | 7.998249179675146 |
Encrypted: | true |
SSDEEP: | 12288:mQIo6UHg7xFXSW6ydUO0+EeL6p2cX3O15YhlN:mQwXtRGT+EeLe255y |
MD5: | 0D3A3E5416D7684E6A71C0F665F43363 |
SHA1: | A43A631379852A4371F1EFDBFCA94B2520BCBA46 |
SHA-256: | 4B24CDA7EEC1834B1AF96DB036FE46B49EDC76802693ACDF4F10001627CB099D |
SHA-512: | 913CBE348B8B44B653A68A17FECCC0D4EDA567A8600F2C4C979F4D728E143008B3D279D7CFE558107F60E40119E01F124EB37B6DD2423D5CC11F34F974E19499 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 353792 |
Entropy (8bit): | 6.649926576275444 |
Encrypted: | false |
SSDEEP: | 6144:8ufHKG+wtMydWttXtUxIhYD+BHi1RN5CA9fc0C5Na5uMt/bL22P:JqG+aMydWXX6Jqi1RJVcfN4pRLhP |
MD5: | E7AC180E8217A97505FEE5B06709D331 |
SHA1: | 85B078B46C648EC00DE6E1952E4D165EDBBC878E |
SHA-256: | D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395 |
SHA-512: | CBDAB6A7E967CCCB6B5CD2E611B479B367EE3B160936EC697A6C929F8AD47F767A7C427AFEA04E192421F1C064B00773CD53344981755BD56A6448280AC09FE5 |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.997293747708592 |
TrID: |
File name: | inquiry[2021.09.23_12-51].xlsb |
File size: | 591445 |
MD5: | d5dedf5221391bc183c80173ed5f4279 |
SHA1: | bc48802d095a79a9fb8196d35506c4862c937936 |
SHA256: | f2be1c567425b843b8deec064cd9f747d74f4ae5e15d026fcb5b26549ae3fba9 |
SHA512: | a5897ef999acb94b6badecac604832f9bd9537bac95172b4ae8b8e832d42d1cdb7107b5d1de84f1e4ec64357d9f3c5b63b3ad2393c9e5bf9b9e4b2979d011b52 |
SSDEEP: | 12288:XJo6Chb0c7x1XSW6qdUO0+geLAo63jashmq4jBz:Xq9XtHGT+geLqaFZ |
File Content Preview: | PK........e.4S................docProps/PK..........!.................docProps/app.xml.S.n.0.....`.^.Z.*d\.(U.n.*.....x...g.`.~M........7y~.b..]Y...Z....K8.g|j.f._V.W..!i...;..= .S_..E.....,J8.......&.Rc/..2....X...Yf..{.-...N.....K!..ZA..8...ESo...u...... |
File Icon |
---|
Icon Hash: | e4e2ea8aa4b4b4b4 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Oct 21, 2021 19:40:39.470540047 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.470609903 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.470618963 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470630884 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470725060 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.470727921 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470741987 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470838070 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470839977 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.470860958 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470936060 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.470957994 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471002102 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471045017 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471060991 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471065044 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471147060 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471158028 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471178055 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471189022 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471220970 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471271038 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471299887 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471313953 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471329927 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471334934 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471389055 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471416950 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471438885 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471455097 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471461058 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471463919 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.471522093 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.471681118 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.496195078 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.496234894 CEST | 443 | 49165 | 50.87.248.41 | 192.168.2.22 |
Oct 21, 2021 19:40:39.496251106 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
Oct 21, 2021 19:40:39.496311903 CEST | 49165 | 443 | 192.168.2.22 | 50.87.248.41 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 21, 2021 19:40:37.892031908 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 21, 2021 19:40:38.001221895 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
Oct 21, 2021 19:41:50.414472103 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 21, 2021 19:41:50.437865973 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22 |
Oct 21, 2021 19:42:10.523245096 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 21, 2021 19:42:10.546617985 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22 |
Oct 21, 2021 19:42:30.637613058 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 21, 2021 19:42:30.666851044 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Oct 21, 2021 19:40:37.892031908 CEST | 192.168.2.22 | 8.8.8.8 | 0x2a3d | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:41:50.414472103 CEST | 192.168.2.22 | 8.8.8.8 | 0x4f8b | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:42:10.523245096 CEST | 192.168.2.22 | 8.8.8.8 | 0xa13a | Standard query (0) | | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:42:30.637613058 CEST | 192.168.2.22 | 8.8.8.8 | 0xb209 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Oct 21, 2021 19:40:38.001221895 CEST | 8.8.8.8 | 192.168.2.22 | 0x2a3d | No error (0) | | | 50.87.248.41 | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:41:50.437865973 CEST | 8.8.8.8 | 192.168.2.22 | 0x4f8b | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:42:10.546617985 CEST | 8.8.8.8 | 192.168.2.22 | 0xa13a | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Oct 21, 2021 19:42:30.666851044 CEST | 8.8.8.8 | 192.168.2.22 | 0xb209 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 50.87.248.41 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-10-21 17:40:38 UTC | 0 | OUT | |
2021-10-21 17:40:38 UTC | 0 | IN | |
2021-10-21 17:40:38 UTC | 0 | IN | |
2021-10-21 17:40:38 UTC | 8 | IN | |
2021-10-21 17:40:38 UTC | 16 | IN | |
2021-10-21 17:40:38 UTC | 23 | IN | |
2021-10-21 17:40:39 UTC | 31 | IN | |
2021-10-21 17:40:39 UTC | 39 | IN | |
2021-10-21 17:40:39 UTC | 47 | IN | |
2021-10-21 17:40:39 UTC | 55 | IN | |
2021-10-21 17:40:39 UTC | 63 | IN | |
2021-10-21 17:40:39 UTC | 70 | IN | |
2021-10-21 17:40:39 UTC | 78 | IN | |
2021-10-21 17:40:39 UTC | 86 | IN | |
2021-10-21 17:40:39 UTC | 94 | IN | |
2021-10-21 17:40:39 UTC | 102 | IN | |
2021-10-21 17:40:39 UTC | 109 | IN | |
2021-10-21 17:40:39 UTC | 117 | IN | |
2021-10-21 17:40:39 UTC | 125 | IN | |
2021-10-21 17:40:39 UTC | 133 | IN | |
2021-10-21 17:40:39 UTC | 141 | IN | |
2021-10-21 17:40:39 UTC | 148 | IN | |
2021-10-21 17:40:39 UTC | 156 | IN | |
2021-10-21 17:40:39 UTC | 164 | IN | |
2021-10-21 17:40:39 UTC | 172 | IN | |
2021-10-21 17:40:39 UTC | 180 | IN | |
2021-10-21 17:40:39 UTC | 188 | IN | |
2021-10-21 17:40:39 UTC | 195 | IN | |
2021-10-21 17:40:39 UTC | 203 | IN | |
2021-10-21 17:40:39 UTC | 211 | IN | |
2021-10-21 17:40:39 UTC | 219 | IN | |
2021-10-21 17:40:39 UTC | 227 | IN | |
2021-10-21 17:40:39 UTC | 234 | IN | |
2021-10-21 17:40:39 UTC | 242 | IN | |
2021-10-21 17:40:39 UTC | 250 | IN | |
2021-10-21 17:40:39 UTC | 258 | IN | |
2021-10-21 17:40:39 UTC | 266 | IN | |
2021-10-21 17:40:39 UTC | 273 | IN | |
2021-10-21 17:40:39 UTC | 281 | IN | |
2021-10-21 17:40:39 UTC | 289 | IN | |
2021-10-21 17:40:39 UTC | 297 | IN | |
2021-10-21 17:40:39 UTC | 305 | IN | |
2021-10-21 17:40:39 UTC | 313 | IN | |
2021-10-21 17:40:39 UTC | 320 | IN | |
2021-10-21 17:40:39 UTC | 328 | IN | |
2021-10-21 17:40:39 UTC | 336 | IN | |
2021-10-21 17:40:39 UTC | 344 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 19:41:16 |
Start date: | 21/10/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fdb0000 |
File size: | 28253536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:41:20 |
Start date: | 21/10/2021 |
Path: | C:\Windows\System32\wbem\WMIC.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff4a0000 |
File size: | 566272 bytes |
MD5 hash: | FD902835DEAEF4091799287736F3A028 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 19:41:22 |
Start date: | 21/10/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffda0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:41:23 |
Start date: | 21/10/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3e0000 |
File size: | 14848 bytes |
MD5 hash: | 432BE6CF7311062633459EEF6B242FB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
6E2A1A1C | 13.6 | 9 | | 107 | sleep, native, synchronization, COMMON | 82% |
6E2A2013 | 5.3 | 2 | 1 | 70 | native, COMMON | 72% |
6E2A105E | 4.5 | 3 | | 23 | COMMON | 58% |
001A4D62 | 3.1 | 2 | | 82 | com, COMMON | 64% |
6E2A121F | 1.5 | 1 | | 34 | native, COMMON | 68% |
001A39E8 | 10.6 | 7 | | 75 | COMMON | 100% |
001A6632 | 10.6 | 7 | | 73 | sleep, memory, time, COMMON | 73% |
001A637D | 10.6 | 5 | 1 | 68 | string, COMMON | 64% |
6E2C9AA1 | 9.2 | 6 | | 216 | COMMON | |
6E2A17C4 | 9.1 | 6 | | 71 | memory, COMMON | 86% |
6E2C30D0 | 6.2 | 4 | | 188 | COMMON | |
6E2A18A0 | 6.1 | 3 | 1 | 96 | memory, COMMON | 86% |
6E2C6F27 | 6.1 | 4 | | 52 | library, COMMON, LIBRARYCODE | |
6E2A1FC9 | 6.0 | 4 | | 30 | thread, COMMON | 87% |
001A14C4 | 4.6 | 3 | | 94 | memory, COMMON | 100% |
6E2A1D96 | 4.6 | 3 | | 68 | memory, COMMON | 87% |
6E2C809F | 3.2 | 2 | | 168 | COMMON | |
001A18B7 | 3.1 | 2 | | 112 | COMMON | 75% |
001A2989 | 3.1 | 2 | | 51 | COMMON | |
6E2C33AF | 3.0 | 2 | | 32 | COMMON | |
001A695B | 3.0 | 2 | | 26 | COMMON | 100% |
6E2C4D88 | 3.0 | 2 | | 19 | COMMON | |
6E2A1741 | 2.5 | 2 | | 48 | memory, COMMON | 84% |
6E2C9DB4 | 1.6 | 1 | | 52 | COMMON | |
001A5D1D | 1.6 | 1 | | 50 | COMMON | 34% |
6E2C7160 | 1.5 | 1 | | 47 | COMMON | |
6E2C75C0 | 1.5 | 1 | | 39 | memory, COMMON, LIBRARYCODE | |
6E2C6FA2 | 1.5 | 1 | | 30 | memory, COMMON | |
6E2C4F91 | 1.5 | 1 | | 22 | COMMON | |
6E2A1344 | 1.4 | 1 | | 105 | COMMON | 100% |
6E2A1B55 | 1.3 | 1 | | 70 | COMMON | 86% |
001A6A1E | 1.3 | 1 | | 42 | memory, COMMON | 100% |
001A488A | 1.3 | 1 | | 36 | string, COMMON | 75% |
Uniqueness Score: -1.00% for every executed function listed above. |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
001A2654 | 16.0 | 8 | 1 | 225 | memory, COMMON, Crypto | 95% |
6E2A2495 | 7.2 | 1 | 3 | 195 | native, COMMON | 100% |
6E2A1C6F | 6.0 | 4 | | 34 | COMMON | 100% |
6E2C5D2F | 4.5 | 3 | | 20 | COMMON | |
6E2A2274 | 0.1 | | | 77 | COMMON, Crypto | 71% |
001A7E30 | 0.1 | | | 77 | COMMON, Crypto | 71% |
6E2F80E6 | 0.1 | | | 75 | COMMON | |
6E2F84DF | 0.1 | | | 55 | COMMON | |
6E2C8F41 | 24.6 | 13 | 1 | 114 | COMMON, LIBRARYCODE | |
6E2C6C1C | 15.1 | 10 | | 54 | COMMON | |
001A4BD9 | 13.6 | 9 | | 110 | library, memory, loader, COMMON | 61% |
6E2CA70F | 10.7 | 7 | | 152 | file, COMMON | |
6E2C6D3C | 10.6 | 5 | 1 | 50 | COMMON, LIBRARYCODE | |
6E2C4CF6 | 9.1 | 6 | | 60 | COMMON | |
001A5AFA | 8.9 | 3 | 2 | 167 | string, COMMON | 88% |
001A1ADC | 7.6 | 4 | 1 | 145 | string, COMMON | 22% |
001A4EEF | 7.6 | 4 | 1 | 70 | string, COMMON | 58% |
6E2C83D2 | 7.6 | 5 | | 68 | COMMON | |
001A6707 | 7.5 | 5 | | 31 | COMMON | 100% |
001A1D8C | 6.2 | 3 | 1 | 152 | string, COMMON | 90% |
001A67C4 | 6.1 | 4 | | 136 | COMMON | 85% |
6E2C9964 | 6.1 | 4 | | 110 | COMMON | |
001A4182 | 6.1 | 4 | | 108 | synchronization, COMMON | 56% |
001A56E3 | 6.1 | 4 | | 98 | memory, COMMON | |
001A1723 | 6.1 | 4 | | 87 | sleep, COMMON | 39% |
001A38BC | 6.0 | 4 | | 29 | memory, COMMON | 100% |
6E2C7FFD | 5.3 | 1 | 2 | 45 | COMMON, LIBRARYCODE | |
001A73AF | 5.0 | 4 | | 39 | string, COMMON | 100% |
001A7067 | 5.0 | 4 | | 27 | string, COMMON | |
Uniqueness Score: -1.00% for every non-executed function listed above. |