Windows Analysis Report instruct_11.21.doc.docm
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious MSHTA Process Patterns | Show sources |
Source: | Author: Florian Roth: |
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | String found in binary or memory: | ||
Source: | File created: | Jump to behavior |
Source: | DNS traffic detected: |
Source: | Window created: | Jump to behavior |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Document contains an embedded VBA macro which may execute processes | Show sources |
Source: | OLE, VBA macro line: |
Document contains an embedded VBA macro with suspicious strings | Show sources |
Source: | OLE, VBA macro line: |
Source: | OLE indicator application name: | ||
Source: | OLE indicator application name: |
Source: | OLE, VBA macro line: |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | OLE indicator has summary info: | ||
Source: | OLE indicator has summary info: |
Source: | Key opened: | Jump to behavior |
Source: | OLE indicator, VBA macros: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Key value queried: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior |
Source: | Binary or memory string: |
Source: | OLE document summary: | ||
Source: | OLE document summary: | ||
Source: | OLE document summary: | ||
Source: | OLE document summary: | ||
Source: | OLE document summary: |
Source: | Process created: | |||
Source: | File read: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Process information set: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Binary or memory string: |
Source: | Memory protected: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting22 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools11 | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting22 | LSA Secrets | System Information Discovery14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
49% | Virustotal | Browse | ||
43% | ReversingLabs | Document-Word.Trojan.Valyria | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
10% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | Avira URL Cloud | malware |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
shoulderelliottd.com | 194.62.42.144 | true | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
false | high |
false | high |
false | high |
false | low |
false | unknown |
false | high |
false | unknown |
false | high |
true | unknown |
false | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.62.42.144 | shoulderelliottd.com | Russian Federation | 34464 | ZEISS-ASRU | true |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 520837 |
Start date: | 12.11.2021 |
Start time: | 21:18:33 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | instruct_11.21.doc.docm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Without Instrumentation |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.expl.winDOCM@6/16@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
21:19:20 | API Interceptor | |
21:19:22 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
194.62.42.144 | Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
shoulderelliottd.com | Get hash | malicious | Browse |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ZEISS-ASRU | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1062 |
Entropy (8bit): | 4.517838839626174 |
Encrypted: | false |
SSDEEP: | 12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E |
MD5: | 124A9E7B6976F7570134B7034EE28D2B |
SHA1: | E889BFC2A2E57491016B05DB966FC6297A174F55 |
SHA-256: | 5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9 |
SHA-512: | EA1B3CC56BD41FC534AAC00F186180345CB2C06705B57C88C8A6953E6CE8B9A2E3809DDB01DAAC66FA9C424D517D2D14FA45FBEF9D74FEF8A809B71550C7C145 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/warning.gif |
Preview: |
|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1706 |
Entropy (8bit): | 5.274543201400288 |
Encrypted: | false |
SSDEEP: | 48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO |
MD5: | B9BEC45642FF7A2588DC6CB4131EA833 |
SHA1: | 4D150A53276C9B72457AE35320187A3C45F2F021 |
SHA-256: | B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D |
SHA-512: | C119F5625F1FC2BCDB20EE87E51FC73B31F130094947AC728636451C46DCED7B30954A059B24FEF99E1DB434581FD9E830ABCEB30D013404AAC4A7BB1186AD3A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/error.js |
Preview: |
|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 3247 |
Entropy (8bit): | 5.459946526910292 |
Encrypted: | false |
SSDEEP: | 96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa |
MD5: | 16AA7C3BEBF9C1B84C9EE07666E3207F |
SHA1: | BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1 |
SHA-256: | 7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 |
SHA-512: | 245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
IE Cache URL: | res://ieframe.dll/error.dlg |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 14327 |
Entropy (8bit): | 7.959467120915826 |
Encrypted: | false |
SSDEEP: | 384:3j0EEYpcVhE1ltmTV/YZO4NSCWl822TnU0:w02VWnZdw9822zv |
MD5: | 76DA3E2154587DD3D69A81FCDB0C7364 |
SHA1: | 0F23E27B3A456B22A11D3FBC3132397B0DDC9357 |
SHA-256: | F9299AB3483A8F729B2ACA2111B46E9952D4491AC66124FEC22C1C789EBC3139 |
SHA-512: | A20BA525941043701E8DA5234A286FF2AF0A5F4C45998F1BA3BD59785FF4CDDAA72DE316D0BC651C68F30A6587741539B51D356BF5D6FEEAFCAE492AB277BB45 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 29696 |
Entropy (8bit): | 3.76975546525641 |
Encrypted: | false |
SSDEEP: | 384:/UtzuhEb67dfN0j3i89tE6hEb6+dfN0j3i8:S+Eb67facCEb6+fa |
MD5: | 323E9246AFCBA8C21E774047CC81C04F |
SHA1: | 8FAF9515396E488653F701D1772C385C031F0D2D |
SHA-256: | 2D583EDB0A65E385529729AE3A9F8B53F0341C69E6303AEC354DCB7DD5C91D60 |
SHA-512: | 0D269334C6A456E477F5C72A85648E941D135586DA9D6AB231F5ADABD4A57FB754F3541925CB83F10FA11138565317F33E037C90966181321BB76B13F2A5BB6E |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 21166 |
Entropy (8bit): | 2.690771718216997 |
Encrypted: | false |
SSDEEP: | 384:IcAAooAAsM3V+oTpArJltBu+UaGmXfKfUiwvXv7vUo6s1w6:IcAAooAAsM3V+oTpArJltBu+UaGmXfKS |
MD5: | DEDC6320F5E8B7E7877C43BB5618EA55 |
SHA1: | 2143954452A74AA00B077664B82544E1DAA51AC2 |
SHA-256: | 37EDEA11F289D8863015712C82ADF36A17584793B49D6222F70D4BD0B9DF8A8C |
SHA-512: | 030B6F931B4424DB621348E4089F5F69D50BA13B34772E611ADA4A20B5DF67582EB4959C5FD5B45BAFDA90E8965BEE5AAA3926ACB89A22C6403CC502A83B45D3 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 802 |
Entropy (8bit): | 4.420291052447701 |
Encrypted: | false |
SSDEEP: | 12:8cJ0hgXg/XAlCPCHemkWYCACmWicvbKXplgbNv/Z3YilMMEpxRljK/bTd+8/Td+l:8cJc/XRlenvB3qY/R7m |
MD5: | F2942107F46F0AC879802626FD3CF96C |
SHA1: | A3131CA267F9CE36063D36F7CE19A5E6D6446931 |
SHA-256: | FFB5DDDF55F64BC01442B745B4EC622449E65E58F1BD451D7D4D6A71E89C817B |
SHA-512: | 882E5E6889D9D9EA36F161A6ED8FC5C3569ECB36D8E0A1075459336FFA2CE8E4184D81F078D7881D5B973C1D62051FFC4B4D05DF6C2CA1DF0DA9F9FDBFBF5ED0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 138 |
Entropy (8bit): | 4.79454253036153 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlULQwXULXLpzCtYrSN7lAdRLUlmxWHixwXULXLpzCN7lAdRLUlv:bCjxXUZzUYrkOTAZNXUZz0OTA1 |
MD5: | 82F13A5A135511405BAA26408509C708 |
SHA1: | 6ACBF5652F9A7735E8EF40DFA3B2511AB8CADD99 |
SHA-256: | FE50645E8F45D4FDA888CA2CED1DFC0177DF03AE6F4AF64904B38FF61BE5FCAC |
SHA-512: | C186BC9A116CE0D834F6B9A2BB2AFF2712A3D0D6367C7DE423A6A43FF7C404D640D873828E89B19EF7E65F3559FAE4116BA6C52DFCA77F9C24950CB436B2B9BD |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1059 |
Entropy (8bit): | 4.499979446869528 |
Encrypted: | false |
SSDEEP: | 12:8LjgXg/XAlCPCHaXeBhB/OW9qX+WkNQRUREjuicvbKkALNoDtZ3YilMMEpxRljKc:8h/XTuzLIqNoNe7ACDv3qY/Qd7Qy |
MD5: | C871D7E92C9CF7FA6C9CBA6677348C54 |
SHA1: | 431F808CEAFF80A5DD981D7BE212A3399CE46B7D |
SHA-256: | F6DF5B82021060D1D7BFCE30171B88FE24CFEF1B3A59F7715310EDAAC69C3BF1 |
SHA-512: | 8AFF5C75502C906B8284037ABCC5D14535D87AE4A0E2DB202AC919458E668153C644209581F18730FA1EB83FB6D8D700A15B68D4E1FB8EC8A5BB89D0585C2B0D |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 949 |
Entropy (8bit): | 4.519048962779398 |
Encrypted: | false |
SSDEEP: | 12:8VULDgXg/XAlCPCHeQjD7YCACmC8bcnsfDdusaUCicvbKZ9UflAsnlgbNv/Z3Yi4:8VUB/XhCzUD8N2e4UqOWvB3qY/87l |
MD5: | 1C058852EC0794DE5D513871B5E22A82 |
SHA1: | D52C52370A82FE6680663E1328D6291C5568EDD2 |
SHA-256: | 90EF71EF566B1DC32FD57272EBE33AD6D5B03185F70FA03665D159E904D4BDBC |
SHA-512: | DCFA76B8749CEF47B750571B546FAA8D2BD9D86F460B060BA7C1A24C5BAB7113ABEDAB550F7909D05AE279033C60E8520AC8A6D11B6E19BEEDBB5DBBC47190F2 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.5038355507075254 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyDFH5UKycWT5yAi/lln:vdsCkWtgZ2YAyll |
MD5: | 6525B5171CE36A6D7EDB3E4DFD5CB579 |
SHA1: | 70AFC3864539BCF8F1C4CD336F6096534A6268FA |
SHA-256: | 617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF |
SHA-512: | 700AEAE11F026EDE01A59B5CC1166D041E1B100E91F84F984D072CDB154251AD15A11C629B8CD7314CB0B2FF8669C3C52EB592020FBA2502CB35BDE6D1EA8322 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 3346 |
Entropy (8bit): | 5.726896594481782 |
Encrypted: | false |
SSDEEP: | 96:bGotzrVgMR61CQB7MGxag4hE8h9LU9fLtrlv:yCrVnuPMGByEkmp |
MD5: | FA2B89027304712FB8366C1F6B4F2827 |
SHA1: | 6F851332C08998D25D839112A5C9D3CA8E57FCC0 |
SHA-256: | 6E1338E07405A9B14DB254B9769767EA824CF3AC1C8DFECB3513E95135ECEAEE |
SHA-512: | 8C1705A8165C062D9413F6FC00A697F6E62D038A04D5A347D036B73A97A64FE1831038C8007A1F29F80A2F765C5428463CEAE9EAF53FAED558752F24A32744CD |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.793957028458385 |
TrID: |
|
File name: | instruct_11.21.doc.docm |
File size: | 34817 |
MD5: | a9490d94cf547e27dcc0d52dc72e74e7 |
SHA1: | a00e440eb13f84c8b8faba5b81a7d85fce2a4074 |
SHA256: | ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394 |
SHA512: | 43dddc14679f16735c6f74c1b3d40b0be23bf995e9dd9a49ab9cd780cac6314a15ce73ab3943cf3346bbc77be2b2355ac6a8723c56d1ebe6872c9697f5048bc4 |
SSDEEP: | 384:xS6JqYxSJTvfpHhx/gFj0EEYpcVhE1ltmTV/YZO4NSCWl822TnUCSdQQUfwliiid:ZJqY0phb4a02VWnZdw9822zAEhXd |
File Content Preview: | PK..........!...O.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e6a2a2acbcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/520837/sample/instruct_11.21.doc.docm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Title: | |
Subject: | |
Author: | |
Keywords: | |
Template: | |
Last Saved By: | |
Revision Number: | 2 |
Total Edit Time: | 0 |
Create Time: | 2021-11-10T09:34:00Z |
Last Saved Time: | 2021-11-10T09:34:00Z |
Number of Pages: | 1 |
Number of Words: | 116 |
Number of Characters: | 9917 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Number of Lines: | 42 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0000 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 2271 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 2271 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . l . m . E . , l R . . . D . m 7 ^ e . . F . s 2 Z . g w . . . . . . . . . . . . . . . . . . . . . | . . K . . . K . . ; . > . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . | . . K . . . K . . ; . > . | . . . . l . m . E . , l R . . . D . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 06 00 01 00 00 b4 04 00 00 e4 00 00 00 ea 01 00 00 e2 04 00 00 f0 04 00 00 e4 06 00 00 03 00 00 00 01 00 00 00 4c 2f ec fa 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 d6 0d 8e 6c a5 6d c7 45 97 2c 6c 52 13 2e a9 44 06 6d 37 5e 65 13 f2 46 b7 73 32 5a ed 67 77 90 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code |
---|
|
VBA File Name: main.bas, Stream Size: 1122 |
---|
General | |
---|---|
Stream Path: | VBA/main |
VBA File Name: | main.bas |
Stream Size: | 1122 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 9a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff a1 02 00 00 a1 03 00 00 00 00 00 00 01 00 00 00 4c 2f 2e e2 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 394 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 394 |
Entropy: | 5.28471344287 |
Base64 Encoded: | True |
Data ASCII: | I D = " { A A 3 4 7 5 E 1 - 1 0 B 7 - 4 6 7 2 - 9 5 8 4 - C 9 3 4 8 5 4 D 1 D 0 2 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = m a i n . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 1 B 3 2 C 5 4 3 0 5 4 3 0 5 4 3 0 5 4 3 0 " . . D P B = " 6 2 6 0 F F 4 C B 1 4 D B 1 4 D B 1 " . . G C = " 1 3 1 1 8 E 1 F 3 E 2 0 3 E 2 0 C 1 " . . . . [ H o s t E x t e n d e |
Data Raw: | 49 44 3d 22 7b 41 41 33 34 37 35 45 31 2d 31 30 42 37 2d 34 36 37 32 2d 39 35 38 34 2d 43 39 33 34 38 35 34 44 31 44 30 32 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 6d 61 69 6e 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 56 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 56 |
Entropy: | 3.05665670746 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . m a i n . m . a . i . n . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 6d 61 69 6e 00 6d 00 61 00 69 00 6e 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3229 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3229 |
Entropy: | 4.37746268314 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1874 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 1874 |
Entropy: | 3.57587931409 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ V . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . O . ) . 2 . . X + . . . |
Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 209 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 209 |
Entropy: | 2.03643843122 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d o w G i r l L o a d \\ . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00 |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 835 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 835 |
Entropy: | 2.00768639044 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` i . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 03 00 03 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 08 00 00 00 00 00 00 00 00 00 00 01 09 00 00 00 00 00 00 00 00 00 00 31 09 |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 290 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 290 |
Entropy: | 2.16919875755 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . O . 8 . . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 40 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 04 01 e1 0d ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 711 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 711 |
Entropy: | 6.38404585368 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . @ Y . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . ? . m . . |
Data Raw: | 01 c3 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 40 59 83 63 0e 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 12, 2021 21:19:29.305022955 CET | 49165 | 80 | 192.168.2.22 | 194.62.42.144 |
Nov 12, 2021 21:19:32.307112932 CET | 49165 | 80 | 192.168.2.22 | 194.62.42.144 |
Nov 12, 2021 21:19:38.313657045 CET | 49165 | 80 | 192.168.2.22 | 194.62.42.144 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 12, 2021 21:19:28.889834881 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8 |
Nov 12, 2021 21:19:28.937772989 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 12, 2021 21:19:28.889834881 CET | 192.168.2.22 | 8.8.8.8 | 0x6451 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 12, 2021 21:19:28.937772989 CET | 8.8.8.8 | 192.168.2.22 | 0x6451 | No error (0) | | | 194.62.42.144 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 21:19:16 |
Start date: | 12/11/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f2e0000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:19:20 |
Start date: | 12/11/2021 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa10000 |
File size: | 3229696 bytes |
MD5 hash: | 38AE1B3C38FAEF56FE4907922F0385BA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:19:20 |
Start date: | 12/11/2021 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa10000 |
File size: | 3229696 bytes |
MD5 hash: | 38AE1B3C38FAEF56FE4907922F0385BA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:19:21 |
Start date: | 12/11/2021 |
Path: | C:\Windows\SysWOW64\mshta.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd40000 |
File size: | 13312 bytes |
MD5 hash: | ABDFC692D9FE43E2BA8FE6CB5A8CB95A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 02B00FB7, Relevance: .0, Instructions: 4, COMMON
Memory Dump Source |
---|
Similarity |
---|
Uniqueness |
---|
Uniqueness Score: -1.00% |
Function 02B00FA7, Relevance: .0, Instructions: 4, COMMON
Memory Dump Source |
---|
Similarity |
---|
Uniqueness |
---|
Uniqueness Score: -1.00% |
Function 02B00FAF, Relevance: .0, Instructions: 4, COMMON
Memory Dump Source |
---|
Similarity |
---|
Uniqueness |
---|
Uniqueness Score: -1.00% |
Function 02B00FE7, Relevance: .0, Instructions: 4, COMMON
Memory Dump Source |
---|
Similarity |
---|
Uniqueness |
---|
Uniqueness Score: -1.00% |
Function 02B00FDF, Relevance: .0, Instructions: 4, COMMON
Memory Dump Source |
---|
Similarity |
---|
Uniqueness |
---|
Uniqueness Score: -1.00% |
Non-executed Functions |
---|