Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 20.0.0 |
Analysis ID: | 44908 |
Start time: | 19:02:57 |
Joe Sandbox Product: | CloudBasic |
Start date: | 03.02.2018 |
Overall analysis duration: | 0h 4m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | a.xlsx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies |
Detection: | MAL |
Classification: | mal64.evad.expl.winXLSX@1/7@2/2 |
HCA Information: |
EGA Information: | Failed |
HDC Information: | Failed |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 64 | 0 - 100 | Report FP / FN | |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
Analysis Advice |
---|
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for domain / URL |
Source: www.dylboiler.co.kr | virustotal: |
Antivirus detection for submitted file |
Source: a.xlsx | virustotal: |
Exploits: |
---|
Microsoft Office program loads Macromedia Flash Player |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Creates a DirectInput object (often for capturing keystrokes) |
Source: EXCEL.EXE | Binary or memory string: |
Installs a global mouse hook |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Windows user hook set: |
Software Vulnerabilities: |
---|
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Networking: |
---|
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: | ||
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Urls found in memory or binary data |
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE, activeX1.bin | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE, crossdomain[1].xml.2.dr | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: | ||
Source: EXCEL.EXE | String found in binary or memory: |
Uses a known web browser user agent for HTTP communication |
Source: global traffic | HTTP traffic detected: | ||
Source: global traffic | HTTP traffic detected: |
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Binary contains paths to development resources |
Source: EXCEL.EXE | Binary or memory string: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: |
Sample is known by Antivirus (Virustotal or Metascan) |
Source: a.xlsx | Virustotal: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value queried: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: |
Stores large binary data to the registry |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value created or modified: |
System process connects to network (likely due to code injection or exploit) |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Network Connect: |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:03:29 | API Interceptor | 2x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms |
19:03:29 | API Interceptor | 657x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms |
Antivirus Detection |
---|
Initial Sample |
---|
Source | Detection | Cloud | Link |
---|---|---|---|
| 22% | virustotal | Browse |
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Cloud | Link |
---|---|---|---|
| 4% | virustotal | Browse |
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
LGDACOMLGDACOMCorporationKR | | ecb0852024820c4b3426c5e10570e9397e887a959d1a5827578a07200f51afff | malicious | Browse | |
| | 2161c4f303c9b5f38a58fa1dedf3f70329c6009a273d6be0a2b4a945f2114b02 | malicious | Browse | |
| | d750ac2061df6fd607d901ad918e9e1f0693e044e399c863d8d09eb0c866100a | malicious | Browse | |
| | 1356d7bc326b6b2837a6a3fd6a740487d8493cf7336275567bbf7be5be541505 | malicious | Browse | |
| | | malicious | Browse | |
| | 1ce0ee9bd5ba5662d8d18b2e43c2a98a790bcd541fd56ec85c3be7db1e0636f0 | malicious | Browse | |
| | 1ce0ee9bd5ba5662d8d18b2e43c2a98a790bcd541fd56ec85c3be7db1e0636f0 | malicious | Browse | |
| | 1d8730fb8718b3e9765cf8146c71da54d853fc5da73065a7bfd3509ec8ec261b | malicious | Browse | |
| | 33da905c31916f6c8f457eba354991f2018e7d7c888f160843b42a229aa078c0 | malicious | Browse | |
Dropped Files |
---|
No context |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Type: | |
Size (bytes): | 21924 |
Entropy (8bit): | 4.478695190024331 |
Encrypted: | false |
MD5: | 8C56941EA80A352B16BD341E2046A970 |
SHA1: | 98D20CEC9D7B5DA66240C3F395037EA3C5C5B577 |
SHA-256: | 57AA3EFA4FC50266B2EA550F1343CCAA752C0C2DA47B027AC4BD7067EA60BF9B |
SHA-512: | DAF052F898D70886DABA4B5103AEB7DC5022C463AE6CE6916BE6CCBE59AC1BA5E2E6786EEA57237E4F899D9B769DD7867CDA58484E28E9BCC81D3B248B6CC6C9 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 342 |
Entropy (8bit): | 4.9086478647208605 |
Encrypted: | false |
MD5: | D57E6FC37DE0EB06DF4AA8A77231B2E5 |
SHA1: | 57EAC9A330F041B0716186941A15E572F42D8EED |
SHA-256: | 16BC92C38028721B6AFF0852158ECFBB66852D2F5F79380A5152E5F25AD30C2E |
SHA-512: | C763166C6FBB088A608181B81C03DA9E4AF9C1D7E7633FA72DC906B5053BF172C54613E71F1A48087299A0DA70371E6200BFAC1D50E3942EBE9C4DBBDD335BAF |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 940 |
Entropy (8bit): | 2.2633111018826657 |
Encrypted: | false |
MD5: | 6D52F5DA335385F403FA9E08F25A8B27 |
SHA1: | 1CF4F6C52EE4DBDADC6D899CD0A54A2BB4DF4424 |
SHA-256: | FD7BBC4846622C73726859C1690532062089F281DC861D9E26F1AD32EA0DF6A7 |
SHA-512: | CC59A1EBAFCC069113FBCDAEC1F3FA4DD4C3EDFD105F22C154470E0B3065EBDB2A4818FE181F06CDE6CBB790260CD4DA1CEA5D6DCA688621B65F166F39A0CED6 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 6400 |
Entropy (8bit): | 4.657281124034824 |
Encrypted: | false |
MD5: | 921E48048FCC60ED8C239FD98EA2FC01 |
SHA1: | AFEE82E25F73489BE3BF968E3C003981B8011038 |
SHA-256: | 1F393B9330DB706BE919A1DE20FBC757A4B112C2621E9DCD9AE6118665E29AAC |
SHA-512: | FE07FE875C4BAAE088DE733CA3B9E72809FB0B3C54ABD03D65473602C6DB7B68F818D128A27EB91681B75E062C9F2859A85980820E8655CC3D137678D4E9372E |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 1988 |
Entropy (8bit): | 4.524838333572448 |
Encrypted: | false |
MD5: | CE00AB1D185042B391947DB2E00A82FD |
SHA1: | 25944F91A1088FA08FDB6D91360555CB270F5FB5 |
SHA-256: | AEA8F91174753642F1493C8C798CF0B14C03E65687CAF082237ECF12BF4B5225 |
SHA-512: | 10F2154CEF3A86E4C967EAB7BFF5ECE533B5BB88FD6EFC2239384D8FAD3274A023E52C793D975483DF8EED61242E8DFACBDB8CDF2470CCBF723AC114630FBB59 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 43 |
Entropy (8bit): | 3.83316025553889 |
Encrypted: | false |
MD5: | 5753A3F78C5A08A75A0011D513968E4E |
SHA1: | 4AC1A925251C9ECA83DB5FFBCA94B9A63C00E02A |
SHA-256: | 06FF635C0568C53B0037C9F1AEF47F52E3F35C248945F58C93085E995AE82BA0 |
SHA-512: | E5165765DF43A3539A7835B500905CB764C4E982693BB3A36E54E1FCB1E6041879FD5080FDB8CB0D86A43083DF21BC14758CD916E44B686EDDBA171C53D2CA38 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 165 |
Entropy (8bit): | 1.8123539313128556 |
Encrypted: | false |
MD5: | 5D1C23E469CB1A62CFEFAF0D295D25B9 |
SHA1: | B542C97B9B9A5218AB7B362B565C387AB02454AD |
SHA-256: | 4A585BEF8FCF913E857F2B0AD28B665DD2329521901E23BF8527FD8F3BA13D15 |
SHA-512: | C8413843B39C086093DF545BF50FEF8C7200799D41E2D1A4C789C13A1C2277EFD85A7125EDDECCDA46219EAAFAEC17805553CDF3FDB02A6186B7B3D43AEBB3A9 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection |
---|---|---|---|---|
www.dylboiler.co.kr | 114.108.131.63 | true | true | 4%, virustotal, Browse |
Contacted IPs |
---|
IP | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
8.8.8.8 | United States | | 15169 | GOOGLE-GoogleIncUS | false |
114.108.131.63 | Korea Republic of | | 3786 | LGDACOMLGDACOMCorporationKR | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.961208356093016 |
TrID: |
File name: | a.xlsx |
File size: | 126305 |
MD5: | 5f97c5ea28c0401abc093069a50aa1f8 |
SHA1: | 15053a986dc12c9f353f4940d7d918871d337aed |
SHA256: | 14c58e3894258c54e12d52d0fba0aafa258222ce9223a1fdc8a946fd169d8a12 |
SHA512: | 94f5d406e822a9b9ff330d8046e56a8f76a24ba6745fd90e67458c7dea94363fe0900c1db5db87d1ee9d15ddfc8549d990cf791597ec57ebc59a200ffc3e14c3 |
File Content Preview: | PK..........!.................[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 3, 2018 19:03:45.458077908 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 3, 2018 19:03:46.480983019 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 3, 2018 19:03:47.413377047 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3 |
Feb 3, 2018 19:03:47.413408995 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3 |
Feb 3, 2018 19:03:47.467498064 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:47.467519999 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:47.467619896 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:47.468636990 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:47.468648911 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:48.668015957 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:48.668052912 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:48.668133974 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:48.668344975 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:48.668359995 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:48.710907936 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:48.710928917 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:48.710992098 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:48.711327076 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:48.711335897 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:49.615161896 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:49.615183115 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3 |
Feb 3, 2018 19:03:49.615437984 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:49.615576982 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63 |
Feb 3, 2018 19:03:49.615593910 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 3, 2018 19:03:45.458077908 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 3, 2018 19:03:46.480983019 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 3, 2018 19:03:47.413377047 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3 |
Feb 3, 2018 19:03:47.413408995 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 3, 2018 19:03:45.458077908 CET | 192.168.2.3 | 8.8.8.8 | 0xc29e | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 3, 2018 19:03:46.480983019 CET | 192.168.2.3 | 8.8.8.8 | 0xc29e | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 3, 2018 19:03:47.413377047 CET | 8.8.8.8 | 192.168.2.3 | 0xc29e | No error (0) | | | 114.108.131.63 | A (IP address) | IN (0x0001) |
Feb 3, 2018 19:03:47.413408995 CET | 8.8.8.8 | 192.168.2.3 | 0xc29e | No error (0) | | | 114.108.131.63 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49172 | 114.108.131.63 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 3, 2018 19:03:47.468636990 CET | 1 | OUT | |
Feb 3, 2018 19:03:48.668015957 CET | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49173 | 114.108.131.63 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 3, 2018 19:03:48.711327076 CET | 2 | OUT | |
Feb 3, 2018 19:03:49.615161896 CET | 3 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 19:03:26 |
Start date: | 03/02/2018 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x2fb40000 |
File size: | 20392608 bytes |
MD5 hash: | 716335EDBB91DA84FC102425BFDA957E |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|