Analysis Report
iwjvkEAIQa.rtf
Overview
General Information
Sample name: | iwjvkEAIQa.rtf (renamed because original name is a hash value) |
Original sample name: | 390887d6627a4de66aac8349c57a495a.rtf |
Analysis ID: | 1430801 |
MD5: | 390887d6627a4de66aac8349c57a495a |
SHA1: | aec3c18736f1ab675276c7b21076b0b48c3251a7 |
SHA256: | 4aefad6748025172503bac223b804d8de0dc741483409c7f19bc29b1859ba0bb |
Tags: | rtf |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 2752 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 784 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 1432 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\InternetMonkeyloverkissoff.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
- cleanup
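The process tree above is the whole story of this sample in three lines: Word loads the RTF, the Equation Editor (EQNEDT32.EXE) is started through COM, and the Equation Editor, which has no business creating processes at all, launches a VBS from the user's roaming profile, which then talks to paste.ee. The following is an added detection example, not code from Joe Sandbox or from the Sigma rules it cites. It applies the two behaviours the report's Sigma hits describe (an Equation Editor child process, and a script host or the editor itself reaching a non-local address) to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The records are constructed to mirror the process tree and the two IPs in this report; they are not exported sandbox events, and which process reached which IP is an assumption made for the example.

```python
"""Added detection example over constructed Sysmon-style events (not sandbox output)."""
import ipaddress
from dataclasses import dataclass
from pathlib import PureWindowsPath

EQUATION_EDITOR = "eqnedt32.exe"
# Office hosts whose children deserve scrutiny (cf. Sigma "Suspicious Microsoft Office Child Process").
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", EQUATION_EDITOR}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children that, under an Office host, usually mean a dropper stage rather than a feature.
SUSPICIOUS_CHILDREN = SCRIPT_HOSTS | {"mshta.exe", "powershell.exe", "cmd.exe",
                                      "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Script launched from a user-writable directory: the dropped VBS in this report lives in AppData\Roaming.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def is_non_local(ip: str) -> bool:
    """True for routable addresses; private, loopback, link-local and multicast count as local."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def evaluate(events) -> list:
    """Apply the rules to event dicts in order and return the findings."""
    findings = []
    for ev in events:
        image = basename(ev["Image"])
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            parent = basename(ev["ParentImage"])
            cmd = ev["CommandLine"].lower()
            if image == EQUATION_EDITOR:
                findings.append(Finding("equation_editor_started", "info", pid, parent + " -> " + image))
            if parent == EQUATION_EDITOR:
                # The Equation Editor has no legitimate reason to create any child process.
                findings.append(Finding("equation_editor_child", "high", pid, parent + " -> " + image))
            elif parent in OFFICE_HOSTS and image in SUSPICIOUS_CHILDREN:
                findings.append(Finding("office_suspicious_child", "high", pid, parent + " -> " + image))
            if image in SCRIPT_HOSTS and any(h in cmd for h in USER_WRITABLE_HINTS):
                findings.append(Finding("script_from_user_writable_path", "medium", pid, ev["CommandLine"]))
        elif ev["EventID"] == 3:
            dst = ev["DestinationIp"]
            if not is_non_local(dst):
                continue
            where = f"{dst}:{ev['DestinationPort']}"
            if image == EQUATION_EDITOR:
                findings.append(Finding("equation_editor_network", "high", pid, where))
            elif image in SCRIPT_HOSTS:
                findings.append(Finding("script_non_local_network", "medium", pid, where))
    return findings


def correlate(findings) -> list:
    """PIDs spawned by the Equation Editor that later made a non-local connection (the full chain)."""
    children = {f.pid for f in findings if f.rule == "equation_editor_child"}
    talkers = {f.pid for f in findings if f.rule in ("script_non_local_network", "equation_editor_network")}
    return sorted(children & talkers)


# Constructed events mirroring the report's process tree; the EQNEDT32 parent (DCOM launch via
# svchost) and the IP-to-process mapping are assumptions, not values taken from the sandbox.
_WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
_EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
_WSH = r"C:\Windows\System32\WScript.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2752, "Image": _WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_WORD}" /Automation -Embedding'},
    {"EventID": 1, "ProcessId": 784, "Image": _EQN, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{_EQN}" -Embedding'},
    {"EventID": 1, "ProcessId": 1432, "Image": _WSH, "ParentImage": _EQN,
     "CommandLine": f'"{_WSH}" "C:\\Users\\user\\AppData\\Roaming\\InternetMonkeyloverkissoff.vbs"'},
    {"EventID": 3, "ProcessId": 784, "Image": _EQN, "DestinationIp": "139.162.255.78", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 1432, "Image": _WSH, "DestinationIp": "172.67.187.200", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 1432, "Image": _WSH, "DestinationIp": "127.0.0.1", "DestinationPort": 8080},  # local, ignored
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},  # benign control: not a watched image
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
    print("full exploit chain on pids:", correlate(found))
```

The rules deliberately key on the parent image rather than the command line, because the RTF name, the VBS name and the paste URL are all throwaway; the Equation Editor spawning anything, and a script host talking to a routable address shortly afterwards, are the durable signals.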
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | |
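The rule description names two traits that, together, are a strong static tell for exploit RTFs: a version header other than `{\rtf1` (Word still opens `{\rtf` or `{\rt`, but no legitimate generator writes them) and an embedded OLE object of a class that normal documents rarely carry. The rule's own strings are not reproduced in this report, so what follows is an added, independent and simplified reimplementation of that idea, not ditekSHen's rule and not code from the sandbox. The watched object-class list, the `\objupdate` check (which makes Word load the object on open without a click) and the sample RTF bodies are assumptions constructed for the example; the OLE 1.0 header layout and the Equation.3 CLSID used in the sample are standard values.

```python
"""Added static RTF triage example (not the matched Yara rule, not sandbox code)."""
import re

STANDARD_HEADER = b"{\\rtf1"
# Object classes commonly abused in malicious RTFs (selection made for this example).
WATCHED_CLASSES = (b"Equation.3", b"Equation.2", b"Package", b"OLE2Link", b"otkloadr")
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) in its on-disk little-endian layout.
KNOWN_CLSIDS = {bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046"): "Equation.3"}

HEADER_RE = re.compile(rb"\s*(\{\\rt[A-Za-z0-9]*)")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(blob: bytes) -> bytes:
    """Hex-decode an \\objdata payload, tolerating the whitespace attackers sprinkle in."""
    clean = re.sub(rb"\s+", b"", blob)
    if len(clean) % 2:
        clean = clean[:-1]  # RTF readers drop a dangling nibble; so do we
    return bytes.fromhex(clean.decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Return header, embedded object classes, CLSID hits, auto-update flag and a verdict."""
    m = HEADER_RE.match(data)
    if not m:
        return {"is_rtf": False, "verdict": "not-rtf"}
    header = m.group(1)
    classes = {c.decode() for c in OBJCLASS_RE.findall(data)}
    clsid_hits = set()
    for blob in OBJDATA_RE.findall(data):
        payload = decode_objdata(blob)
        # The OLE 1.0 object header carries the class name in ASCII; the compound file carries the CLSID.
        classes.update(c.decode() for c in WATCHED_CLASSES if c in payload)
        clsid_hits.update(name for clsid, name in KNOWN_CLSIDS.items() if clsid in payload)
    non_standard = header != STANDARD_HEADER
    watched = bool(clsid_hits) or any(
        c.startswith(w.decode()) for c in classes for w in WATCHED_CLASSES)
    auto_update = b"\\objupdate" in data  # object is loaded when the document opens
    if non_standard and watched:
        verdict = "suspicious"
    elif non_standard or watched:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_rtf": True, "header": header.decode(), "non_standard_header": non_standard,
            "embedded_classes": sorted(classes), "clsid_hits": sorted(clsid_hits),
            "auto_update": auto_update, "verdict": verdict}


def _noisy_hex(raw: bytes) -> bytes:
    """Upper-case hex broken into uneven, space-separated runs, as obfuscated samples do."""
    h = raw.hex().upper().encode("ascii")
    return b" ".join(h[i:i + 5] for i in range(0, len(h), 5))


# Constructed samples. OLE 1.0 header: version 0x501, FormatID 2 (embedded), class name "Equation.3\0".
OLE1_EQUATION = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
EQ3_CLSID = next(iter(KNOWN_CLSIDS))
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}Quarterly figures attached.\\par}"
SUSPECT_RTF = (b"{\\rtf\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
               + _noisy_hex(OLE1_EQUATION + b"\x00" * 8 + EQ3_CLSID) + b"}}}")
STANDARD_WITH_EQUATION = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 01050000}}}"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF), ("standard+eq", STANDARD_WITH_EQUATION)):
        print(label, triage_rtf(body))
```

The decoded-payload search matters more than the `\objclass` keyword: exploit builders routinely omit or garble `\objclass` while the OLE1 header inside `\objdata` still has to spell out the class name for Word to instantiate it.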
Signature sources by section (rule names are not preserved in this extract; the matched Sigma rule titles are listed under Signatures above):

Section | Author |
---|---|
Exploits | Joe Security |
Exploits | Joe Security |
System Summary | Max Altgelt (Nextron Systems) |
System Summary | frack113, Florian Roth |
System Summary | Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io |
System Summary | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
System Summary | frack113 |
System Summary | Michael Haag |
System Summary | frack113 |
System Summary | Nasreddine Bencherchali (Nextron Systems) |
⊘No Snort rule has matched
AV Detection |
---|
- Scanner verdicts from Avira, ReversingLabs and Virustotal (detection percentages and labels are in the antivirus table further down)
Exploits |
---|
- Network connect (1)
- Process created (3)
- File opened (1)
- HTTPS traffic detected (1)
(Per-event details such as process, path and endpoint are not preserved in this extract.)
Software Vulnerabilities |
---|
- Process created (1)
- Code function: 2_2_035706C1, 2_2_03570766, 2_2_03570794, 2_2_035707B9, 2_2_035706DB, 2_2_0357077F
- DNS query (3)
- TCP traffic (194 entries; endpoints are not preserved in this extract)
Networking |
---|
- Network Connect (1); Domain query (1); DNS query (3); DNS traffic detected (1)
- Code function: 2_2_035706C1 (2 hits)
- IP Address (2); ASN Name (1); JA3 fingerprint (1)
- HTTP traffic detected (5); HTTPS traffic detected (1); Network traffic detected (2)
- TCP traffic detected without corresponding DNS query (50 entries; endpoints are not preserved in this extract)
- File created (1)
- String found in binary or memory (29 entries; strings are not preserved in this extract)
System Summary |
---|
- Matched rule (2); Classification label (1); Initial sample (1)
- COM Object queried (1); Memory allocated (2)
- OLE stream indicators for Word, Excel, PowerPoint, and Visio (1)
- File created (2); File read (5); File opened (1); Key opened (2); Key value queried (1); LNK file (1); Window detected (1)
- Process created (5)
- ReversingLabs (1); Virustotal (1)
- Section loaded (42 entries; module names are not preserved in this extract)
- Code function: 2_2_03570385
Persistence and Installation Behavior |
---|
- Registry value created (7)
- Key value created or modified (1)
- Code function: 2_2_035706C1, 2_2_035707B9
- Process information set (60 entries; values are not preserved in this extract)
- Window found (1)
- Thread sleep time (2)
HIPS / PFW / Operating System Protection Evasion |
---|
- Network Connect (1); Domain query (1); Process created (1); Key value queried (1)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 111 Scripting | Valid Accounts | 33 Exploitation for Client Execution | 111 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 25 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
55% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 | ||
57% | Virustotal | Browse | ||
100% | Avira | HEUR/Rtf.Malformed |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(7 URLs, not preserved) | 0% | URL Reputation | safe | |
(5 URLs, not preserved) | 0% | Avira URL Cloud | safe | |
(URL not preserved) | 0% | Virustotal | | Browse |
(URL not preserved) | 4% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
paste.ee | 172.67.187.200 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(not preserved) | false | | high |
(not preserved) | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(8 URLs, not preserved) | | false | | high |
(9 URLs, not preserved) | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
172.67.187.200 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false |
139.162.255.78 | unknown | Netherlands | 63949 | LINODE-APLinodeLLCUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430801 |
Start date and time: | 2024-04-24 07:46:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | iwjvkEAIQa.rtf (renamed because original name is a hash value) |
Original Sample Name: | 390887d6627a4de66aac8349c57a495a.rtf |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winRTF@4/9@3/2 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
07:46:54 | API Interceptor | |
07:46:57 | API Interceptor |
Match (IP) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.187.200 | (10 samples, not preserved) | (not preserved) | malicious | Unknown (5), XWorm (4), AgentTesla (1) | Browse | |
139.162.255.78 | (1 sample, not preserved) | (not preserved) | malicious | Unknown (1) | Browse | |
Match (domain) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
paste.ee | (10 samples, not preserved) | (not preserved) | malicious | Unknown (4), AgentTesla (4), XWorm (2) | Browse | |
Match (ASN) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
LINODE-APLinodeLLCUS | (10 samples, not preserved) | (not preserved) | malicious | HTMLPhisher (4), Mirai (2), Unknown (2), FormBook (1), Phisher (1) | Browse | |
CLOUDFLARENETUS | (10 samples, not preserved) | (not preserved) | malicious | Unknown (5), AgentTesla (2), "Babuk, Djvu, Vidar" (1), "AgentTesla, PureLog Stealer, RedLine" (1), "GuLoader, Remcos" (1) | Browse | |
Match (JA3 fingerprint) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | (10 samples, not preserved) | (not preserved) | malicious | Unknown (9), AgentTesla (1) | Browse | |
⊘No context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEinternetMonkeycallpdf[1].htm
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 88260 |
Entropy (8bit): | 3.7431301318716317 |
Encrypted: | false |
SSDEEP: | 1536:L+thAYsU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqz:L9YsU1DHFUGmgURDFs |
MD5: | F298CC29054BC56D193E76414D436B2C |
SHA1: | F521A11C9E63022AE0A7228117CA6AEA51A23F82 |
SHA-256: | B0E22909BEA588CE8AB5DFB7D8A624B2E262DAB70D4EACED092060872AA44A6E |
SHA-512: | 882AA14F083185E624198B4ADE4C2A972305E2062928C2363EC14C3AACC6AA0902E98ADAF63D8C641D3A015629601A9940B230826328D250ED788D2A744F536C |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{EB3F2147-CCBB-4479-BA10-F1F3E60F45F7}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.37676458821995 |
Encrypted: | false |
SSDEEP: | 48:reTyYUhcTD6ixaQ59Kox5ZfmpHB9i6V5tkOrzRzspsVYlNSmwoma:y56yn5QyZfmp3i6vtk8zRIpvwpa |
MD5: | 74D2AACDEBAA93122E115C1958F1D719 |
SHA1: | 4B43EFF97197F9D3C2429D865ECE07CC43B5392E |
SHA-256: | 8067E46B5BD7A5B3C747D70AC730E5595430336C37F38C13C2DA1CB22AC25B32 |
SHA-512: | 3C23A1CC18BFB3F52E7CD90D6AB5721C5F422C81BE8AA91E03F429313E10B42A1B645662DF3BDA571603D59476D5A32E1B76E09F863FEDED6BCBA55816D13406 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{764778E7-D35D-481E-83CF-84286AB00826}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F7B89536-1F7D-4934-B8D9-8369D0798EF0}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 15360 |
Entropy (8bit): | 3.5876777825940853 |
Encrypted: | false |
SSDEEP: | 384:0TSaZVK11vv5ROV6KQAevZLB6jtOziD2Pwy/Z:0TSaZVc1vHBK9evlB9ziDzy/Z |
MD5: | 070EBB3AB80855C08BCB5AA2A0EA6EB2 |
SHA1: | C87722408BA7BA85E121771AAFCB5F393ADFF6CB |
SHA-256: | D17C5E97E6D40A69AA07C57B036022407453CAF4604E523EB1A5C15F6F403036 |
SHA-512: | A43B459146C52D893D38A1ABDCBD744B9CD51E55B040ADD45366F58D7141734825DBE58774B2939D88E63B594FC967E3E4B34F7B82C688EDE7E3D11BF390C7A7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 88260 |
Entropy (8bit): | 3.7431301318716317 |
Encrypted: | false |
SSDEEP: | 1536:L+thAYsU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqz:L9YsU1DHFUGmgURDFs |
MD5: | F298CC29054BC56D193E76414D436B2C |
SHA1: | F521A11C9E63022AE0A7228117CA6AEA51A23F82 |
SHA-256: | B0E22909BEA588CE8AB5DFB7D8A624B2E262DAB70D4EACED092060872AA44A6E |
SHA-512: | 882AA14F083185E624198B4ADE4C2A972305E2062928C2363EC14C3AACC6AA0902E98ADAF63D8C641D3A015629601A9940B230826328D250ED788D2A744F536C |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 55 |
Entropy (8bit): | 4.749452668030777 |
Encrypted: | false |
SSDEEP: | 3:HHc0iFSm4N0iFSv:HHc0iK0i2 |
MD5: | CD0BE1F735178EC5217F20DB14258908 |
SHA1: | A747B8117D5288161EFB5E58972C9CA5967EF899 |
SHA-256: | 3D5B673AA0A39D89DDBDD833CA3772B4DEE6B1E0F408FAAE651FF6A0BCB5F1C0 |
SHA-512: | A33A0DCEEF899BE06D2C183E897C8A761A7F01D8FFB0BCD39D80F539A95BA7CCBCA6399AC440E99C9A6336FF0924A6426570E81706E0766B776CA86889D21F02 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1014 |
Entropy (8bit): | 4.572888639392753 |
Encrypted: | false |
SSDEEP: | 12:8/+3/sFgXg/XAlCPCHaXWgzBDgB/Dr8xX+WIbRsOC+CcMoicvbvBb4G+CcMkDtZS:8z/XTJ9gxOSbqiVMberBOVMkDv3q0k7N |
MD5: | BD9DF90E01CB43614E35DEDB8838C6B5 |
SHA1: | 99D832479C4D52C79B306AE2692F892C1344D976 |
SHA-256: | 6457F6D3B84DD0B88DB2E54FB069BC9E5682D4EDF9F1D14937ADE6A116D0C5CF |
SHA-512: | A2098D30076D71F5441E0FAB8C6F00B38832C09FE653C9C5382643385B1FA2DB19D4D3E5FC8F1ED61E49C1B1ABF95765414A83E2245CF5124FB065B743ADA705 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020307 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l |
MD5: | 2CF7D3B8DED3F1D5CE1AC92F3E51D4ED |
SHA1: | 95E13378EA9CACA068B2687F01E9EF13F56627C2 |
SHA-256: | 60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1 |
SHA-512: | 2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020307 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l |
MD5: | 2CF7D3B8DED3F1D5CE1AC92F3E51D4ED |
SHA1: | 95E13378EA9CACA068B2687F01E9EF13F56627C2 |
SHA-256: | 60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1 |
SHA-512: | 2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 3.1404549903653267 |
TrID: |
|
File name: | iwjvkEAIQa.rtf |
File size: | 81'327 bytes |
MD5: | 390887d6627a4de66aac8349c57a495a |
SHA1: | aec3c18736f1ab675276c7b21076b0b48c3251a7 |
SHA256: | 4aefad6748025172503bac223b804d8de0dc741483409c7f19bc29b1859ba0bb |
SHA512: | b0a8fc3d7d833d972c9b63d79725ec72cbce81ddcbd2d0f4106ca7c626ae6749b989128533f022638e2b7cb71719e5d9ad0038fc93f63e9fb2bab584df903c5a |
SSDEEP: | 1536:pcRtvbj0t9HSA0bWlK1X1Rd4sB6E1c8nchY9OIn4lOUoxemkQiQTVQpeqttSWs7L:qRFbj0t9VK1X1Rd4sBXc8ncS9OIn4l6h |
TLSH: | FF83CB2AE74F0965DF55A67B434A4B4909FCB33DB38540B179AC973437ACC2E462287C |
File Content Preview: | {\rtf1........{\*\colorshememapping617761309 \%}.{\834376866-)18?7@=2`805?@#5%?0.|=.._;?1-.3`3&_'*?%/.85%*5@:&^.:8*(3582?+3?#7?1'2_0&:'1`.0:.?~,?.54-[$.?3.2-?+'??`~.:,[|&9+%`.`.~(~?.#7??6.:8@6|:6*!5%;58?~7?;%==><+8>)606*..~?>$?-?<*..([]$30/81#.?6?-.|[;|2? |
Icon Hash: | 2764a3aaaeb7bdbf |
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit |
---|---|---|---|---|---|---|---|---|---|
0 | 00001D0Fh | no |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 07:46:57.303046942 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.592551947 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.592667103 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.592988014 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.884700060 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884759903 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884799957 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884838104 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884850979 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.884877920 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884907961 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.884907961 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.884917974 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.884943008 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.884967089 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.885027885 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.885068893 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.885072947 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.885114908 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.885210991 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.885248899 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.885268927 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.885283947 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:57.885297060 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:57.889729977 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174472094 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174560070 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174586058 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174601078 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174632072 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174642086 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174690962 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174766064 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174804926 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174814939 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174843073 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174868107 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174875975 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174902916 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.174921036 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174962997 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.174978971 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175004005 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175014973 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175043106 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175061941 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175081015 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175098896 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175120115 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175137997 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175158024 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175177097 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175205946 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175234079 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175282955 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175339937 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175389051 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175540924 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175574064 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175590038 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175645113 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175687075 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175717115 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175755978 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175767899 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175795078 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175806999 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.175827980 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.175842047 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.176214933 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.463670969 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463728905 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463767052 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463788033 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.463804007 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463833094 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.463841915 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463859081 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.463876009 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463886023 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.463912010 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.463952065 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464071035 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464129925 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464138985 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464184046 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464236021 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464270115 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464278936 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464306116 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464343071 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464349031 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464379072 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464382887 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464415073 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464418888 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464451075 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464456081 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464489937 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464512110 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464554071 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464560032 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464647055 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464685917 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464704990 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464716911 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464754105 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464788914 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464792967 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464821100 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464829922 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464857101 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464891911 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.464903116 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464936018 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.464967966 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465014935 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465037107 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465075016 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465079069 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465110064 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465116978 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465138912 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465146065 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465159893 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465182066 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465188026 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465214014 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465231895 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465281963 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465323925 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465328932 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465362072 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465452909 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465492964 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465521097 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465564013 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465589046 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465624094 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465629101 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465660095 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465662956 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465699911 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465758085 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465795040 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465801001 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465847015 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465862989 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465893984 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465912104 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465929985 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465940952 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.465967894 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.465976000 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.466002941 CEST | 80 | 49164 | 139.162.255.78 | 192.168.2.22 |
Apr 24, 2024 07:46:58.466006994 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.466042995 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:58.466468096 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:59.283389091 CEST | 49164 | 80 | 192.168.2.22 | 139.162.255.78 |
Apr 24, 2024 07:46:59.951088905 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:46:59.951142073 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:46:59.951261997 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:46:59.978286028 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:46:59.978300095 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.314070940 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.314142942 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.322590113 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.322602987 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.322930098 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.322974920 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.416712999 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.460163116 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.944133997 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.944190025 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.944197893 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.944240093 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.944536924 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.944556952 CEST | 443 | 49165 | 172.67.187.200 | 192.168.2.22 |
Apr 24, 2024 07:47:00.944575071 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Apr 24, 2024 07:47:00.944610119 CEST | 49165 | 443 | 192.168.2.22 | 172.67.187.200 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 07:46:59.241009951 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 24, 2024 07:46:59.414525032 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Apr 24, 2024 07:46:59.420968056 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 24, 2024 07:46:59.590903997 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Apr 24, 2024 07:46:59.591190100 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 24, 2024 07:46:59.760960102 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 24, 2024 07:46:59.241009951 CEST | 192.168.2.22 | 8.8.8.8 | 0xf7de | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 24, 2024 07:46:59.420968056 CEST | 192.168.2.22 | 8.8.8.8 | 0xf7de | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 24, 2024 07:46:59.591190100 CEST | 192.168.2.22 | 8.8.8.8 | 0xf7de | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 24, 2024 07:46:59.414525032 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 172.67.187.200 | A (IP address) | IN (0x0001) | false | ||
Apr 24, 2024 07:46:59.414525032 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 104.21.84.67 | A (IP address) | IN (0x0001) | false | ||
Apr 24, 2024 07:46:59.590903997 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 172.67.187.200 | A (IP address) | IN (0x0001) | false | ||
Apr 24, 2024 07:46:59.590903997 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 104.21.84.67 | A (IP address) | IN (0x0001) | false | ||
Apr 24, 2024 07:46:59.760960102 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 172.67.187.200 | A (IP address) | IN (0x0001) | false | ||
Apr 24, 2024 07:46:59.760960102 CEST | 8.8.8.8 | 192.168.2.22 | 0xf7de | No error (0) | 104.21.84.67 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49164 | 139.162.255.78 | 80 | 784 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 24, 2024 07:46:57.592988014 CEST | 339 | OUT | |
Apr 24, 2024 07:46:57.884700060 CEST | 1289 | IN |