Analysis Report Attached_File_898318.xlsb
Overview
General Information
Detection: | Ursnif |
Score: | 100 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found API chain indicative of debugger detection
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "300", "system": "7d20f8f4847cb6a63944d316a102ff61", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1612925042", "user": "3d11f4f58695dc15e71ab15cd7543d9b", "hash": "0xcf6ed071", "soft": "3"}
The extracted values are the parameters the bot reports to its controller. The "os" value 10.0_0_17134_x64 matches the analysis machine (Windows 10 64-bit v1803 is build 17134); "version" is the bot build, "server" and "id" identify the server/group the sample belongs to, and "user" and "system" are per-victim identifiers, all as recovered by the Malware Configuration Extractor. "time" is a Unix timestamp.
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(memory dump, name not preserved in this copy) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
(memory dump, name not preserved in this copy) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Rule authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
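The Sigma match above keys on a process-creation event whose parent is an Office binary and whose child is a shell or living-off-the-land binary. The following is an added example of that detection logic run over constructed Sysmon Event ID 1 style records; it is not the Sigma rule itself or code from the report. The parent and child lists approximate the published rule (consult the rule for the exact lists), and the command lines and paths in the sample events are hypothetical.

```python
"""Flag Office applications spawning shells or LOLBins from process-creation logs.

Added example, not part of the Joe Sandbox report. The parent and child lists
approximate the public Sigma rule "Microsoft Office Product Spawning Windows
Shell" that the report matched; consult the published rule for the exact lists.
The events below are constructed Sysmon Event ID 1 style records.
"""
import ntpath
from typing import Dict, Iterable, List

OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe",
    "outlook.exe", "msaccess.exe", "eqnedt32.exe",
}
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "msiexec.exe",
    "schtasks.exe", "hh.exe", "forfiles.exe", "scrcons.exe", "msbuild.exe",
}


def _image_name(path: str) -> str:
    """Case-folded file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_office_shell_spawn(event: Dict[str, str]) -> bool:
    """True when an Office binary is the parent and a shell/LOLBin is the child."""
    parent = _image_name(event.get("ParentImage", ""))
    child = _image_name(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SHELL_CHILDREN


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a compact alert record for every matching process-creation event."""
    alerts = []
    for ev in events:
        if is_office_shell_spawn(ev):
            alerts.append({
                "rule": "Microsoft Office Product Spawning Windows Shell",
                "parent": _image_name(ev["ParentImage"]),
                "child": _image_name(ev["Image"]),
                "command_line": ev.get("CommandLine", ""),
                "user": ev.get("User", ""),
            })
    return alerts


# Constructed sample events. Command lines and child paths are hypothetical;
# the Excel path is the one shown in the report's dropped-file section.
SAMPLE_EVENTS = [
    {"EventID": "1", "User": "LAB\\user",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\dropped.dll,DllRegisterServer"},
    {"EventID": "1", "User": "LAB\\user",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",          # benign print helper, no alert
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"EventID": "1", "User": "LAB\\user",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",       # shell, but not from Office
     "CommandLine": r"cmd.exe /c dir"},
    {"EventID": "1", "User": "LAB\\user",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The check is deliberately parent-to-child only. A child launched through an intermediary does not match: the report also flags "Writes registry values via WMI", and a process started via WMI has WmiPrvSE.exe as its parent, so a rule of this shape needs a companion rule on WMI-spawned children.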
Signature Overview |
---|
The evidence values behind each signature (paths, addresses, URLs, code offsets) are not present in this copy of the report; only the evidence types and their counts survive and are listed per signature below.
AV Detection: |
---|
Found malware configuration | Source: Malware Configuration Extractor (see Malware Configuration above) |
Multi AV Scanner detection for domain / URL | Source: Virustotal (perma link) |
Compliance: |
---|
Uses new MSVCR Dlls | Source: file opened |
Uses secure TLS version for HTTPS connections | Source: HTTPS traffic detected |
Binary contains paths to debug symbols | Sources: binary string; code function |
Software Vulnerabilities: |
---|
Document exploit detected (creates forbidden files) | Sources: 2 x file created |
Document exploit detected (drops PE files) | Source: file created (dropped file) |
Document exploit detected (UrlDownloadToFile) | Source: section loaded |
Document exploit detected (process start blacklist hit) | Source: process created |
Networking: |
---|
The signature names for this section were not preserved in this copy; the Signatures list above includes "Internet Provider seen in connection with other malware" (ASN evidence) and "JA3 SSL client fingerprint seen in connection with other malware" (JA3 evidence). Evidence rows by type:
Evidence type | Count |
---|---|
ASN Name | 1 |
JA3 fingerprint | 1 |
TCP traffic detected without corresponding DNS query | 12 |
HTTP traffic detected | 7 |
DNS traffic detected | 1 |
String found in binary or memory | 152 |
Network traffic detected | 2 |
HTTPS traffic detected | 1 |
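Twelve of the network evidence rows are TCP connections with no matching DNS query, which is how a hard-coded controller address shows up in a sandbox. As an added example (not from the report), the following correlates a DNS answer log against a connection log and reports TCP connections to public addresses that no earlier DNS answer explains. The key=value log format is constructed; the names and addresses are those the report lists under Contacted Domains and Contacted IPs.

```python
"""Find TCP connections to public IPs that were never returned by a DNS answer.

Added example, not from the report. The log format (key=value per line) is
constructed; the domains and addresses are the ones the report lists under
Contacted Domains and Contacted IPs.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS answer log: each line is one resolved name.
DNS_LOG = """\
ts=10.0 query=api10.laptok.at type=A answers=35.228.31.40
ts=20.0 query=urbandancecity.com type=A answers=192.185.16.102
"""

# Constructed connection log from the same host.
CONN_LOG = """\
ts=10.4 proto=tcp dst=35.228.31.40 dport=443
ts=20.2 proto=tcp dst=192.185.16.102 dport=80
ts=31.0 proto=tcp dst=139.162.190.91 dport=443
ts=33.5 proto=tcp dst=139.162.190.91 dport=443
ts=40.0 proto=tcp dst=10.0.0.1 dport=445
ts=5.0 proto=udp dst=8.8.8.8 dport=53
"""


def _parse(log: str) -> List[Dict[str, str]]:
    """Parse key=value lines into dicts, skipping blank lines."""
    records = []
    for line in log.splitlines():
        if line.strip():
            records.append(dict(kv.split("=", 1) for kv in line.split()))
    return records


def resolved_addresses(dns_log: str) -> Dict[str, List[Tuple[float, str]]]:
    """Map each answered IP to the (timestamp, queried name) pairs that produced it."""
    seen = defaultdict(list)
    for rec in _parse(dns_log):
        for ip in rec.get("answers", "").split(","):
            if ip:
                seen[ip].append((float(rec["ts"]), rec["query"]))
    return seen


def find_direct_ip_connections(dns_log: str, conn_log: str) -> Dict[str, List[Tuple[float, int]]]:
    """TCP connections to global addresses with no prior DNS answer for that IP.

    A connection counts as 'direct' when no DNS answer containing its
    destination was observed at or before the connection timestamp. Private,
    loopback and other non-global destinations are ignored, as is non-TCP
    traffic (the DNS queries themselves are UDP).
    """
    answers = resolved_addresses(dns_log)
    hits = defaultdict(list)
    for rec in _parse(conn_log):
        if rec.get("proto") != "tcp":
            continue
        dst, ts = rec["dst"], float(rec["ts"])
        if not ipaddress.ip_address(dst).is_global:
            continue
        if any(ans_ts <= ts for ans_ts, _ in answers.get(dst, [])):
            continue
        hits[dst].append((ts, int(rec["dport"])))
    return dict(hits)


if __name__ == "__main__":
    for ip, conns in find_direct_ip_connections(DNS_LOG, CONN_LOG).items():
        print(ip, conns)
```

On real telemetry the same logic needs the resolver's answers to be in view and an allowance for cached answers issued before the log window, otherwise ordinary cached traffic is flagged. The report marks 139.162.190.91 as not malicious even though its domain is unknown, which is a reminder that a direct-IP connection is a lead to pivot on, not a verdict.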
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif | Sources: 2 x file source (memory dump) |
E-Banking Fraud: |
---|
Yara detected Ursnif | Sources: 2 x file source (memory dump) |
System Summary: |
---|
Office process drops PE file | Sources: 2 x file created (dropped file) |
Writes registry values via WMI | Sources: 3 x WMI registry write |
Further evidence in this section (signature names not preserved; they belong to the entries in the Signatures list above) | 31 x code function, 1 x classification label, 5 x file created (3 of them dropped files), 1 x file read, 2 x key opened, 7 x process created, 1 x key value queried, 1 x window detected, 3 x initial sample, 1 x file opened, 1 x binary string |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif | Sources: 2 x file source (memory dump) |
Further evidence in this section | 36 x process information set, 1 x dropped PE file which has not been started, 1 x evasive API call chain, 1 x check user administrative privileges, 1 x last function, 1 x code function, 1 x API call chain |
Anti Debugging: |
---|
Found API chain indicative of debugger detection | Source: debugger detection routine |
Further evidence in this section | 12 x code function, 4 x binary or memory string, 1 x key value queried |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif | Sources: 2 x file source (memory dump) |
Remote Access Functionality: |
---|
Yara detected Ursnif | Sources: 2 x file source (memory dump) |
Mitre Att&ck Matrix |
---|
The report's matrix marks the techniques that at least one signature mapped to; the digits appended to a technique name are the per-technique signature counts as printed. Only the flagged techniques are listed here; the remaining matrix cells were unflagged template entries.
Tactic | Flagged techniques (signature count) |
---|---|
Execution | Windows Management Instrumentation (1), Native API (2), Exploitation for Client Execution (4) |
Privilege Escalation | Process Injection (2) |
Defense Evasion | Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Obfuscated Files or Information (1), Rundll32 (1) |
Discovery | System Time Discovery (1), Security Software Discovery (13), Virtualization/Sandbox Evasion (1), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (34) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (12), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
Attached_File_898318.xlsb | 0% | Virustotal | | Browse |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(domain not preserved in this copy) | 0% | Virustotal | | Browse |
(domain not preserved in this copy) | 11% | Virustotal | | Browse |
URLs |
---|
86 URL entries, all at 0% detection: 76 rated "safe" by URL Reputation, 8 rated "safe" by Avira URL Cloud and 2 at 0% on Virustotal. The URL strings are not preserved in this copy.
At analysis time no static scanner flagged the document itself, the dropped files or the unpacked PE; the 100/100 score rests on the behavioural signatures, the Yara match in memory, the extracted configuration and the 11% domain detection.
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
urbandancecity.com | 192.185.16.102 | true | false | | unknown |
api10.laptok.at | 35.228.31.40 | true | true | | unknown |
Contacted URLs |
---|
Three contacted URLs, all marked malicious, reputation unknown, no antivirus detection. The URL strings are not preserved in this copy.
URLs from Memory and Binaries |
---|
97 URLs were found in memory and binaries, none marked malicious: 70 with reputation "high" and 27 with reputation "unknown". The URL strings and their sources are not preserved in this copy.
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
35.228.31.40 | unknown (api10.laptok.at resolved to this address, see Contacted Domains) | United States | 15169 | GOOGLEUS | true |
139.162.190.91 | unknown | Netherlands | 63949 | LINODE-APLinodeLLCUS | false |
192.185.16.102 | unknown (urbandancecity.com resolved to this address) | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 350713 |
Start date: | 09.02.2021 |
Start time: | 18:40:43 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 44s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Attached_File_898318.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLSB@6/10@4/3 |
The run ended by timeout, and one signature notes that execution stopped while a process was sleeping, so later-stage behaviour may not be captured in this report.
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
Match | Context |
---|---|
api10.laptok.at | 20 other samples listed in Joe Sandbox View, all classified malicious (sample names and SHA-256 hashes not preserved in this copy) |
ASN |
---|
Match | Context |
---|---|
LINODE-APLinodeLLCUS | 20 other samples listed, all classified malicious |
GOOGLEUS | 20 other samples listed, all classified malicious |
UNIFIEDLAYER-AS-1US | 20 other samples listed, all classified malicious |
Sample names and SHA-256 hashes are not preserved in this copy. Hosting-provider ASNs such as these also carry large volumes of benign traffic, so the ASN match is context rather than an indicator on its own.
JA3 Fingerprints |
---|
Match | Context |
---|---|
37f463bf4616ecd445d4a1937da06e19 | 20 other samples listed, all classified malicious (sample names and SHA-256 hashes not preserved in this copy) |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 292864 |
Entropy (8bit): | 6.716033334198825 |
Encrypted: | false |
SSDEEP: | 3072:7m3Ztpl9Lpeyx09/34JOs7npgMJTVyMKN71TzjmDExUQQsP9+izoQiQ8QWQtQuQc:6pR+cTnylZPjmJQQsVj/Tmcss+l/ |
MD5: | B6F4155A945D241F4E5228571C2AB39C |
SHA1: | 2F4C7FD261CCFE3C4E3DE686A056251035DE489E |
SHA-256: | CE7F1D11DD7BEC82B96DC9472AB1D36CBA5E1C99F0480DBA6DD60CD3090DE320 |
SHA-512: | 5E973F8C2168CBFB3C476703FAD6C5F2E90E65C39C7CB6828F759437BDE42A1718EEC9F1BC53874326D14C4F778FCE7FA30A48065B2E36618A202921CDA98642 |
Malicious: | true |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21592 |
Entropy (8bit): | 1.7491965235907891 |
Encrypted: | false |
SSDEEP: | 48:IwJhGcpr+GwpL6G/ap8AcrGIpcmLAGvnZpvmJWGouuRqp9meGo4SuMVu1pmmuGWz:rJXZ2Zg2Ac9WaZtAyAfiFMo1MVkoP |
MD5: | B0E851D33A85E070D007195391C2B6C5 |
SHA1: | F689A186486EAE7A083F1AE20FEE7767C3365F8D |
SHA-256: | 559660D69D5A3ADEEE51476F9593B0D87B067953461A095DB492962D6D0BE876 |
SHA-512: | 15D491E6808891392A1F26CB0DC568C7E8C204029F68B8BFADBEA1A735DBA9D3A86BA341FBFB2DF6BF9619C5C53BF81A77D8B0B34E6ADA3F2707FC96330D5940 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16984 |
Entropy (8bit): | 1.5680702315474737 |
Encrypted: | false |
SSDEEP: | 48:Iw+hGcprHGwpakJhG4pQSdGrapbSOrGQpBeGHHpcAsTGUpG:r+XZRQcz6OBSOFjt2AkA |
MD5: | 25487A3F830AB47E33C53E7A483219DF |
SHA1: | 3C370BE7D4101FEC94D3274E5713254C9B3ACCCC |
SHA-256: | 2B24C29AC46623096123DE95A310F0C6BA2424BB07B93C9E7E38EE4F38BF336D |
SHA-512: | AD81FD30AF4EB42136ED9205ADD26BE42CDD5E809EC7D954A3BD84EEFEFAF162218EC44ABFAA8C22F5E66503CBCCA81FB52427D9A39D3C4DBA1C42BF53C58189 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 133103 |
Entropy (8bit): | 5.376512326572846 |
Encrypted: | false |
SSDEEP: | 1536:ucQceNqaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLLPEh:OrQ9DQW+zBX84 |
MD5: | E74EE03EC77033FFBC44F9D0E3150C17 |
SHA1: | 2AEB424ABD664F8C29D3632C086CBA4B0C0AEA1E |
SHA-256: | 64430C437AA94991F105822F91761FC5D002C6EC4E880D4DF8F0A46D4C8DFE9B |
SHA-512: | E2DD772D1BC7CBC4F5F82797BD9C8F2B5F12D3752D8F3D2F8179C47454512D5FB0ACB7913B9497836252ACDB775DFA300655B65B47032073E5ACB6ACF85428B5 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 33923 |
Entropy (8bit): | 7.68545544084692 |
Encrypted: | false |
SSDEEP: | 384:/bJTVSjT1t05IO4gCdzJ22tjSKKSYkIfE8taQO30pTVuClvHzwCFGP4yQaf5dMlU:7w1C5GjhjjRgkNOLOkyPM4rM+H |
MD5: | 4A3975F458CA57A2E7A2139AD0B1F6AC |
SHA1: | 2D39BBE49EE7AA36EE363BF8113543A8CFD45FF5 |
SHA-256: | D1A22C76ABC644665B92855CD734250DD3B3E26E5CA40A9B1D5F4AD3367F9B69 |
SHA-512: | D12F9A21000241BC04CAD957667993C2AC12F5A9B2DABA5F64D5BC1023C16FBB5E43FBF9B6A1A8B8D7444AF7C26BD2F377CEC9E7A3E2F8DE9D73F3A979EBE044 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 292864 |
Entropy (8bit): | 6.716033334198825 |
Encrypted: | false |
SSDEEP: | 3072:7m3Ztpl9Lpeyx09/34JOs7npgMJTVyMKN71TzjmDExUQQsP9+izoQiQ8QWQtQuQc:6pR+cTnylZPjmJQQsVj/Tmcss+l/ |
MD5: | B6F4155A945D241F4E5228571C2AB39C |
SHA1: | 2F4C7FD261CCFE3C4E3DE686A056251035DE489E |
SHA-256: | CE7F1D11DD7BEC82B96DC9472AB1D36CBA5E1C99F0480DBA6DD60CD3090DE320 |
SHA-512: | 5E973F8C2168CBFB3C476703FAD6C5F2E90E65C39C7CB6828F759437BDE42A1718EEC9F1BC53874326D14C4F778FCE7FA30A48065B2E36618A202921CDA98642 |
Malicious: | true |
Reputation: | low |
IE Cache URL: | https://urbandancecity.com/wp-content/cache/stats/5fe/5bc/2200.dll |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 76147 |
Entropy (8bit): | 7.741958925688105 |
Encrypted: | false |
SSDEEP: | 1536:ech4kJGZj1jky04V4Tbit7iI5DzxbPoOwP8X0oZA+vy:Th4Sqj1I4miRiI5fhoOG+6b |
MD5: | 2B61B6A837C03211466E67332F663740 |
SHA1: | F15AE7179ED30FF735DD7E2B289D1E53C570A96E |
SHA-256: | 456DF6BFF51D037FCF08E77E32A9315E2162C70030F6CE8CD90575028288E4FF |
SHA-512: | D96E89F27A1898B3451B04555B7E85DC66D57C4F45581CE0612F509BB514CF99CDDB3DC9BC18ACE995095FE0522AE10D3ED7E554CEA1EEA008CF9A10BF4CFEEA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 25657 |
Entropy (8bit): | 0.3135785170840025 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwO9lwe9l2R:kBqoxKAuvScS+hfR |
MD5: | B40C408BF1C042CC61D461CA11CB65FF |
SHA1: | 44E8763B9A53CD3535EBC904CB72180BE60F46AC |
SHA-256: | 01A7246DC1C070145F217EB19AF41FDB477A3B64F67E46EEE878C1572F76C7F6 |
SHA-512: | A45C01B6DCA983E52C5339C2234E60B9B822E0BA339C4CC44403CF4D949458D03B46369541BC45E64840A8637D51552D925260D04DC4A6B723D659BB24C0B0C1 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12917 |
Entropy (8bit): | 0.39569477813375487 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9lo69loq9lWdHZHC:kBqoIlTd5i |
MD5: | CDC89AAA216BCDA2BF23D81FE673B308 |
SHA1: | D8EE470B27E5594E45F96F4D7DBF10F327A65BC1 |
SHA-256: | B60FB7172EF3C0EC2AE5871D1E71A09045EF2893B812D51B56B35F917E963B92 |
SHA-512: | 5CF2F6DD31F40F8E6C46614B7F4826127C785421B64356746D93C35AD99573123C9B1B42054A924BF450C42D7E29562AC02D3CEAB4EB01CC1D95F618264B2C6B |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.6081032063576088 |
Encrypted: | false |
SSDEEP: | 3:RFXI6dtt:RJ1 |
MD5: | 7AB76C81182111AC93ACF915CA8331D5 |
SHA1: | 68B94B5D4C83A6FB415C8026AF61F3F8745E2559 |
SHA-256: | 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF |
SHA-512: | A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.781038613841343 |
TrID: |
|
File name: | Attached_File_898318.xlsb |
File size: | 100969 |
MD5: | a8532cadcdc6aa2ca92e78352727bd50 |
SHA1: | de9a89b9a1ac2778660695a982b9f34641fd3608 |
SHA256: | 8c54fb4a33fef841a472e5c7d92b49c1d589a8af374e510331f72fb5a4189c4a |
SHA512: | ac11ab0d7b4534584ef34e7d217f43592298f89f0d6f230fc1ab30471d99aaac1dd5e170f0097d760d9c0d7c51a1f6012b29b3ba2f4a356b2c8587a8de2af261 |
SSDEEP: | 3072:W6GiXh/woPcEMuYM76xbTD3xbqj1I4TpFFEJ/:FGix/bkJMmxP7xbkIGz2J/ |
File Content Preview: | PK..........!.._\.}...........[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74f0d0d2c6d6d0f4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "Attached_File_898318.xlsb" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 9, 2021 18:41:48.577832937 CET | 49727 | 80 | 192.168.2.6 | 139.162.190.91 |
Feb 9, 2021 18:41:48.619759083 CET | 80 | 49727 | 139.162.190.91 | 192.168.2.6 |
Feb 9, 2021 18:41:48.620371103 CET | 49727 | 80 | 192.168.2.6 | 139.162.190.91 |
Feb 9, 2021 18:41:48.621252060 CET | 49727 | 80 | 192.168.2.6 | 139.162.190.91 |
Feb 9, 2021 18:41:48.662097931 CET | 80 | 49727 | 139.162.190.91 | 192.168.2.6 |
Feb 9, 2021 18:41:48.785017967 CET | 80 | 49727 | 139.162.190.91 | 192.168.2.6 |
Feb 9, 2021 18:41:48.786403894 CET | 49727 | 80 | 192.168.2.6 | 139.162.190.91 |
Feb 9, 2021 18:41:49.003052950 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.161890030 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.163575888 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.165004015 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.323724985 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.324743986 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.324795961 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.324846983 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.324891090 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.324894905 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.324956894 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.324960947 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.324978113 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.329449892 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.329564095 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.755325079 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.916503906 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:49.916794062 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:49.918332100 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.119045019 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207824945 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207856894 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207871914 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207890987 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207909107 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207927942 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207945108 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207962036 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207973957 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207990885 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.207993984 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.208062887 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366602898 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366633892 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366651058 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366667986 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366683006 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366702080 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366722107 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366736889 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366754055 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366770029 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366781950 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366791964 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366797924 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366810083 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366827011 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366858006 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366882086 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366884947 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366902113 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366940022 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366967916 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.366970062 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.366997004 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.367013931 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.367016077 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.367032051 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.367048979 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.367069960 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.367259979 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527359009 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527385950 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527401924 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527419090 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527434111 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527450085 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527466059 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527483940 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527502060 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527517080 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527533054 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527549028 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527564049 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527580023 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527579069 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527595043 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527615070 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527631998 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527647018 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527669907 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527707100 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527723074 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527734995 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527761936 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527779102 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527795076 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527800083 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527829885 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527853012 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
Feb 9, 2021 18:41:50.527867079 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527903080 CET | 443 | 49728 | 192.185.16.102 | 192.168.2.6 |
Feb 9, 2021 18:41:50.527909994 CET | 49728 | 443 | 192.168.2.6 | 192.185.16.102 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 9, 2021 18:41:28.503180027 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:28.554065943 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:29.436470032 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:29.487951040 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:30.384464979 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:30.444377899 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:31.674437046 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:31.725266933 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:33.007389069 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:33.058994055 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:36.943169117 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:36.991944075 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:39.044589996 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:39.093472004 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:40.322514057 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:40.392273903 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:40.402009964 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:40.453510046 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:40.869976044 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:40.928534031 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:41.876198053 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:41.941788912 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:42.891485929 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:42.947746038 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:43.001004934 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:43.034580946 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:44.907017946 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:44.963862896 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:48.799129009 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:48.922972918 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:48.980077982 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:48.997062922 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:41:57.623142004 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:41:57.679775953 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:04.881876945 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:04.930968046 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:06.345839977 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:06.397499084 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:11.857353926 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:11.915786982 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:17.922410011 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:17.982613087 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:18.745208979 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:18.793952942 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:26.550574064 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:26.609859943 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:36.924678087 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:36.991856098 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:37.584804058 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:37.648559093 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:38.275429010 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:38.336774111 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:38.821417093 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:38.881702900 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:39.590432882 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:39.641513109 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:39.780750036 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:39.856774092 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:40.199032068 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:40.260950089 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:40.870405912 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:40.927604914 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:41.654792070 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:41.714569092 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:42.520677090 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:42.578167915 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:43.036566973 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:43.085257053 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:42:59.064851046 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:42:59.113509893 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:43:02.161782980 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:43:02.213485956 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:43:03.909801960 CET | 50700 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:43:03.970237970 CET | 53 | 50700 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:43:19.830799103 CET | 54069 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:43:19.884351969 CET | 53 | 54069 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:43:58.118815899 CET | 61178 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:43:58.177479029 CET | 53 | 61178 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:43:59.474664927 CET | 57017 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:43:59.782507896 CET | 53 | 57017 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:44:01.800584078 CET | 56327 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:44:02.176213980 CET | 53 | 56327 | 8.8.8.8 | 192.168.2.6 |
Feb 9, 2021 18:44:04.188833952 CET | 50243 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 9, 2021 18:44:04.250488043 CET | 53 | 50243 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 9, 2021 18:41:48.799129009 CET | 192.168.2.6 | 8.8.8.8 | 0x2d88 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:43:59.474664927 CET | 192.168.2.6 | 8.8.8.8 | 0xf710 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:44:01.800584078 CET | 192.168.2.6 | 8.8.8.8 | 0x46a2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:44:04.188833952 CET | 192.168.2.6 | 8.8.8.8 | 0xa66d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 9, 2021 18:41:48.997062922 CET | 8.8.8.8 | 192.168.2.6 | 0x2d88 | No error (0) | | | 192.185.16.102 | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:43:59.782507896 CET | 8.8.8.8 | 192.168.2.6 | 0xf710 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:44:02.176213980 CET | 8.8.8.8 | 192.168.2.6 | 0x46a2 | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
Feb 9, 2021 18:44:04.250488043 CET | 8.8.8.8 | 192.168.2.6 | 0xa66d | No error (0) | | | 35.228.31.40 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49727 | 139.162.190.91 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 9, 2021 18:41:48.621252060 CET | 145 | OUT | |
Feb 9, 2021 18:41:48.785017967 CET | 145 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.6 | 49755 | 35.228.31.40 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 9, 2021 18:43:59.877289057 CET | 5422 | OUT | |
Feb 9, 2021 18:44:00.279098034 CET | 5423 | IN |