Windows Analysis Report SWIFT - Copy - Copy.xlsx
Overview
General Information
Detection: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification

Process Tree

Malware Configuration

Threatname: FormBook
{"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}
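The configuration block above is the most actionable part of the report: FormBook stores one real C2 URL plus a long decoy list, and the implant sends traffic to decoys as well as to the real C2, so every domain is worth alerting on but only the C2 entry points at the operator. The following is an added example, not part of the sandbox output, that turns the extracted configuration into an indicator table and runs it over proxy log lines. The C2 entry and eight of the decoy domains are copied from the block above; the log lines, log format and the query parameters in them are constructed for the example.

```python
"""Turn the FormBook configuration extracted above into indicators and run
them over proxy log lines.  Added example; the sandbox report itself carries
no code."""
import json
import re
from urllib.parse import urlsplit

# The C2 entry and eight of the 64 decoy domains, copied from the
# Malware Configuration block of this report.
CONFIG_JSON = """{"C2 list": ["www.healingandhealthy.com/i6ro/"],
 "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com",
           "zdbhl.com", "becu84ts.com", "executive-air.net", "campervan.love"]}"""


def norm_host(host):
    """Lower-case and drop a leading 'www.' so config and log hosts compare equal."""
    host = host.lower().strip().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def split_url(entry):
    """Config URLs carry no scheme; urlsplit only finds the host once one is added."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return parts.hostname, parts.path or "/"


def parse_config(text):
    cfg = json.loads(text)
    return {
        "c2": [split_url(u) for u in cfg.get("C2 list", [])],
        "decoys": sorted({norm_host(d) for d in cfg.get("decoy", [])}),
    }


def indicator_table(parsed):
    """host -> role.  FormBook beacons to decoys as well as to the real C2, so
    every domain is alert-worthy; only 'c2' entries are operator infrastructure."""
    table = {d: "decoy" for d in parsed["decoys"]}
    for host, _ in parsed["c2"]:
        table[norm_host(host)] = "c2"
    return table


# Constructed proxy log format: "<ts> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"\b(?:GET|POST) https?://(?P<host>[^/\s]+)(?P<path>/\S*)")


def classify_proxy_line(line, parsed, table):
    """Return (role, host).  'c2' needs host AND the configured path prefix;
    a request to the C2 host without that path is reported as 'c2-host-only'."""
    m = LOG_RE.search(line)
    if not m:
        return None, None
    host, path = norm_host(m.group("host")), m.group("path")
    role = table.get(host)
    if role == "c2" and not any(
        norm_host(h) == host and path.startswith(p) for h, p in parsed["c2"]
    ):
        role = "c2-host-only"
    return role, host


# Constructed sample lines; not taken from the report's network capture.
SAMPLE_LOG = [
    "2021-05-01T10:00:01Z 10.0.0.7 GET http://www.healingandhealthy.com/i6ro/?zb=abcd&Q2Ab=1234 404",
    "2021-05-01T10:00:03Z 10.0.0.7 GET http://www.annahve.xyz/i6ro/?zb=abcd 200",
    "2021-05-01T10:00:05Z 10.0.0.7 GET http://www.healingandhealthy.com/ 200",
    "2021-05-01T10:00:07Z 10.0.0.7 GET http://update.example.com/x 200",
]


def scan(lines=SAMPLE_LOG, config_text=CONFIG_JSON):
    """Return [(role, host)] for every line that matches a configured domain."""
    parsed = parse_config(config_text)
    table = indicator_table(parsed)
    hits = []
    for line in lines:
        role, host = classify_proxy_line(line, parsed, table)
        if role:
            hits.append((role, host))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Matching the path as well as the host matters: many of the decoy domains are legitimate sites, and the C2 host may serve ordinary content too, so a host-only hit on the C2 domain is reported separately from a request that also carries the configured path.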
Yara Overview

Memory Dumps (31 entries; first 5 shown)

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | 
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 
 | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | 
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 

Unpacked PEs (25 entries; first 5 shown)

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | 
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 
 | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | 
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 
Sigma Overview

Exploits:
Sigma detected: EQNEDT32.EXE connecting to internet (author: Joe Security)
Sigma detected: File Dropped By EQNEDT32EXE (author: Joe Security)

System Summary:
Sigma detected: Droppers Exploiting CVE-2017-11882 (author: Florian Roth)
Sigma detected: Execution from Suspicious Folder (author: Florian Roth)
Sigma detected: Windows Processes Suspicious Parent Directory (author: vburov)
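The report gives the titles of the five Sigma rules that fired but not their matching logic. The block below is an added example, not the published rules and not part of the report, that re-implements what each title describes over Sysmon-style events (event ID 1 process creation, 3 network connection, 11 file creation, with the standard Image, ParentImage and TargetFilename fields). The suspicious-folder and system-process lists are assumed and shorter than the real rules; the events, paths and the payload name are constructed. One detail worth keeping in mind when writing the CVE-2017-11882 rule: EQNEDT32.EXE is an out-of-process OLE server started by DCOM, so its parent is svchost.exe rather than EXCEL.EXE, and the reliable key is the Equation Editor as parent of the dropped payload.

```python
"""Python re-implementation of what the five Sigma rule titles above describe,
run over constructed Sysmon-style events.  Added example: the report lists the
rule titles only, so the matching logic here approximates them and is not the
published rule text."""

# Sysmon event IDs: 1 process create, 3 network connect, 11 file create.
EQNEDT32 = "\\eqnedt32.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Folders from which nothing should normally execute (assumed, abbreviated list).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\perflogs\\", "\\$recycle.bin\\",
                   "\\windows\\temp\\", "\\users\\default\\")
# Names whose genuine images live only under System32/SysWOW64 (assumed list).
SYSTEM_PROCS = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "smss.exe", "wininit.exe"}


def _f(event, key):
    return str(event.get(key, "")).lower()


def eqnedt32_network(e):
    return e["EventID"] == 3 and _f(e, "Image").endswith(EQNEDT32)


def eqnedt32_file_drop(e):
    return e["EventID"] == 11 and _f(e, "Image").endswith(EQNEDT32)


def cve_2017_11882_dropper(e):
    # The payload's parent is the Equation Editor, not EXCEL.EXE: EQNEDT32.EXE
    # is started by DCOM (svchost.exe), so an Office -> child rule misses it.
    return e["EventID"] == 1 and _f(e, "ParentImage").endswith(EQNEDT32)


def execution_from_suspicious_folder(e):
    img = _f(e, "Image")
    return e["EventID"] == 1 and any(d in img for d in SUSPICIOUS_DIRS)


def suspicious_parent_directory(e):
    if e["EventID"] != 1:
        return False
    name = _f(e, "Image").rsplit("\\", 1)[-1]
    parent = _f(e, "ParentImage")
    return name in SYSTEM_PROCS and not parent.startswith(SYSTEM_DIRS)


RULES = [eqnedt32_network, eqnedt32_file_drop, cve_2017_11882_dropper,
         execution_from_suspicious_folder, suspicious_parent_directory]


def run_rules(events, rules=RULES):
    """Return [(rule_name, event_index)] for every rule/event pair that fires."""
    return [(r.__name__, i) for i, e in enumerate(events) for r in rules if r(e)]


EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
# Constructed events mirroring the chain the report describes; paths and the
# payload name are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": EQN, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "Image": EQN, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "Image": EQN, "TargetFilename": r"C:\Users\Public\payload.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\payload.exe", "ParentImage": EQN},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Users\Public\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:36s} event {idx}: {SAMPLE_EVENTS[idx].get('Image')}")
```

On the constructed events the Equation Editor's own start (event 1) fires nothing, which matches the report treating "Office Equation Editor has been started" as informational; the network connection, the file drop, the child process and the masquerading svchost.exe each fire one or two rules.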
Jbx Signature Overview
AV Detection:
Found malware configuration
Source: | Malware Configuration Extractor: |
Yara detected FormBook
Source: | File source: |
Antivirus detection for URL or domain
Source: | Avira URL Cloud: |
Machine Learning detection for sample
Source: | Joe Sandbox ML: |
Machine Learning detection for dropped file
Source: | Joe Sandbox ML: |
Source: | Avira: |
Exploits:
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: | Process created: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | DNS query: |
Source: | Code function: | 5_2_00406AB6 |
Source: | Code function: | 5_2_0040C3FB |
Source: | Code function: | 5_2_0041565B |
Source: | Code function: | 7_2_000EC3FB |
Source: | Code function: | 7_2_000F565B |
Source: | Code function: | 7_2_000E6AB6 |
Source: | TCP traffic: |
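The exploit signatures above and the later "OLE stream indicators" entry both rest on the same static fact: the document, despite its .xlsx extension, is handled as an OLE2 compound file and carries an Equation Editor object, which is what gets EQNEDT32.EXE started and reaches CVE-2017-11882. A genuine .xlsx is a ZIP (OOXML), so the container type itself is a triage finding. The block below is an added example, written for this page and using only the Python standard library, that walks the compound-file directory and applies two checks: whether the main stream expected for the claimed document type (WordDocument, Workbook, PowerPoint Document, VisioDocument) is present, and whether an "Equation Native" stream, the stream the Equation Editor object stores its data in, exists anywhere in the file. The sample blob is constructed by the block itself; it is not the analysed file, and the parser only follows the DIFAT slots held in the header, which is enough for files up to roughly 6.8 MB.

```python
"""Walk the directory of an OLE2 compound file (the container behind .doc/.xls/
.ppt and behind the Equation Editor object that reaches EQNEDT32.EXE) and apply
two triage checks from this report.  Added example using only the standard
library; the sample blob is constructed, not the analysed file."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
# Main stream of each binary Office format; an OOXML extension on an OLE2 body
# is mapped to the stream of the corresponding binary format.
EXPECTED_STREAM = {"doc": "WordDocument", "docx": "WordDocument", "xls": "Workbook",
                   "xlsx": "Workbook", "ppt": "PowerPoint Document",
                   "pptx": "PowerPoint Document", "vsd": "VisioDocument"}
OOXML_EXTS = ("docx", "xlsx", "pptx")


def cfb_entries(data):
    """Return [(name, object_type, size)] for every used directory entry, in
    directory order (flat, so streams inside sub-storages such as an embedded
    OLE object are listed too).  Follows only the 109 DIFAT slots in the header."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size
    first_dir = struct.unpack_from("<I", data, 48)[0]        # first directory sector
    fat = []
    for sid in struct.unpack_from("<109I", data, 76):        # header DIFAT array
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (sid + 1) * sec))
    entries, sid, seen = [], first_dir, set()
    while sid < len(fat) and sid not in seen:               # ENDOFCHAIN ends the walk
        seen.add(sid)
        base = (sid + 1) * sec
        for i in range(sec // 128):                          # 128-byte directory entries
            e = data[base + i * 128: base + (i + 1) * 128]
            name_len, otype = struct.unpack_from("<HB", e, 64)
            if otype == 0 or name_len < 2:                   # unused slot
                continue
            name = e[:name_len - 2].decode("utf-16-le")      # drop the UTF-16 terminator
            entries.append((name, otype, struct.unpack_from("<Q", e, 120)[0]))
        sid = fat[sid]
    return entries


def triage(data, ext):
    """Triage verdict for a file that claims extension `ext`."""
    ext = ext.lower()
    if data[:2] == b"PK":
        # A genuine .xlsx/.docx is a ZIP; embedded OLE objects would sit under
        # xl/embeddings/ or word/embeddings/ and go through cfb_entries after extraction.
        return {"container": "ooxml", "streams": [], "extension_mismatch": ext not in OOXML_EXTS,
                "missing_expected_stream": False, "has_equation_object": False}
    names = [n for n, t, _ in cfb_entries(data) if t in (1, 2)]   # storages and streams
    expected = EXPECTED_STREAM.get(ext)
    return {
        "container": "cfb",
        "streams": names,
        "extension_mismatch": ext in OOXML_EXTS,   # OLE2 body behind an OOXML extension
        "missing_expected_stream": expected is not None and expected not in names,
        "has_equation_object": any(n.lower() == "equation native" for n in names),
    }


def build_cfb(stream_names):
    """Construct a minimal compound file: header, one FAT sector and one directory
    sector holding the root plus the named (empty) streams.  Sibling/child tree
    pointers are left unset because cfb_entries walks the directory flat."""
    sec = 512
    hdr = bytearray(sec)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    # FAT sector count, first dir sector, txn sig, mini cutoff, mini FAT, mini FAT count, DIFAT
    struct.pack_into("<IIIIIII", hdr, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # FAT lives in sector 0
    fat = bytearray(struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126)))
    directory = bytearray(sec)
    for i, (name, otype) in enumerate([("Root Entry", 5)] + [(n, 2) for n in stream_names]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[:len(raw)] = raw
        struct.pack_into("<HBBIII", entry, 64, len(raw), otype, 1, NOSTREAM, NOSTREAM, NOSTREAM)
        struct.pack_into("<IQ", entry, 116, ENDOFCHAIN, 0)        # no data, zero length
        directory[i * 128:(i + 1) * 128] = entry
    return bytes(hdr + fat + directory)


if __name__ == "__main__":
    print(triage(build_cfb(["Workbook", "Equation Native"]), "xlsx"))
```

On a real sample the equation object usually sits inside a sub-storage (an ObjectPool or MBD storage), which is why the walk is flat rather than tree-based: the "Equation Native" stream is found wherever it is nested.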
Networking:
System process connects to network (likely due to code injection or exploit)
Source: | Domain query: |
Source: | Network Connect: |
C2 URLs / IPs found in malware configuration
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | HTTP traffic detected: |
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
E-Banking Fraud:
Yara detected FormBook
Source: | File source: |
System Summary:
Malicious sample detected (through community Yara rule)
Source: | Matched rule: |
Office equation editor drops PE file
Source: | File created: |
Source: | Matched rule: |
Source: | Code function: | 4_2_00356226 | |
Source: | Code function: | 4_2_00354368 | |
Source: | Code function: | 4_2_00356C00 | |
Source: | Code function: | 4_2_00356479 | |
Source: | Code function: | 4_2_00356720 | |
Source: | Code function: | 4_2_00354968 | |
Source: | Code function: | 4_2_00358990 | |
Source: | Code function: | 4_2_00358980 | |
Source: | Code function: | 4_2_009E11AB | |
Source: | Code function: | 5_2_0041C001 | |
Source: | Code function: | 5_2_00401030 | |
Source: | Code function: | 5_2_0041B8C3 | |
Source: | Code function: | 5_2_0041C948 | |
Source: | Code function: | 5_2_00408C80 | |
Source: | Code function: | 5_2_0041BD22 | |
Source: | Code function: | 5_2_00402D8A | |
Source: | Code function: | 5_2_00402D90 | |
Source: | Code function: | 5_2_00402FB0 | |
Source: | Code function: | 5_2_0085E0C6 | |
Source: | Code function: | 5_2_0088D005 | |
Source: | Code function: | 5_2_00863040 | |
Source: | Code function: | 5_2_0087905A | |
Source: | Code function: | 5_2_008DD06D | |
Source: | Code function: | 5_2_0085E2E9 | |
Source: | Code function: | 5_2_00901238 | |
Source: | Code function: | 5_2_009063BF | |
Source: | Code function: | 5_2_0085F3CF | |
Source: | Code function: | 5_2_008863DB | |
Source: | Code function: | 5_2_00862305 | |
Source: | Code function: | 5_2_00867353 | |
Source: | Code function: | 5_2_008AA37B | |
Source: | Code function: | 5_2_00895485 | |
Source: | Code function: | 5_2_00871489 | |
Source: | Code function: | 5_2_008E443E | |
Source: | Code function: | 5_2_0089D47D | |
Source: | Code function: | 5_2_008E05E3 | |
Source: | Code function: | 5_2_0087C5F0 | |
Source: | Code function: | 5_2_0086351F | |
Source: | Code function: | 5_2_008A6540 | |
Source: | Code function: | 5_2_00864680 | |
Source: | Code function: | 5_2_0086E6C1 | |
Source: | Code function: | 5_2_00902622 | |
Source: | Code function: | 5_2_008AA634 | |
Source: | Code function: | 5_2_008E579A | |
Source: | Code function: | 5_2_0086C7BC | |
Source: | Code function: | 5_2_008957C3 | |
Source: | Code function: | 5_2_008DF8C4 | |
Source: | Code function: | 5_2_008FF8EE | |
Source: | Code function: | 5_2_0086C85C | |
Source: | Code function: | 5_2_0088286D | |
Source: | Code function: | 5_2_0090098E | |
Source: | Code function: | 5_2_008629B2 | |
Source: | Code function: | 5_2_008769FE | |
Source: | Code function: | 5_2_008E394B | |
Source: | Code function: | 5_2_008E5955 | |
Source: | Code function: | 5_2_00913A83 | |
Source: | Code function: | 5_2_0090CBA4 | |
Source: | Code function: | 5_2_008E6BCB | |
Source: | Code function: | 5_2_0085FBD7 | |
Source: | Code function: | 5_2_008EDBDA | |
Source: | Code function: | 5_2_00887B00 | |
Source: | Code function: | 5_2_008FFDDD | |
Source: | Code function: | 7_2_025D1238 | |
Source: | Code function: | 7_2_0252E2E9 | |
Source: | Code function: | 7_2_02537353 | |
Source: | Code function: | 7_2_0257A37B | |
Source: | Code function: | 7_2_02532305 | |
Source: | Code function: | 7_2_025563DB | |
Source: | Code function: | 7_2_0252F3CF | |
Source: | Code function: | 7_2_025D63BF | |
Source: | Code function: | 7_2_0254905A | |
Source: | Code function: | 7_2_02533040 | |
Source: | Code function: | 7_2_0255D005 | |
Source: | Code function: | 7_2_0252E0C6 | |
Source: | Code function: | 7_2_0257A634 | |
Source: | Code function: | 7_2_025D2622 | |
Source: | Code function: | 7_2_0253E6C1 | |
Source: | Code function: | 7_2_02534680 | |
Source: | Code function: | 7_2_025657C3 | |
Source: | Code function: | 7_2_025B579A | |
Source: | Code function: | 7_2_0253C7BC | |
Source: | Code function: | 7_2_0256D47D | |
Source: | Code function: | 7_2_025B443E | |
Source: | Code function: | 7_2_02565485 | |
Source: | Code function: | 7_2_02541489 | |
Source: | Code function: | 7_2_02576540 | |
Source: | Code function: | 7_2_0253351F | |
Source: | Code function: | 7_2_0254C5F0 | |
Source: | Code function: | 7_2_025E3A83 | |
Source: | Code function: | 7_2_02557B00 | |
Source: | Code function: | 7_2_025BDBDA | |
Source: | Code function: | 7_2_0252FBD7 | |
Source: | Code function: | 7_2_025DCBA4 | |
Source: | Code function: | 7_2_0253C85C | |
Source: | Code function: | 7_2_0255286D | |
Source: | Code function: | 7_2_025CF8EE | |
Source: | Code function: | 7_2_025B5955 | |
Source: | Code function: | 7_2_025B394B | |
Source: | Code function: | 7_2_025469FE | |
Source: | Code function: | 7_2_025D098E | |
Source: | Code function: | 7_2_025329B2 | |
Source: | Code function: | 7_2_0254EE4C | |
Source: | Code function: | 7_2_02562E2F | |
Source: | Code function: | 7_2_0255DF7C | |
Source: | Code function: | 7_2_02540F3F | |
Source: | Code function: | 7_2_025A2FDC | |
Source: | Code function: | 7_2_025CCFB1 | |
Source: | Code function: | 7_2_0253CD5B | |
Source: | Code function: | 7_2_02560D3B | |
Source: | Code function: | 7_2_025CFDDD | |
Source: | Code function: | 7_2_000FC948 | |
Source: | Code function: | 7_2_000E8C80 | |
Source: | Code function: | 7_2_000E2D8A | |
Source: | Code function: | 7_2_000E2D90 | |
Source: | Code function: | 7_2_000E2FB0 |
Source: | Code function: | 5_2_004185E0 | |
Source: | Code function: | 5_2_00418690 | |
Source: | Code function: | 5_2_00418710 | |
Source: | Code function: | 5_2_004187C0 | |
Source: | Code function: | 5_2_004185DA | |
Source: | Code function: | 5_2_0041870B | |
Source: | Code function: | 5_2_008500C4 | |
Source: | Code function: | 5_2_00850048 | |
Source: | Code function: | 5_2_00850078 | |
Source: | Code function: | 5_2_008507AC | |
Source: | Code function: | 5_2_0084F9F0 | |
Source: | Code function: | 5_2_0084F900 | |
Source: | Code function: | 5_2_0084FAD0 | |
Source: | Code function: | 5_2_0084FAE8 | |
Source: | Code function: | 5_2_0084FBB8 | |
Source: | Code function: | 5_2_0084FB68 | |
Source: | Code function: | 5_2_0084FC90 | |
Source: | Code function: | 5_2_0084FC60 | |
Source: | Code function: | 5_2_0084FD8C | |
Source: | Code function: | 5_2_0084FDC0 | |
Source: | Code function: | 5_2_0084FEA0 | |
Source: | Code function: | 5_2_0084FED0 | |
Source: | Code function: | 5_2_0084FFB4 | |
Source: | Code function: | 5_2_008510D0 | |
Source: | Code function: | 5_2_00850060 | |
Source: | Code function: | 5_2_008501D4 | |
Source: | Code function: | 5_2_0085010C | |
Source: | Code function: | 5_2_00851148 | |
Source: | Code function: | 5_2_0084F8CC | |
Source: | Code function: | 5_2_00851930 | |
Source: | Code function: | 5_2_0084F938 | |
Source: | Code function: | 5_2_0084FAB8 | |
Source: | Code function: | 5_2_0084FA20 | |
Source: | Code function: | 5_2_0084FA50 | |
Source: | Code function: | 5_2_0084FBE8 | |
Source: | Code function: | 5_2_0084FB50 | |
Source: | Code function: | 5_2_0084FC30 | |
Source: | Code function: | 5_2_00850C40 | |
Source: | Code function: | 5_2_0084FC48 | |
Source: | Code function: | 5_2_00851D80 | |
Source: | Code function: | 7_2_025200C4 | |
Source: | Code function: | 7_2_025207AC | |
Source: | Code function: | 7_2_0251FAD0 | |
Source: | Code function: | 7_2_0251FAE8 | |
Source: | Code function: | 7_2_0251FAB8 | |
Source: | Code function: | 7_2_0251FB50 | |
Source: | Code function: | 7_2_0251FB68 | |
Source: | Code function: | 7_2_0251FBB8 | |
Source: | Code function: | 7_2_0251F900 | |
Source: | Code function: | 7_2_0251F9F0 | |
Source: | Code function: | 7_2_0251FED0 | |
Source: | Code function: | 7_2_0251FFB4 | |
Source: | Code function: | 7_2_0251FC60 | |
Source: | Code function: | 7_2_0251FDC0 | |
Source: | Code function: | 7_2_0251FD8C | |
Source: | Code function: | 7_2_02520048 | |
Source: | Code function: | 7_2_02520078 | |
Source: | Code function: | 7_2_02520060 | |
Source: | Code function: | 7_2_025210D0 | |
Source: | Code function: | 7_2_02521148 | |
Source: | Code function: | 7_2_0252010C | |
Source: | Code function: | 7_2_025201D4 | |
Source: | Code function: | 7_2_0251FA50 | |
Source: | Code function: | 7_2_0251FA20 | |
Source: | Code function: | 7_2_0251FBE8 | |
Source: | Code function: | 7_2_0251F8CC | |
Source: | Code function: | 7_2_02521930 | |
Source: | Code function: | 7_2_0251F938 | |
Source: | Code function: | 7_2_0251FE24 | |
Source: | Code function: | 7_2_0251FEA0 | |
Source: | Code function: | 7_2_0251FF34 | |
Source: | Code function: | 7_2_0251FFFC | |
Source: | Code function: | 7_2_02520C40 | |
Source: | Code function: | 7_2_0251FC48 | |
Source: | Code function: | 7_2_0251FC30 | |
Source: | Code function: | 7_2_0251FC90 | |
Source: | Code function: | 7_2_0251FD5C | |
Source: | Code function: | 7_2_02521D80 | |
Source: | Code function: | 7_2_000F85E0 | |
Source: | Code function: | 7_2_000F8690 | |
Source: | Code function: | 7_2_000F8710 | |
Source: | Code function: | 7_2_000F87C0 | |
Source: | Code function: | 7_2_000F85DA | |
Source: | Code function: | 7_2_000F870B |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Section loaded: |
Source: | Memory allocated: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Section loaded: |
Source: | Binary or memory string: |
Source: | File read: |
Source: | Window detected: |
Source: | File opened: |
Source: | Key opened: |
Source: | File opened: |
Source: | Static file information: |
Source: | Binary string: |
Source: | Initial sample: |
Data Obfuscation:
.NET source code contains potential unpacker
Source: | .Net Code: |
.NET source code contains method to dynamically call methods (often used by packers)
Source: | .Net Code: |
Source: | Code function: | 4_2_010E9A37 | |
Source: | Code function: | 4_2_010E976C | |
Source: | Code function: | 4_2_010EA151 | |
Source: | Code function: | 5_2_0041B828 | |
Source: | Code function: | 5_2_0041B892 | |
Source: | Code function: | 5_2_0041B892 | |
Source: | Code function: | 5_2_004153E9 | |
Source: | Code function: | 5_2_00415C57 | |
Source: | Code function: | 5_2_0041CD76 | |
Source: | Code function: | 5_2_00414EB0 | |
Source: | Code function: | 5_2_0041CF74 | |
Source: | Code function: | 5_2_0041B828 | |
Source: | Code function: | 5_2_010EA151 | |
Source: | Code function: | 5_2_010E9A37 | |
Source: | Code function: | 5_2_010E976C | |
Source: | Code function: | 7_2_0252DFB4 | |
Source: | Code function: | 7_2_000F53E9 | |
Source: | Code function: | 7_2_000FB828 | |
Source: | Code function: | 7_2_000FB892 | |
Source: | Code function: | 7_2_000FB828 | |
Source: | Code function: | 7_2_000FB892 | |
Source: | Code function: | 7_2_000F5C57 | |
Source: | Code function: | 7_2_000FCD76 | |
Source: | Code function: | 7_2_000F4EB0 | |
Source: | Code function: | 7_2_000FCF74 |
Source: | Static PE information: |
Source: | File created: |
Source: | File created: |
Boot Survival:
Drops PE files to the user root directory
Source: | File created: |
Source: | Key value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion:
Yara detected AntiVM3
Source: | File source: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements
Source: | RDTSC instruction interceptor: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Code function: | 5_2_004088D0 |
Source: | Thread delayed: |
Source: | Process information queried: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Code function: | 5_2_004088D0 |
Source: | Process token adjusted: |
Source: | Code function: | 5_2_008626F8 |
Source: | Code function: | 7_2_025326F8 |
Source: | Process queried: |
Source: | Code function: | 5_2_00409B40 |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) | Show sources |
Source: | Domain query: | |||
Source: | Domain query: | |||
Source: | Network Connect: | Jump to behavior | ||
Source: | Domain query: | |||
Source: | Network Connect: | Jump to behavior | ||
Source: | Domain query: | |||
Source: | Domain query: | |||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Sample uses process hollowing technique | Show sources |
Source: | Section unmapped: | Jump to behavior |
Maps a DLL or memory area into another process | Show sources |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Stealing of Sensitive Information: |
---|
Yara detected FormBook
Remote Access Functionality: |
---|
Yara detected FormBook
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Shared Modules1 | DLL Side-Loading1 | Process Injection612 | Masquerading111 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Modify Registry1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol114 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 100% | Joe Sandbox ML | | |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.ZPACK.Gen | | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | | |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 3% | Virustotal | | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.luckyfandom.com | 118.67.131.217 | true | true | | unknown |
mikeloayza.com | 131.153.37.4 | true | true | | unknown |
bitcointradel.com | 162.0.209.73 | true | true | | unknown |
executive-air.net | 34.102.136.180 | true | false | | unknown |
www.fisioletsgo.com | 216.239.34.21 | true | false | | unknown |
www.executive-air.net | unknown | unknown | true | | unknown |
www.bitcointradel.com | unknown | unknown | true | | unknown |
www.freeadakahamazon.com | unknown | unknown | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| false | | unknown |
| true | | unknown |
| true | | low |
| false | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | low |
| | false | | low |
| | false | | high |
| | false | | high |
| | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
162.0.209.73 | bitcointradel.com | Canada | | 35893 | ACPCA | true |
216.239.34.21 | www.fisioletsgo.com | United States | | 15169 | GOOGLEUS | false |
118.67.131.217 | www.luckyfandom.com | Korea, Republic of | | 24395 | CLEAR-AS-APClearNetworksPtyLtdAU | true |
34.102.136.180 | executive-air.net | United States | | 15169 | GOOGLEUS | false |
131.153.37.4 | mikeloayza.com | United States | | 20454 | SSASN2US | true |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 553293 |
Start date: | 14.01.2022 |
Start time: | 16:03:14 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | SWIFT - Copy - Copy.xlsx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLSX@9/6@6/5 |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
16:03:46 | API Interceptor | |
16:03:51 | API Interceptor | |
16:04:12 | API Interceptor | |
16:04:57 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
118.67.131.217 | | | malicious | | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLEAR-AS-APClearNetworksPtyLtdAU | | | malicious | | |
SSASN2US | | | malicious | | |
ACPCA | | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | | | malicious | | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 601600 |
Entropy (8bit): | 7.208019029819951 |
Encrypted: | false |
SSDEEP: | 12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY |
MD5: | 25EE51200E7D86AB2C531748E5C01C72 |
SHA1: | 6BE3C75759C1F9428299B82394DEAFAD3B165D57 |
SHA-256: | 33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0 |
SHA-512: | B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F |
Malicious: | true |
Reputation: | low |
IE Cache URL: | https://mikeloayza.com/E9/i4L.exe |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 241 |
Entropy (8bit): | 5.144431573763422 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwol6hEr6VX16hu9nPfV8Ni+KqD:J0+ox0RJWWP98zT |
MD5: | 5C1BF763B986387E9E117DABF2FB37BC |
SHA1: | 29F8142D2580878381BBB0DFD7D333C924C24093 |
SHA-256: | 9A0E4DD90EF8EFA0B54BBF9C1A810F227A9C4BA08AD315470A2BC519023F5DB0 |
SHA-512: | 48397E5342820C32752A23EFC6D6776784ADA4950C591A21373B06DABA50467B489761C6018660D518B448A6B6F7121382DA33F916AC06905C1005952361B176 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.1464700112623651 |
Encrypted: | false |
SSDEEP: | 3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X |
MD5: | 72F5C05B7EA8DD6059BF59F50B22DF33 |
SHA1: | D5AF52E129E15E3A34772806F6C5FBF132E7408E |
SHA-256: | 1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164 |
SHA-512: | 6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1708032 |
Entropy (8bit): | 7.361455956824453 |
Encrypted: | false |
SSDEEP: | 49152:+QKkr5BOPqqENGfJbDan2Kmg6RsOEX0q:+Q7sNEYNDw |
MD5: | 1A8EF3975ACA5EEFAE5D35CFA752A22B |
SHA1: | D4400575CB198B054E2FEED616010C57AD07525F |
SHA-256: | 17026E92707F76D3A8BE214E3EEA223A2A7630E162923B159DF6193837E0F91F |
SHA-512: | B14A70C0BA99CDA8231C3419AC1B5F0EDB1AD3C451BE2B9E449E5FBA5C771FE0E24604F61DBA8D107088DFAE67C3A213B5017CE59AC2F1EBEA452E9B0FEFAB45 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 601600 |
Entropy (8bit): | 7.208019029819951 |
Encrypted: | false |
SSDEEP: | 12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY |
MD5: | 25EE51200E7D86AB2C531748E5C01C72 |
SHA1: | 6BE3C75759C1F9428299B82394DEAFAD3B165D57 |
SHA-256: | 33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0 |
SHA-512: | B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.998825501408383 |
TrID: |
|
File name: | SWIFT - Copy - Copy.xlsx |
File size: | 1400294 |
MD5: | 338cbe8a882d7c941afe2cf895055bd5 |
SHA1: | f081a9d12054b2e1a59d3eae4fa65059db634268 |
SHA256: | 097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a |
SHA512: | 544deb29896756b4391cd46cd0e76154c837530a5e2512ef03c6dc90145f98d43b6c7469625ad082bfc0929940177808e62d3deafd6412a626f1c0301adc32d6 |
SSDEEP: | 24576:Ggp3MkrfAEnTlQdzPqdACoEh1GxdIGbHXMFxPrt/Qe6KxwfqI+WSKbjqRJc3satR:/Mkr1ZsPqkEDGbfbH4L2sESKbCc3Ptek |
File Content Preview: | PK...........T>...............[Content_Types].xmlUT...C..aC..aC..a.U.N.0..#.....q........7.......m<...=...............3.xx.h\1..6.J...(..`..T....w".$..r.C%....|.o......=V.&.gR...QX.....Cj..k....TM@....R.O..G.C....@...{..V5.#.N....9(.O..+`.....Y.....7....x |
File Icon |
---|
Icon Hash: | e4e2aa8aa4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/553293/sample/SWIFT - Copy - Copy.xlsx" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16T00:00:00Z |
Last Saved Time: | 2021-04-20T13:49:29Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
Streams |
---|
Stream Path: \x1oLe10nAtiVE, File Type: data, Stream Size: 1687673 |
---|
General | |
---|---|
Stream Path: | \x1oLe10nAtiVE |
File Type: | data |
Stream Size: | 1687673 |
Entropy: | 7.35599527556 |
Base64 Encoded: | True |
Data ASCII: | . ) ; . . 5 & . { . . . . . . . . . c % ~ . M . . 8 . . . . . . 5 . . . . 0 . . 2 Q . . . . . # . . . | . . . . . . . . E . u . V . / B ~ . . . . e S . z . . Q M p . & 5 . . . . . x . w v z . . W w . . . s . n . . 7 _ . . . . . . . < . . . / . . . . . . . k . K $ . B A h N . g . 4 . < s . . A # . . F A . . . . . . + . % . . . . ! . % . . J . . ! . . . P . . . T . B . v J d . . . . . V J g v . a . . . . . g . \\ t i ` . . K ) / . . v . . 4 . . . . . . ; . . = . . . . . . . 4 % . i d . w . . N c e . . . " . |
Data Raw: | d0 29 3b 06 02 35 26 e3 7b ee 01 08 f7 a0 b8 bd bf e7 63 25 7e bd 4d 8c 8b 38 8b 0f ba b3 e6 15 35 81 c2 fd 80 30 cb 8b 32 51 ff d6 05 8d c2 23 01 05 02 7c e7 fe ff e0 e4 82 dd 0c 45 00 75 cc 56 d8 2f 42 7e a4 01 c7 20 b6 65 53 c3 7a f4 cc 51 4d 70 0d 26 35 fe b8 06 9c a4 78 89 77 76 7a e1 2e 57 77 06 a4 03 73 ff 6e bd 1a 37 5f 1b d5 a6 7f fe 8c ef 3c d1 a2 dc 2f b0 9d 9e f4 e8 ad |
Stream Path: HDsuMKhCbfmuqyxLqNuKc, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | HDsuMKhCbfmuqyxLqNuKc |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/14/22-16:06:04.365376 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2022 16:04:36.433718920 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.433813095 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.433875084 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.433945894 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434010983 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.434338093 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434437990 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434472084 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.434484959 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434494019 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.434520006 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.434773922 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434839010 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.434870005 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.434947968 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.435249090 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.435309887 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.435323954 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.435380936 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.435676098 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.435748100 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.435750008 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.435762882 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.435803890 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.436230898 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.436317921 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.436326027 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.436342955 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.436388016 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.441907883 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471496105 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.471570969 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.471681118 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471705914 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.471729994 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471740961 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471770048 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471851110 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.471901894 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.471914053 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.471965075 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.472717047 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.617836952 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.617923021 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.618017912 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.618058920 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.618083000 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.618094921 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.618153095 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.618432999 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.620714903 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.620768070 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.620882034 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.620888948 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.620908022 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.620985031 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621057034 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621068001 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621084929 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621098042 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621129990 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621150017 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621157885 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621221066 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621268988 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621279955 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621298075 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621320963 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621325970 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:36.621361971 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.621411085 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.629693031 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.640779972 CET | 49168 | 443 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:04:36.640815020 CET | 443 | 49168 | 131.153.37.4 | 192.168.2.22 |
Jan 14, 2022 16:04:38.035305023 CET | 49167 | 80 | 192.168.2.22 | 131.153.37.4 |
Jan 14, 2022 16:05:43.605257988 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.622224092 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.622328043 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.622512102 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.639312029 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705197096 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705229998 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705254078 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705276012 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705297947 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705321074 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705343008 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705363989 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705384970 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705406904 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.705429077 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.705467939 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.705574036 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.724138975 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.724184990 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.724282026 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.724307060 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.724663973 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.724688053 CET | 80 | 49169 | 216.239.34.21 | 192.168.2.22 |
Jan 14, 2022 16:05:43.724720955 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:43.724736929 CET | 49169 | 80 | 192.168.2.22 | 216.239.34.21 |
Jan 14, 2022 16:05:53.746768951 CET | 49171 | 80 | 192.168.2.22 | 162.0.209.73 |
Jan 14, 2022 16:05:53.933163881 CET | 80 | 49171 | 162.0.209.73 | 192.168.2.22 |
Jan 14, 2022 16:05:53.933317900 CET | 49171 | 80 | 192.168.2.22 | 162.0.209.73 |
Jan 14, 2022 16:05:53.933439016 CET | 49171 | 80 | 192.168.2.22 | 162.0.209.73 |
Jan 14, 2022 16:05:54.111656904 CET | 80 | 49171 | 162.0.209.73 | 192.168.2.22 |
Jan 14, 2022 16:05:54.111696959 CET | 80 | 49171 | 162.0.209.73 | 192.168.2.22 |
Jan 14, 2022 16:05:54.111931086 CET | 49171 | 80 | 192.168.2.22 | 162.0.209.73 |
Jan 14, 2022 16:05:54.111978054 CET | 49171 | 80 | 192.168.2.22 | 162.0.209.73 |
Jan 14, 2022 16:05:54.279328108 CET | 80 | 49171 | 162.0.209.73 | 192.168.2.22 |
Jan 14, 2022 16:06:04.229212999 CET | 49172 | 80 | 192.168.2.22 | 34.102.136.180 |
Jan 14, 2022 16:06:04.249311924 CET | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Jan 14, 2022 16:06:04.249404907 CET | 49172 | 80 | 192.168.2.22 | 34.102.136.180 |
Jan 14, 2022 16:06:04.249555111 CET | 49172 | 80 | 192.168.2.22 | 34.102.136.180 |
Jan 14, 2022 16:06:04.269602060 CET | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Jan 14, 2022 16:06:04.365375996 CET | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Jan 14, 2022 16:06:04.365398884 CET | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Jan 14, 2022 16:06:04.365621090 CET | 49172 | 80 | 192.168.2.22 | 34.102.136.180 |
Jan 14, 2022 16:06:04.365680933 CET | 49172 | 80 | 192.168.2.22 | 34.102.136.180 |
Jan 14, 2022 16:06:04.384483099 CET | 80 | 49172 | 34.102.136.180 | 192.168.2.22 |
Jan 14, 2022 16:06:09.673098087 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:12.678507090 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:18.685014009 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:19.047472954 CET | 80 | 49173 | 118.67.131.217 | 192.168.2.22 |
Jan 14, 2022 16:06:19.047573090 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:19.047626972 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:19.415909052 CET | 80 | 49173 | 118.67.131.217 | 192.168.2.22 |
Jan 14, 2022 16:06:19.428003073 CET | 80 | 49173 | 118.67.131.217 | 192.168.2.22 |
Jan 14, 2022 16:06:19.428040028 CET | 80 | 49173 | 118.67.131.217 | 192.168.2.22 |
Jan 14, 2022 16:06:19.428190947 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:19.428250074 CET | 49173 | 80 | 192.168.2.22 | 118.67.131.217 |
Jan 14, 2022 16:06:19.793454885 CET | 80 | 49173 | 118.67.131.217 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2022 16:04:33.695847034 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:04:33.875735044 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
Jan 14, 2022 16:05:43.551692963 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:05:43.590673923 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22 |
Jan 14, 2022 16:05:53.711869001 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:05:53.744340897 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22 |
Jan 14, 2022 16:05:59.160648108 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:05:59.182547092 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22 |
Jan 14, 2022 16:06:04.200428963 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:06:04.228068113 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22 |
Jan 14, 2022 16:06:09.376717091 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 14, 2022 16:06:09.671801090 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 14, 2022 16:04:33.695847034 CET | 192.168.2.22 | 8.8.8.8 | 0x5e41 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:43.551692963 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:53.711869001 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:59.160648108 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:06:04.200428963 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:06:09.376717091 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 14, 2022 16:04:33.875735044 CET | 8.8.8.8 | 192.168.2.22 | 0x5e41 | No error (0) | | | 131.153.37.4 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | | | 216.239.34.21 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | | | 216.239.32.21 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | | | 216.239.38.21 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | | | 216.239.36.21 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | | bitcointradel.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | | | 162.0.209.73 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:05:59.182547092 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | | executive-air.net | | CNAME (Canonical name) | IN (0x0001) |
Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | | | 34.102.136.180 | A (IP address) | IN (0x0001) |
Jan 14, 2022 16:06:09.671801090 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | | | 118.67.131.217 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49168 | 131.153.37.4 | 443 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49167 | 131.153.37.4 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 14, 2022 16:04:34.101399899 CET | 0 | OUT | |
Jan 14, 2022 16:04:34.291004896 CET | 1 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 216.239.34.21 | 80 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 14, 2022 16:05:43.622512102 CET | 612 | OUT | |
Jan 14, 2022 16:05:43.705197096 CET | 614 | IN | |