Analysis Report

Overview

General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 18.0.0 |
| Analysis ID | 223569 |
| Start time | 19:45:48 |
| Joe Sandbox Product | Cloud |
| Start date | 22.02.2017 |
| Overall analysis duration | 0h 9m 36s |
| Report type | full |
| Sample file name | huuliin-tusul-offsh-20160918.doc |
| Cookbook file name | defaultwindowsofficecookbook.jbs |
| Analysis system description | Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
| Number of new started processes analysed | 13 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Detection | MAL |
| Classification | mal100.evad.expl.troj.winDOC@13/14@4/3 |
Detection

| Strategy | Score | Range |
|---|---|---|
| Threshold | 100 | 0 - 100 |

Confidence

| Strategy | Score | Range | Further Analysis Required? |
|---|---|---|---|
| Threshold | 5 | 0 - 5 | false |
Analysis Advice

- Sample monitors Window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
- Sample sleeps for a long time; analyze it with the 'Bypass long sleeps' cookbook
- Sample tries to load a library which is not present or installed on the analysis machine; update the analysis machine
Signature Overview
Software Vulnerabilities

| Signature | Source | Indicator |
|---|---|---|
| Potential document exploit detected (performs DNS queries) | global traffic | DNS query |
| Potential document exploit detected (performs HTTP gets) | global traffic | TCP traffic |
| Potential document exploit detected (unknown TCP traffic) | global traffic | TCP traffic |
| Document exploit detected (process start blacklist hit) | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created |
Networking

| Signature | Source | Indicator |
|---|---|---|
| Contains functionality to download additional files from the internet | C:\Windows\System32\userinit.exe | Code function 10_2_000613CD |
| Downloads compressed data via HTTP | global traffic | HTTP traffic detected |
| Downloads files | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created |
| Downloads files from webservers via HTTP | global traffic | HTTP traffic detected (3 entries) |
| Found strings which match to known social media urls | regsvr32.exe; powershell.exe | String found in binary or memory (5 entries) |
| Performs DNS lookups | unknown | DNS traffic detected |
| Urls found in memory or binary data | powershell.exe; WINWORD.EXE; regsvr32.exe | String found in binary or memory (38 entries) |
| HTTP GET or POST without a user agent | global traffic | HTTP traffic detected (2 entries) |
| Uses a known web browser user agent for HTTP communication | global traffic | HTTP traffic detected |
| Detected non-DNS traffic on DNS port | global traffic | TCP traffic |
Boot Survival

| Signature | Source | Indicator |
|---|---|---|
| Creates an autostart registry key | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified (2 entries) |
| Creates autostart registry keys with suspicious values (likely registry only malware) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified |
Data Obfuscation

| Signature | Source | Indicator |
|---|---|---|
| Registers a DLL | unknown | Process created |
| Document contains an embedded VBA with many string operations indicating source code obfuscation | huuliin-tusul-offsh-20160918.doc; VBA code instrumentation | Stream path 'Macros/VBA/ThisDocument'; OLE, VBA macro, high number of string operations, Name: ThisDocument |
System Summary

| Signature | Source | Indicator |
|---|---|---|
| Checks whether correct version of .NET is installed | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened |
| Found graphical window changes (likely an installer) | Window Recorder | Window detected |
| Uses Microsoft Silverlight | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened |
| Checks if Microsoft Office is installed | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened |
| Uses new MSVCR Dlls | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened |
| Binary contains paths to debug symbols | | Binary string (3 entries) |
| Document has a 'bytes' value indicative for goodware | huuliin-tusul-offsh-20160918.doc | Initial sample |
| Binary contains paths to development resources | WINWORD.EXE | Binary or memory string |
| Classification label | classification engine | Classification label |
| Contains functionality to adjust token privileges (e.g. debug / backup) | C:\Windows\System32\userinit.exe | Code function 10_2_00560000 |
| Creates files inside the user directory | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created |
| Creates temporary files | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created |
| Document contains an OLE Word Document stream indicating a Microsoft Word file | huuliin-tusul-offsh-20160918.doc | OLE indicator, Word Document stream |
| Document contains summary information with irregular field values | huuliin-tusul-offsh-20160918.doc | OLE document summary |
| Found command line output | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write (2 entries) |
| Parts of this application are using the .NET runtime (probably coded in C#) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (6 entries) |
| Reads ini files | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read |
| Reads software policies | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened |
| Spawns processes | unknown (7 entries); C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; C:\Windows\System32\regsvr32.exe; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries); C:\Windows\System32\cmd.exe | Process created |
| Uses an in-process (OLE) Automation server | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried |
| Creates mutexes | C:\Windows\System32\userinit.exe; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 entries) | Mutant created |
| Document contains embedded VBA macros | huuliin-tusul-offsh-20160918.doc | OLE indicator, VBA macros |
| Reads the hosts file | C:\Windows\System32\regsvr32.exe; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; C:\Windows\System32\userinit.exe | File read |
| Tries to load missing DLLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (4 entries) |
| Blacklisted process start detected (Windows program) | C:\Windows\System32\regsvr32.exe | Process created |
| Document contains an embedded VBA macro which executes code when the document is opened / closed | huuliin-tusul-offsh-20160918.doc; VBA code instrumentation | OLE, VBA macro line; OLE, VBA macro, Name: Document_Open |
| Document contains an embedded VBA macro which may execute processes | huuliin-tusul-offsh-20160918.doc; VBA code instrumentation | OLE, VBA macro line; OLE, VBA macro, Name: Execute |
HIPS / PFW / Operating System Protection Evasion

| Signature | Source | Indicator |
|---|---|---|
| May try to detect the Windows Explorer process (often used for injection) | userinit.exe | Binary or memory string (3 entries) |
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) | unknown; C:\Windows\System32\regsvr32.exe | Process created |
| Allocates memory in foreign processes | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated |
| Bypasses PowerShell execution policy | unknown | Process created |
| Encrypted powershell cmdline option found | unknown; C:\Windows\System32\regsvr32.exe | Process created |
| Executes SCT (Windows Script Component) via regsvr32 | unknown; C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created |
| Modifies the context of a thread in another process (thread injection) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set |
| Writes to foreign memory regions | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written |
| System process connects to network (likely due to code injection or exploit) | C:\Windows\System32\userinit.exe; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect |
Anti Debugging

| Signature | Source | Indicator |
|---|---|---|
| Creates guard pages, often used to prevent reverse engineering and debugging | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated |
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | C:\Windows\System32\regsvr32.exe | System information queried |
| Contains functionality for execution timing, often used to detect debuggers | C:\Windows\System32\userinit.exe | Code function 10_2_00060DFA |
| Enables debug privileges | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 entries); C:\Windows\System32\userinit.exe | Process token adjusted |
Malware Analysis System Evasion

| Signature | Source | Indicator |
|---|---|---|
| Queries a list of all running processes | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried |
| Contains functionality for execution timing, often used to detect debuggers | C:\Windows\System32\userinit.exe | Code function 10_2_00060DFA |
| Contains long sleeps (>= 3 min) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed |
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | C:\Windows\System32\userinit.exe | Window / User API |
| May sleep (evasive loops) to hinder dynamic analysis | C:\Windows\System32\regsvr32.exe (TID 3040); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (TIDs 3228, 3200, 3316); C:\Windows\System32\userinit.exe (TIDs 3340, 3336, 3404, 3400) | Thread sleep time; Thread sleep count (TID 3404) |
| Sample execution stops while process was sleeping (likely an evasion) | C:\Windows\System32\userinit.exe | Last function |
Hooking and other Techniques for Hiding and Protection

| Signature | Source | Indicator |
|---|---|---|
| Disables application error messages (SetErrorMode) | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (3 entries); C:\Windows\System32\regsvr32.exe; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 entries); C:\Windows\System32\userinit.exe | Process information set |
| Starts Microsoft Word (often done to prevent the user from noticing that something is wrong) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created |
| Creates and opens a fake document (probably a decoy document to hide the exploitation) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created |
Language, Device and Operating System Detection

| Signature | Source | Indicator |
|---|---|---|
| Queries the cryptographic machine GUID | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried |
| Queries the installation date of Windows | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key value queried (2 entries); Key value queried |
| Queries the volume information (name, serial number etc) of a device | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (27 entries) |
Behavior Graph

Yara Overview

No Yara matches

Screenshot

Startup
Created / dropped Files
Contacted Domains/Contacted IPs

Contacted Domains

| Name | IP | Active |
|---|---|---|
| help.googleplusupport.com | 116.193.154.28 | true |
| www.geocities.jp | 118.151.231.180 | true |
| service.microsoft-onedrive.com | 116.193.154.28 | true |

Contacted IPs

| IP | Country | ASN | ASN Name |
|---|---|---|---|
| 8.8.8.8 | United States | 15169 | Google Inc |
| 118.151.231.180 | Japan | 23816 | for assignment to JPNIC members |
| 116.193.154.28 | unknown | 37974 | National Communications Corporation Limited |
Static File Info

General

| Field | Value |
|---|---|
| File name | huuliin-tusul-offsh-20160918.doc |
| File size | 54784 bytes |
| MD5 | 614875cf37898562aa115a64f17b0117 |
| SHA1 | 9c94d6b63913ed764484087e1c354dc9e48cf4b8 |
| SHA256 | 06544bb3986468b1b37e861bd7e88f1ab48b64e7cd4664fcb3ef5eff7c08aeae |
| SHA512 | 27c31efa177e0aa195fe42bc5b839db75bdef7a17e5afd380c7513409c13f887475e627e364a5147e8dcda3038432354aa9afe82b5da08e8877a5b4ec85bfbf2 |
Static OLE Info

General

| Field | Value |
|---|---|
| Document Type | OLE |
| Number of OLE Files | 1 |

OLE File "huuliin-tusul-offsh-20160918.doc"

Indicators

| Indicator | Value |
|---|---|
| Has Summary Info | True |
| Application Name | Microsoft Office Word |
| Encrypted Document | False |
| Contains Word Document Stream | True |
| Contains Workbook/Book Stream | False |
| Contains PowerPoint Document Stream | False |
| Contains Visio Document Stream | False |
| Contains ObjectPool Stream | False |
| Flash Objects Count | 0 |
| Contains VBA Macros | True |

Summary

| Field | Value |
|---|---|
| Code Page | 936 |
| Title | |
| Subject | |
| Author | Administrator |
| Keywords | |
| Comments | |
| Template | Normal |
| Last Saved By | Windows |
| Revision Number | 2 |
| Total Edit Time | 60 |
| Create Time | 2016-08-16 09:47:00 |
| Last Saved Time | 2016-09-21 14:26:00 |
| Number of Pages | 1 |
| Number of Words | 9 |
| Number of Characters | 54 |
| Creating Application | Microsoft Office Word |
| Security | 0 |

Document Summary

| Field | Value |
|---|---|
| Document Code Page | 936 |
| Category | |
| Presentation Target Format | |
| Number of Bytes | 0 |
| Number of Lines | 1 |
| Number of Paragraphs | 1 |
| Number of Slides | 0 |
| Number of Pages with Notes | 0 |
| Number of Hidden Slides | 0 |
| Number of Sound/Video Clips | 0 |
| Thumbnail Scaling Desired | False |
| Manager | |
| Company | |
| Contains Dirty Links | False |
| Shared Document | False |
| Changed Hyperlinks | False |
| Application Version | 917504 |
Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2470

General

| Field | Value |
|---|---|
| Stream Path | Macros/VBA/ThisDocument |
| VBA File Name | ThisDocument.cls |
| Stream Size | 2470 |
VBA Code with Deobfuscations

VBA Code
Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 110

General

| Field | Value |
|---|---|
| Stream Path | \x1CompObj |
| File Type | data |
| Stream Size | 110 |
| Entropy | 4.29316043672 |
| Base64 Encoded | True |
| Data (decoded preview) | Microsoft Word 97-2003 文档 (GBK bytes ce c4 b5 b5) ... MSWordDoc ... Word.Document.8 |
Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General

| Field | Value |
|---|---|
| Stream Path | \x5DocumentSummaryInformation |
| File Type | Unicode text, UTF-32, big-endian |
| Stream Size | 4096 |
| Entropy | 0.464781593891 |
| Base64 Encoded | True |
Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General

| Field | Value |
|---|---|
| Stream Path | \x5SummaryInformation |
| File Type | Unicode text, UTF-32, big-endian |
| Stream Size | 4096 |
| Entropy | 0.492957224922 |
| Base64 Encoded | False |
Stream Path: 1Table, File Type: data, Stream Size: 7581

General

| Field | Value |
|---|---|
| Stream Path | 1Table |
| File Type | data |
| Stream Size | 7581 |
| Entropy | 5.9559349027 |
| Base64 Encoded | True |
Stream Path: Data, File Type: data, Stream Size: 24902

General

| Field | Value |
|---|---|
| Stream Path | Data |
| File Type | data |
| Stream Size | 24902 |
| Entropy | 7.8542802009 |
| Base64 Encoded | True |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 379

General

| Field | Value |
|---|---|
| Stream Path | Macros/PROJECT |
| File Type | ASCII text, with CRLF, CR line terminators |
| Stream Size | 379 |
| Entropy | 5.33286442263 |
| Base64 Encoded | True |

Data (decoded preview, truncated at the end of the captured bytes):

```
ID="{6474A9EB-1960-4830-9223-1337A9E1AB55}"
Document=ThisDocument/&H00000000
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="8D8F116A13AF17AF17AF17AF17"
DPB="CECC5229D22B122C122C12"
GC="0F0D93E89568D769D76928"

[HostExtender
```
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 41 |
Entropy: | 3.07738448508 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00 |
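The Macros/PROJECT and Macros/PROJECTwm streams above are the VBA project's metadata as defined in MS-OVBA. The Python below is an added example and is not code from the Joe Sandbox report: it rebuilds the 41 PROJECTwm bytes from the Data Raw field, recomputes the Entropy figure the report prints for that stream, lists the module names the stream declares, and decrypts the CMG, DPB and GC properties of the PROJECT stream with the MS-OVBA 2.4.3.3 algorithm to recover the project's protection state, password and visibility flags. The PROJECT text is transcribed from the Data ASCII field, which the report cuts off at the Host Extender section, so only the lines visible there are included; the stream's trailing content is not reconstructed.

```python
"""Added example: decode the VBA project metadata streams printed in the report."""
from __future__ import annotations

import math

# Macros/PROJECTwm, 41 bytes, copied from the report's Data Raw field.
PROJECTWM_HEX = (
    "54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 "
    "63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00"
)

# Macros/PROJECT, transcribed from the report's Data ASCII field (truncated there).
PROJECT_TEXT = (
    'ID="{6474A9EB-1960-4830-9223-1337A9E1AB55}"\r\n'
    "Document=ThisDocument/&H00000000\r\n"
    'Name="Project"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="8D8F116A13AF17AF17AF17AF17"\r\n'
    'DPB="CECC5229D22B122C122C12"\r\n'
    'GC="0F0D93E89568D769D76928"\r\n'
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; the same figure the report prints as "Entropy"."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_projectwm(data: bytes) -> list[str]:
    """PROJECTwm (MS-OVBA 2.3.3): per module an MBCS name, NUL, then the UTF-16LE
    name, NUL NUL; the list ends with an extra NUL NUL."""
    names, pos = [], 0
    while pos + 2 <= len(data) and data[pos:pos + 2] != b"\x00\x00":
        end = data.index(b"\x00", pos)
        mbcs = data[pos:end].decode("latin-1")
        pos = end + 1
        uend = pos
        while data[uend:uend + 2] != b"\x00\x00":
            uend += 2
        unicode_name = data[pos:uend].decode("utf-16-le")
        pos = uend + 2
        # Differing spellings are a known trick to confuse tooling, so keep both.
        names.append(unicode_name if unicode_name == mbcs else f"{mbcs}/{unicode_name}")
    return names


def parse_project(text: str) -> dict[str, str]:
    """key=value lines of the PROJECT stream (MS-OVBA 2.3.1), quotes stripped."""
    props = {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def decrypt_ovba(hexstr: str) -> bytes:
    """MS-OVBA 2.4.3.3 'Data Encryption' decryption, shared by CMG, DPB and GC."""
    data = bytes.fromhex(hexstr)
    seed, version_enc, projkey_enc = data[0], data[1], data[2]
    if seed ^ version_enc != 2:  # the spec fixes the version at 2
        raise ValueError("not an MS-OVBA encrypted property")
    ignored = (seed & 6) >> 1          # number of leading padding bytes
    unenc1, enc1, enc2 = seed ^ projkey_enc, projkey_enc, version_enc
    out = bytearray()
    for byte_enc in data[3:]:
        byte = byte_enc ^ ((enc2 + unenc1) & 0xFF)
        enc2, enc1, unenc1 = enc1, byte_enc, byte
        out.append(byte)
    body = bytes(out[ignored:])
    length = int.from_bytes(body[:4], "little")
    return body[4:4 + length]


def project_protection(props: dict[str, str]) -> dict[str, bool]:
    state = int.from_bytes(decrypt_ovba(props["CMG"]), "little")   # ProjectProtectionState
    password = decrypt_ovba(props["DPB"])                            # ProjectPassword
    visibility = decrypt_ovba(props["GC"])                           # ProjectVisibilityState
    return {
        "user_protected": bool(state & 1),
        "host_protected": bool(state & 2),
        "vbe_protected": bool(state & 4),
        # A single 0x00 byte means no password; anything longer is a password hash.
        "password_set": password != b"\x00",
        "visible": visibility == b"\xff",
    }


if __name__ == "__main__":
    wm = bytes.fromhex(PROJECTWM_HEX)
    print("PROJECTwm modules:", parse_projectwm(wm), "entropy=%.6f" % shannon_entropy(wm))
    print("protection:", project_protection(parse_project(PROJECT_TEXT)))
```

For this sample the three encrypted properties decrypt to a protection state of 0, a one-byte 0x00 password record and a visibility byte of 0xFF: the VBA project is neither locked nor password-protected, so the macro source can be inspected directly. The project key recovered from each of the three fields is identical, which is a quick sanity check that the PROJECT text was transcribed correctly.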
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2369 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2369 |
Entropy: | 3.99747599781 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . |
Data Raw: | cc 61 97 00 00 01 00 ff 04 08 00 00 09 04 00 00 a8 03 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00 |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 513 |
Entropy: | 6.25657588824 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . x . . Y . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . d . m . . |
Data Raw: | 01 fd b1 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 a8 03 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 78 81 ac 59 0c 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Stream Path: WordDocument, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 1.82763698532 |
Base64 Encoded: | False |
Data ASCII: | . . . . _ . . . . . . R . . . . . . . . . . . . . . . . ? . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . b . . . b . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . 8 . . . . . . . 8 . . . . . . . 8 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . L . . . . . . . L . . . . . . . L . . . . . . . L . . . . . |
Data Raw: | ec a5 c1 00 5f c0 09 04 00 00 f8 52 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 3f 08 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 08 16 00 32 0e 00 00 62 7f 00 00 62 7f 00 00 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2017 19:46:48.415251017 MEZ | 56191 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:46:48.488327980 MEZ | 53 | 56191 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:46:48.508593082 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:48.508630037 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:48.508702040 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:48.509141922 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:48.509155989 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:48.978873968 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:48.978897095 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:48.979001999 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.357111931 MEZ | 63856 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:46:54.396481991 MEZ | 53 | 63856 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:46:54.423484087 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.423521042 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.423593044 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.423964977 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.423990965 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.905232906 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.905256033 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.905469894 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.920655012 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.920687914 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.920697927 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.920727968 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.920748949 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.920839071 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.920870066 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.997075081 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.997101068 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.997251987 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:54.997287035 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.089315891 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.089330912 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.089482069 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:55.089504004 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.296228886 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:55.603379011 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:55.603416920 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.955823898 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.955856085 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.955872059 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.956047058 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:55.971149921 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.971173048 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.971180916 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.971303940 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:55.974004030 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.974028111 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.974036932 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:55.974102020 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:56.046535015 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.046566963 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.046582937 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.046663046 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:56.046684027 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.113277912 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.113305092 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.113313913 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.113410950 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:56.113440990 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.113643885 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:56.137038946 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.137067080 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.137074947 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.137156963 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:56.152416945 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.388406992 MEZ | 80 | 49167 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:56.388564110 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:57.228106976 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:58.619321108 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:47:01.010507107 MEZ | 55149 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:47:01.362941980 MEZ | 53 | 55149 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:47:01.369384050 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.369425058 MEZ | 80 | 49168 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:01.369601965 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.369748116 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.369762897 MEZ | 80 | 49168 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:01.966017962 MEZ | 80 | 49168 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:01.966322899 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.966453075 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.966475010 MEZ | 80 | 49168 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:32.027132034 MEZ | 57187 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:47:32.313257933 MEZ | 53 | 57187 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:47:32.313761950 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:32.313807011 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:32.316354990 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:32.316510916 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:32.316545963 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.078656912 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.078684092 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.078929901 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:33.394757986 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.394787073 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.394793034 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.395004034 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:33.484566927 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.688391924 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.688484907 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:33.711220026 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.711242914 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.711247921 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.711397886 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:33.801858902 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.801896095 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.801913023 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:33.802058935 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:33.817068100 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:34.014661074 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:34.014692068 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:34.233447075 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:34.608549118 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:34.608593941 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:35.134898901 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:35.171036959 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:35.171072006 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:49.577888012 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:49.592581034 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:49.592606068 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:48:34.720197916 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:48:34.795778036 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:48:34.795836926 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:49:20.093182087 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:49:20.170919895 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:49:20.170958996 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:50:05.054382086 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:50:05.124583960 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:50:05.124610901 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2017 19:46:48.415251017 MEZ | 56191 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:46:48.488327980 MEZ | 53 | 56191 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:46:54.357111931 MEZ | 63856 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:46:54.396481991 MEZ | 53 | 63856 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:47:01.010507107 MEZ | 55149 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:47:01.362941980 MEZ | 53 | 55149 | 8.8.8.8 | 192.168.1.81 |
Feb 22, 2017 19:47:32.027132034 MEZ | 57187 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:47:32.313257933 MEZ | 53 | 57187 | 8.8.8.8 | 192.168.1.81 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 22, 2017 19:46:48.415251017 MEZ | 192.168.1.81 | 8.8.8.8 | 0x439f | Standard query (0) | www.geocities.jp | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:46:54.357111931 MEZ | 192.168.1.81 | 8.8.8.8 | 0xa93b | Standard query (0) | www.geocities.jp | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:47:01.010507107 MEZ | 192.168.1.81 | 8.8.8.8 | 0x1ffe | Standard query (0) | service.microsoft-onedrive.com | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:47:32.027132034 MEZ | 192.168.1.81 | 8.8.8.8 | 0x8dfd | Standard query (0) | help.googleplusupport.com | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 22, 2017 19:46:48.488327980 MEZ | 8.8.8.8 | 192.168.1.81 | 0x439f | No error (0) | www.geocities.jp | | 118.151.231.180 | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:46:54.396481991 MEZ | 8.8.8.8 | 192.168.1.81 | 0xa93b | No error (0) | www.geocities.jp | | 118.151.231.180 | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:47:01.362941980 MEZ | 8.8.8.8 | 192.168.1.81 | 0x1ffe | No error (0) | service.microsoft-onedrive.com | | 116.193.154.28 | A (IP address) | IN (0x0001) |
Feb 22, 2017 19:47:32.313257933 MEZ | 8.8.8.8 | 192.168.1.81 | 0x8dfd | No error (0) | help.googleplusupport.com | | 116.193.154.28 | A (IP address) | IN (0x0001) |
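Two things in the packet and DNS tables above deserve a second look during triage: both service.microsoft-onedrive.com and help.googleplusupport.com resolve to 116.193.154.28, and after the last lookup the sample opens a TCP session to port 53 on that same host (client port 49169) rather than to the resolver 8.8.8.8, which only ever saw UDP queries. The Python below is an added example, not part of the Joe Sandbox report, that runs those two checks over a subset of rows copied from the TCP Packets and DNS Answers tables. Note that the report's TCP Packets table also repeats the UDP/53 resolver packets, so the check must treat the resolver address as expected and only flag port-53 sessions to other hosts; the resolver and client addresses are taken from the UDP Packets table.

```python
"""Added example: triage the report's packet and DNS tables."""
from __future__ import annotations

from collections import defaultdict

RESOLVER = "8.8.8.8"        # the only host the sandbox sent UDP/53 queries to
CLIENT = "192.168.1.81"     # the analysis VM

# Subset of the report's TCP Packets table: timestamp | src port | dst port | src ip | dst ip
TCP_ROWS = """\
Feb 22, 2017 19:46:48.415251017 MEZ | 56191 | 53 | 192.168.1.81 | 8.8.8.8 |
Feb 22, 2017 19:46:48.508593082 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:46:48.508630037 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |
Feb 22, 2017 19:46:54.423484087 MEZ | 49167 | 80 | 192.168.1.81 | 118.151.231.180 |
Feb 22, 2017 19:47:01.369384050 MEZ | 49168 | 80 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:01.369425058 MEZ | 80 | 49168 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:47:32.313761950 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
Feb 22, 2017 19:47:32.313807011 MEZ | 53 | 49169 | 116.193.154.28 | 192.168.1.81 |
Feb 22, 2017 19:50:05.124583960 MEZ | 49169 | 53 | 192.168.1.81 | 116.193.154.28 |
"""

# Subset of the report's DNS Answers table: name | address
DNS_ROWS = """\
www.geocities.jp | 118.151.231.180
www.geocities.jp | 118.151.231.180
service.microsoft-onedrive.com | 116.193.154.28
help.googleplusupport.com | 116.193.154.28
"""


def parse_rows(table: str) -> list[list[str]]:
    """Split the report's pipe-separated rows into stripped cells."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) > 1:
            rows.append(cells)
    return rows


def client_flows(tcp_table: str) -> dict[tuple[str, int], set[int]]:
    """(dst ip, dst port) -> client source ports, client-originated packets only."""
    flows: dict[tuple[str, int], set[int]] = defaultdict(set)
    for _ts, sport, dport, src, dst in parse_rows(tcp_table):
        if src == CLIENT:
            flows[(dst, int(dport))].add(int(sport))
    return dict(flows)


def names_by_address(dns_table: str) -> dict[str, set[str]]:
    """address -> every queried name that resolved to it."""
    addr: dict[str, set[str]] = defaultdict(set)
    for name, ip in parse_rows(dns_table):
        addr[ip].add(name)
    return dict(addr)


def triage(tcp_table: str, dns_table: str) -> list[str]:
    findings = []
    names = names_by_address(dns_table)
    for ip, hosted in sorted(names.items()):
        if len(hosted) > 1:
            findings.append(f"{ip} serves {len(hosted)} queried names: {', '.join(sorted(hosted))}")
    for (dst, port), sports in sorted(client_flows(tcp_table).items()):
        # DNS over TCP to the real resolver is normal; TCP/53 anywhere else is not.
        if port == 53 and dst != RESOLVER:
            label = ", ".join(sorted(names.get(dst, {"<no DNS answer>"})))
            findings.append(f"TCP/53 session to {dst} ({label}) from client port(s) "
                            f"{sorted(sports)}; not the resolver")
    return findings


if __name__ == "__main__":
    for finding in triage(TCP_ROWS, DNS_ROWS):
        print(finding)
```

The same two checks apply unchanged to a full PCAP export: a port-53 session to anything but the configured resolver is the indicator to pivot on, and the shared address ties the two lookalike domains to one piece of infrastructure without relying on the names themselves.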
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Feb 22, 2017 19:46:48.509141922 MEZ | 49166 | 80 | 192.168.1.81 | 118.151.231.180 | 0 | |
Feb 22, 2017 19:46:48.978873968 MEZ | 80 | 49166 | 118.151.231.180 | 192.168.1.81 |