Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 17.0.0 |
Analysis ID: | 213966 |
Start time: | 13:20:54 |
Joe Sandbox Product: | Cloud |
Start date: | 03.02.2017 |
Overall analysis duration: | 0h 3m 57s |
Report type: | full |
Sample file name: | form.doc |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Detection: | MAL |
Classification: | mal100.evad.expl.winDOC@5/18@9/6 |
HCA Information: | |
EGA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Reporting |
---|---|---|---|
Threshold | 100 | 0 - 100 | Report FP / FN |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? |
---|---|---|---|
Threshold | 5 | 0 - 5 | false |
Classification |
---|
Analysis Advice |
---|
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Document exploit detected (creates forbidden files) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Networking: |
---|
Urls found in memory or binary data |
Source: WINWORD.EXE | String found in binary or memory: |
Source: 8059E9A0D314877E40FE93D8CCFB3C69_4A5995ABF71FDF7B853EF246F7E4900C.3052.dr | String found in binary or memory: |
Source: WINWORD.EXE, wscript.exe | String found in binary or memory: |
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr | String found in binary or memory: |
Source: 23B523C9E7746F715D33C6527C18EB9D.3052.dr | String found in binary or memory: |
Source: 828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62.3052.dr | String found in binary or memory: |
Source: sig1C0F.tmp.3052.dr | String found in binary or memory: |
Source: WINWORD.EXE, wscript.exe, TransbaseOdbcDriver.js.3052.dr | String found in binary or memory: |
Source: wscript.exe | String found in binary or memory: |
Source: sig1C0F.tmp.3052.dr, TransbaseOdbcDriver.js.3052.dr | String found in binary or memory: |
Source: wscript.exe, TransbaseOdbcDriver.js.3052.dr | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Found strings which match to known social media urls |
Source: WINWORD.EXE, wscript.exe | String found in binary or memory: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Uses HTTPS |
Source: unknown | Network traffic detected: |
Boot Survival: |
---|
Creates an autostart registry key |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Registry value created or modified: |
Creates an autostart registry key pointing to binary in C:\Windows |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Registry value created or modified: |
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: unknown | Process created: |
Stealing of Sensitive Information: |
---|
Steals Internet Explorer cookies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Data Obfuscation: |
---|
Document contains an embedded VBA with many string operations indicating source code obfuscation |
Source: form.doc | Stream path 'Macros/VBA/NewMacros' : |
Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: | Name: NewMacros |
Spreading: |
---|
Creates COM task schedule object (often to register a task for autostart) |
Source: C:\Windows\System32\schtasks.exe | Key opened: |
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: |
Binary contains paths to development resources |
Source: WINWORD.EXE | Binary or memory string: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the program directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Document contains an OLE Word Document stream indicating a Microsoft Word file |
Source: form.doc | OLE indicator, Word Document stream: |
Document contains summary information with irregular field values |
Source: form.doc | OLE document summary: |
Executes visual basic scripts |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Found command line output |
Source: C:\Windows\System32\schtasks.exe | Console Write: |
Queries process information (via WMI, Win32_Process) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: |
Source: C:\Windows\System32\wscript.exe | WMI Queries: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Spawns processes |
Source: unknown | Process created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Document contains embedded VBA macros |
Source: form.doc | OLE indicator, VBA macros: |
Reads the hosts file |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Source: C:\Windows\System32\wscript.exe | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: form.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen |
Source: VBA code instrumentation | OLE, VBA macro: | Name: Workbook_Open |
Document contains an embedded VBA macro which may execute processes |
Source: form.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: ggl_hex |
Source: VBA code instrumentation | OLE, VBA macro: | Name: SetRegData |
Source: VBA code instrumentation | OLE, VBA macro: | Name: BH5qxufh333W99fghjplkWrtqzzY |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen |
Document contains an embedded VBA macro with suspicious strings |
Source: form.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AL8vhpb5hk3w |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AP6fuezipn4 |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AR4ql6nqd |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AV0kftndmk |
Source: VBA code instrumentation | OLE, VBA macro: | Name: clearStr |
Source: VBA code instrumentation | OLE, VBA macro: | Name: cuid |
Source: VBA code instrumentation | OLE, VBA macro: | Name: GetUserData |
Source: VBA code instrumentation | OLE, VBA macro: | Name: sendFormData |
Source: VBA code instrumentation | OLE, VBA macro: | Name: folderInit |
Source: VBA code instrumentation | OLE, VBA macro: | Name: ggl_runer |
Source: VBA code instrumentation | OLE, VBA macro: | Name: ggl_starter |
Source: VBA code instrumentation | OLE, VBA macro: | Name: ggl_hex |
Source: VBA code instrumentation | OLE, VBA macro: | Name: SetRegData |
Document contains an embedded VBA with base64 encoded strings |
Source: VBA code instrumentation | OLE, VBA macro: |
Document contains an embedded VBA with functions possibly related to ADO stream file operations |
Source: form.doc | Stream path 'Macros/VBA/NewMacros' : |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AR4ql6nqd |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AV0kftndmk |
Source: VBA code instrumentation | OLE, VBA macro: | Name: sendFormData |
Document contains an embedded VBA with functions possibly related to HTTP operations |
Source: form.doc | Stream path 'Macros/VBA/NewMacros' : |
Source: VBA code instrumentation | OLE, VBA macro: | Name: sendFormData |
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes) |
Source: form.doc | Stream path 'Macros/VBA/NewMacros' : |
Potential malicious VBS script found (suspicious strings) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped file: |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: WINWORD.EXE, wscript.exe | Binary or memory string: |
System process connects to network (likely due to code injection or exploit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Network Connect: |
Source: C:\Windows\System32\wscript.exe | Network Connect: |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\wscript.exe | System information queried: |
Malware Analysis System Evasion: |
---|
Found WSH timer for Javascript or VBS script (likely evasive script) |
Source: C:\Windows\System32\wscript.exe | Window found: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Windows\System32\wscript.exe TID: 3264 | Thread sleep time: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: |
Source: C:\Windows\System32\wscript.exe | Process information set: |
Document contains OLE streams with high entropy indicating encrypted embedded content |
Source: form.doc | Stream path 'Data' entropy: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Queries the volume information (name, serial number etc) of a device |
Source: C:\Windows\System32\wscript.exe | Queries volume information: |
Behavior Graph |
---|
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active |
---|---|---|
docs.google.com | 216.58.206.14 | true |
clients1.google.com | 74.125.232.238 | true |
script.google.com | 172.217.22.46 | true |
crl.geotrust.com | 23.51.117.163 | true |
g.symcd.com | 23.43.139.27 | true |
Contacted IPs |
---|
IP | Country | ASN | ASN Name |
---|---|---|---|
23.43.139.27 | United States | 20940 | AkamaiInternationalBV |
216.58.206.14 | United States | 15169 | GoogleInc |
8.8.8.8 | United States | 15169 | GoogleInc |
23.51.117.163 | United States | 3257 | TinetSpA |
172.217.22.46 | United States | 15169 | GoogleInc |
74.125.232.238 | United States | 15169 | GoogleInc |
Static File Info |
---|
General | |
---|---|
File type: | 0 |
TrID: | |
File name: | form.doc |
File size: | 322560 |
MD5: | cb25eb3053cc9b5dd6a3beedb04bb734 |
SHA1: | 3fc3e1a0385ff0f494a8a5f764bcf00f555ebac3 |
SHA256: | 111fc266692af396a0db176c49455acef907bb6d16715f5a6a3517362e218658 |
SHA512: | 6116c475fa24df1f3b707e7e8ff8a49978a822149754b10ed588df9a8d1d66d0409bc1c6265b4fc8f6311004e15967820e8a1f60453698d1013b93f245074fab |
File Icon |
---|
Static OLE Info |
---|
General | |
---|---|
Document Type: | OLE |
Number of OLE Files: | 1 |
OLE File "form.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1252 |
Title: | |
Subject: | |
Author: | Lara |
Keywords: | |
Comments: | |
Template: | Normal |
Last Saved By: | test |
Revision Number: | 17 |
Total Edit Time: | 540 |
Create Time: | 2016-06-30 22:51:00 |
Last Saved Time: | 2016-08-30 18:44:00 |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 2 |
Creating Application: | Microsoft Office Word |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1252 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 983040 |
Streams with VBA |
---|
VBA File Name: NewMacros.bas, Stream Size: 113240 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/NewMacros |
VBA File Name: | NewMacros.bas |
Stream Size: | 113240 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
VBA File Name: ThisDocument.cls, Stream Size: 1097 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 1097 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 114 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 114 |
Entropy: | 4.2359563651 |
Base64 Encoded: | True |
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 280 |
Entropy: | 2.38363343331 |
Base64 Encoded: | False |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 408 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 408 |
Entropy: | 3.1371856448 |
Base64 Encoded: | False |
Stream Path: 1Table, File Type: data, Stream Size: 16769 |
---|
General | |
---|---|
Stream Path: | 1Table |
File Type: | data |
Stream Size: | 16769 |
Entropy: | 6.46592721653 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . |
Data Raw: | 0a 06 11 00 12 00 01 00 73 01 0f 00 07 00 05 00 05 00 05 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 |
Stream Path: Data, File Type: data, Stream Size: 79536 |
---|
General | |
---|---|
Stream Path: | Data |
File Type: | data |
Stream Size: | 79536 |
Entropy: | 7.98136640998 |
Base64 Encoded: | True |
Data ASCII: | . 6 . . D . d . . . . . . . . . . . . . . . . . . . . . t # n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . U . n . t . i . t . l . e . d . . . P . i . c . t . u . r . e . . 3 . . . C . : . \\ . U . s . e . r . s . \\ . t . e . s . t . a . d . m . i . n . \\ . D . e . s . k . t . o . p . \\ . U . n . t . i . t . |
Data Raw: | b0 36 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 74 23 6e 1a e1 03 e1 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 de 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 93 00 0b f0 ac 00 00 00 7f 00 80 00 f9 01 04 41 01 00 00 00 05 c1 12 00 00 00 3f 01 00 00 06 00 bf 01 00 00 |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 430 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 430 |
Entropy: | 5.38651703035 |
Base64 Encoded: | True |
Data ASCII: | I D = " { C C B 4 F 9 4 9 - 2 8 0 F - 4 4 2 3 - 9 B F 0 - 3 0 3 9 1 5 F 1 3 3 A A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 3 7 1 B 5 4 3 2 D 4 7 2 D 4 7 2 D 4 7 2 D 4 7 " . . D P B = " E 7 E 5 2 1 D F E 1 2 7 5 4 2 8 5 4 2 8 5 4 " . . G C = " 5 B 5 9 9 D 6 B 1 0 6 C |
Data Raw: | 49 44 3d 22 7b 43 43 42 34 46 39 34 39 2d 32 38 30 46 2d 34 34 32 33 2d 39 42 46 30 2d 33 30 33 39 31 35 46 31 33 33 41 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.34859995248 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00 |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4592 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4592 |
Entropy: | 5.28689188874 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . |
Data Raw: | cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 54629 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_0 |
File Type: | data |
Stream Size: | 54629 |
Entropy: | 3.94641189095 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . 8 . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . l [ . . A . . . U 7 . 1 . . . . . . . . |
Data Raw: | 93 4b 2a a3 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 38 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 |
Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 203 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_1 |
File Type: | data |
Stream Size: | 203 |
Entropy: | 3.57308788581 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . A O 3 o p b j n r p 9 . . . . . . . . A Q 4 i l b e v k 2 j . . . . . . . . T e x t . . . . . . . . B i n a r y . . . . . . . . V a l u e . . . . . . . . Y o u r P a t h [ . . . . . . . |
Data Raw: | 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 04 00 03 00 00 09 d9 02 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 03 00 00 08 0b 00 00 00 41 4f 33 6f 70 62 6a 6e 72 70 39 03 00 00 08 0b 00 00 |
Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 220 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_2 |
File Type: | data |
Stream Size: | 220 |
Entropy: | 2.14975395637 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 b9 05 00 00 00 00 00 00 e1 05 00 00 00 00 00 00 09 06 00 00 00 00 00 00 09 00 00 00 01 00 02 00 91 05 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 31 06 00 00 00 00 00 00 61 00 00 00 00 00 |
Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 66 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_3 |
File Type: | data |
Stream Size: | 66 |
Entropy: | 1.75895870298 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . n . . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00 |
Stream Path: Macros/VBA/__SRP_4, File Type: data, Stream Size: 832 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_4 |
File Type: | data |
Stream Size: | 832 |
Entropy: | 2.48706696998 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / $ . ! . . . . . . . . . . ` . . . . . . |
Data Raw: | 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 28 00 81 00 00 00 00 00 05 00 00 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01 00 00 00 00 00 0f 2f 28 00 a9 00 00 00 00 00 05 00 01 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 |
Stream Path: Macros/VBA/__SRP_5, File Type: data, Stream Size: 18772 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_5 |
File Type: | data |
Stream Size: | 18772 |
Entropy: | 4.88615379941 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 08 00 00 00 00 00 05 00 13 00 00 00 b4 01 00 00 f1 09 00 00 00 00 00 00 01 0b 00 00 00 00 00 00 71 0b 00 00 00 00 00 00 09 0a 00 00 00 00 00 00 49 0a 00 00 00 00 00 00 d1 00 00 00 00 00 05 00 79 0a 00 00 00 00 00 00 c1 0a 00 00 00 00 |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 578 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 578 |
Entropy: | 6.3173414773 |
Base64 Encoded: | True |
Data ASCII: | . > . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . Y . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . . |
Data Raw: | 01 3e b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d4 e9 8e 59 1c 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Stream Path: WordDocument, File Type: data, Stream Size: 5166 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 5166 |
Entropy: | 3.45862834817 |
Base64 Encoded: | False |
Data ASCII: | . . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 f0 11 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 14 00 00 70 61 21 5c 70 61 21 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 01 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Stream Path: _xmlsignatures/30468, File Type: XML document text, Stream Size: 13897 |
---|
General | |
---|---|
Stream Path: | _xmlsignatures/30468 |
File Type: | XML document text |
Stream Size: | 13897 |
Entropy: | 5.97954736124 |
Base64 Encoded: | True |
Data ASCII: | < ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " ? > < S i g n a t u r e x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / 0 9 / x m l d s i g # " I d = " i d P a c k a g e S i g n a t u r e " > < S i g n e d I n f o > < C a n o n i c a l i z a t i o n M e t h o d A l g o r i t h m = " h t t p : / / w w w . w 3 . o r g / T R / 2 0 0 1 / R E C - x m l - c 1 4 n - 2 0 0 1 0 3 1 5 " / > < S i g n a t u r e M e t h o d A l g o r i t h m = " h t t p : / / w w w . w 3 . o |
Data Raw: | 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 53 69 67 6e 61 74 75 72 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 22 20 49 64 3d 22 69 64 50 61 63 6b 61 67 65 53 69 67 6e 61 74 75 72 65 22 3e 3c 53 69 67 6e 65 64 49 6e 66 6f 3e |
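The stream listing above reports path, size and entropy for each OLE stream but leaves the interpretation to the reader. The following is an added example (not Joe Sandbox output and not part of the original report) showing how an analyst triages such a listing: a Shannon entropy routine of the kind that produced the "Entropy" column, a parser for the INI-style Macros/PROJECT stream (its text is reconstructed here from the ASCII dump above; the GC= line is cut off in the dump and therefore omitted), and a tagger that marks VBA project parts, XML signature parts and large high-entropy streams. The 7.5 bits/byte threshold, the 1024-byte minimum size and the tag names are choices made for this example, not values from the report.

```python
"""Triage an OLE stream listing like the one above (added example, not report output)."""
import math
from collections import Counter

# Threshold above which a large stream is tagged as likely compressed or encrypted.
# Chosen for this example; the report itself only prints the entropy value.
HIGH_ENTROPY = 7.5
MIN_SIZE_FOR_ENTROPY_FLAG = 1024  # tiny streams give noisy entropy estimates

# (path, size, entropy) rows copied from the stream listing above. The report
# writes the 0x05 prefix byte of the property-set stream as "\x5".
STREAMS = [
    ("\x05SummaryInformation", 408, 3.1371856448),
    ("1Table", 16769, 6.46592721653),
    ("Data", 79536, 7.98136640998),
    ("Macros/PROJECT", 430, 5.38651703035),
    ("Macros/PROJECTwm", 71, 3.34859995248),
    ("Macros/VBA/_VBA_PROJECT", 4592, 5.28689188874),
    ("Macros/VBA/__SRP_0", 54629, 3.94641189095),
    ("Macros/VBA/__SRP_1", 203, 3.57308788581),
    ("Macros/VBA/__SRP_2", 220, 2.14975395637),
    ("Macros/VBA/__SRP_3", 66, 1.75895870298),
    ("Macros/VBA/__SRP_4", 832, 2.48706696998),
    ("Macros/VBA/__SRP_5", 18772, 4.88615379941),
    ("Macros/VBA/dir", 578, 6.3173414773),
    ("WordDocument", 5166, 3.45862834817),
    ("_xmlsignatures/30468", 13897, 5.97954736124),
]

# Text of the Macros/PROJECT stream as shown in its ASCII dump above. The dump
# is cut off inside the GC= line, so that line is left out rather than guessed.
PROJECT_TEXT = (
    'ID="{CCB4F949-280F-4423-9BF0-303915F133AA}"\r\n'
    "Document=ThisDocument/&H00000000\r\n"
    "Module=NewMacros\r\n"
    'HelpFile=""\r\n'
    'Name="Project"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="7371B5432D472D472D472D47"\r\n'
    'DPB="E7E521DFE1275428542854"\r\n'
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_project_stream(text: str) -> dict:
    """Parse the INI-style PROJECT stream into project GUID, document module and standard modules.

    Every Module=/Class=/BaseClass= line names a stream under Macros/VBA/ that holds
    the (compressed) source of that module; the Document= line names the document
    module, whose code stream is listed the same way.
    """
    info = {"id": None, "document": None, "modules": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if key == "ID":
            info["id"] = value
        elif key == "Document":
            info["document"] = value.split("/", 1)[0]  # drop the /&H... flags
        elif key in ("Module", "Class", "BaseClass"):
            info["modules"].append(value)
    return info


def tag_stream(path: str, size: int, entropy: float) -> list:
    """Tags for one stream: 'vba' for macro project parts, 'signature' for XMLDSig parts,
    'high-entropy' for large streams that look compressed or encrypted."""
    tags = []
    if path.startswith("Macros/"):
        tags.append("vba")
    if path.startswith("_xmlsignatures/"):
        tags.append("signature")
    if size >= MIN_SIZE_FOR_ENTROPY_FLAG and entropy >= HIGH_ENTROPY:
        tags.append("high-entropy")
    return tags


def triage(streams=STREAMS) -> dict:
    """Return {path: tags} for every stream that received at least one tag."""
    result = {}
    for path, size, entropy in streams:
        tags = tag_stream(path, size, entropy)
        if tags:
            result[path] = tags
    return result


if __name__ == "__main__":
    project = parse_project_stream(PROJECT_TEXT)
    print("VBA project", project["id"], "document module:", project["document"],
          "modules:", project["modules"])
    for path, tags in triage().items():
        print(f"{path!r:30} {', '.join(tags)}")
```

Run against the listing, the tagger singles out the 79 KB `Data` stream at 7.98 bits/byte as the only high-entropy item; its ASCII dump mentions "Untitled Picture" and a path under C:\Users\testadmin\, so an embedded image is the likely source of that entropy, which makes it a lead to carve rather than proof of a packed payload. The PROJECT stream names the two modules whose code streams (ThisDocument and NewMacros) carry the macro source that the report's process-start signatures stem from; the \x05SummaryInformation dump, which contains the string "Lara", is where a property-set parser would recover author and save metadata.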
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 3, 2017 13:21:30.046524048 CET | 52380 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:30.322197914 CET | 53 | 52380 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:30.339765072 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:30.339813948 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:30.339890003 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:30.350121021 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:30.350151062 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.061212063 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.061237097 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.061249971 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.061343908 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:31.082077980 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.082222939 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:31.118853092 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:31.118871927 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.466020107 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:31.466111898 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:31.885040998 CET | 58054 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:32.240303040 CET | 53 | 58054 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:32.244097948 CET | 55399 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:32.477293968 CET | 53 | 55399 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:33.041954041 CET | 53010 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:33.390506029 CET | 53 | 53010 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:33.401477098 CET | 52401 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:33.641087055 CET | 53 | 52401 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:33.644304037 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:21:33.644361019 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:21:33.644537926 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:21:33.645129919 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:21:33.645164013 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:21:34.076262951 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:21:34.183749914 CET | 53278 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:34.276438951 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:21:34.276707888 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:21:34.466198921 CET | 53 | 53278 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:34.475553989 CET | 64052 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:34.707212925 CET | 53 | 64052 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:34.708375931 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:34.708429098 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:21:34.708523035 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:34.708909988 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:34.708930969 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:21:35.102711916 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:21:35.102744102 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:21:35.102998018 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:35.220506907 CET | 58256 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:35.456484079 CET | 53 | 58256 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:35.462969065 CET | 49178 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:35.694485903 CET | 53 | 49178 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:35.696316957 CET | 49166 | 80 | 192.168.1.16 | 74.125.232.238 |
Feb 3, 2017 13:21:35.696408987 CET | 80 | 49166 | 74.125.232.238 | 192.168.1.16 |
Feb 3, 2017 13:21:35.696583986 CET | 49166 | 80 | 192.168.1.16 | 74.125.232.238 |
Feb 3, 2017 13:21:35.697237968 CET | 49166 | 80 | 192.168.1.16 | 74.125.232.238 |
Feb 3, 2017 13:21:35.697273970 CET | 80 | 49166 | 74.125.232.238 | 192.168.1.16 |
Feb 3, 2017 13:21:36.214596987 CET | 80 | 49166 | 74.125.232.238 | 192.168.1.16 |
Feb 3, 2017 13:21:36.233733892 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.233757973 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:36.234179020 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.234194994 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:36.416430950 CET | 80 | 49166 | 74.125.232.238 | 192.168.1.16 |
Feb 3, 2017 13:21:36.416605949 CET | 49166 | 80 | 192.168.1.16 | 74.125.232.238 |
Feb 3, 2017 13:21:36.859767914 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:36.859987020 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.874950886 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.875072956 CET | 443 | 49162 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:36.875163078 CET | 49162 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.879256010 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.879291058 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:36.879375935 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.880064964 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:36.880084991 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:37.316308975 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:37.316502094 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:37.317208052 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:37.317241907 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:37.341294050 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:37.341317892 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.426789999 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.427006006 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.428414106 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.428456068 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.428467035 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.428574085 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.440733910 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.440758944 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.440768957 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.440890074 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.440915108 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.441035986 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.524521112 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.524549961 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.524791002 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.538294077 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.538326979 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.538569927 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.554888964 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.554913998 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.554923058 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.555155039 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:38.627758026 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.627785921 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.627795935 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:21:38.628140926 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:21:39.809606075 CET | 54872 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:40.109858990 CET | 53 | 54872 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:40.216468096 CET | 65034 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:40.448889971 CET | 53 | 65034 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:40.449740887 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:40.449780941 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.449893951 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:40.469163895 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:40.469191074 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.794019938 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.794051886 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.794068098 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.794212103 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:40.892060995 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:40.907182932 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:40.907217979 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.148633003 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.352432966 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.352523088 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:41.573354006 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:41.573376894 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.962523937 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.962548018 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.962557077 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:41.962634087 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:42.019470930 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:42.220429897 CET | 443 | 49168 | 172.217.22.46 | 192.168.1.16 |
Feb 3, 2017 13:21:42.220552921 CET | 49168 | 443 | 192.168.1.16 | 172.217.22.46 |
Feb 3, 2017 13:21:57.420198917 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:21:57.420351028 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:57.420552969 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 |
Feb 3, 2017 13:21:57.420586109 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |
Feb 3, 2017 13:22:14.934688091 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:22:14.934828043 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:22:14.934962034 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 |
Feb 3, 2017 13:22:14.934988022 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 |
Feb 3, 2017 13:22:36.220221043 CET | 49166 | 80 | 192.168.1.16 | 74.125.232.238 |
Feb 3, 2017 13:23:29.721219063 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
Feb 3, 2017 13:23:29.721396923 CET | 443 | 49167 | 216.58.206.14 | 192.168.1.16 |
Feb 3, 2017 13:23:29.721539021 CET | 49167 | 443 | 192.168.1.16 | 216.58.206.14 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 3, 2017 13:21:30.046524048 CET | 52380 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:30.322197914 CET | 53 | 52380 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:31.885040998 CET | 58054 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:32.240303040 CET | 53 | 58054 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:32.244097948 CET | 55399 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:32.477293968 CET | 53 | 55399 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:33.041954041 CET | 53010 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:33.390506029 CET | 53 | 53010 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:33.401477098 CET | 52401 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:33.641087055 CET | 53 | 52401 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:34.183749914 CET | 53278 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:34.466198921 CET | 53 | 53278 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:34.475553989 CET | 64052 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:34.707212925 CET | 53 | 64052 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:35.220506907 CET | 58256 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:35.456484079 CET | 53 | 58256 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:35.462969065 CET | 49178 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:35.694485903 CET | 53 | 49178 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:39.809606075 CET | 54872 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:40.109858990 CET | 53 | 54872 | 8.8.8.8 | 192.168.1.16 |
Feb 3, 2017 13:21:40.216468096 CET | 65034 | 53 | 192.168.1.16 | 8.8.8.8 |
Feb 3, 2017 13:21:40.448889971 CET | 53 | 65034 | 8.8.8.8 | 192.168.1.16 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 3, 2017 13:21:30.046524048 CET | 192.168.1.16 | 8.8.8.8 | 0x42e3 | Standard query (0) | docs.google.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:33.041954041 CET | 192.168.1.16 | 8.8.8.8 | 0xe092 | Standard query (0) | crl.geotrust.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:33.401477098 CET | 192.168.1.16 | 8.8.8.8 | 0xcd35 | Standard query (0) | crl.geotrust.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:34.183749914 CET | 192.168.1.16 | 8.8.8.8 | 0x1de9 | Standard query (0) | g.symcd.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:34.475553989 CET | 192.168.1.16 | 8.8.8.8 | 0x81ac | Standard query (0) | g.symcd.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:35.220506907 CET | 192.168.1.16 | 8.8.8.8 | 0xee5 | Standard query (0) | clients1.google.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:35.462969065 CET | 192.168.1.16 | 8.8.8.8 | 0xfe43 | Standard query (0) | clients1.google.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:39.809606075 CET | 192.168.1.16 | 8.8.8.8 | 0x4669 | Standard query (0) | script.google.com | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:40.216468096 CET | 192.168.1.16 | 8.8.8.8 | 0x41cc | Standard query (0) | script.google.com | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 3, 2017 13:21:30.322197914 CET | 8.8.8.8 | 192.168.1.16 | 0x42e3 | No error (0) | docs.google.com | | 216.58.206.14 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:33.390506029 CET | 8.8.8.8 | 192.168.1.16 | 0xe092 | No error (0) | crl.geotrust.com | | 23.51.117.163 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:33.641087055 CET | 8.8.8.8 | 192.168.1.16 | 0xcd35 | No error (0) | crl.geotrust.com | | 23.51.117.163 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:34.466198921 CET | 8.8.8.8 | 192.168.1.16 | 0x1de9 | No error (0) | g.symcd.com | | 23.43.139.27 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:34.707212925 CET | 8.8.8.8 | 192.168.1.16 | 0x81ac | No error (0) | g.symcd.com | | 23.43.139.27 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:35.456484079 CET | 8.8.8.8 | 192.168.1.16 | 0xee5 | No error (0) | clients1.google.com | | 74.125.232.238 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:35.694485903 CET | 8.8.8.8 | 192.168.1.16 | 0xfe43 | No error (0) | clients1.google.com | | 74.125.232.238 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:40.109858990 CET | 8.8.8.8 | 192.168.1.16 | 0x4669 | No error (0) | script.google.com | | 172.217.22.46 | A (IP address) | IN (0x0001) |
Feb 3, 2017 13:21:40.448889971 CET | 8.8.8.8 | 192.168.1.16 | 0x41cc | No error (0) | script.google.com | | 172.217.22.46 | A (IP address) | IN (0x0001) |
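The TCP and DNS tables above list every packet but leave the analyst to join them. The following added example (not Joe Sandbox output and not part of the original report) does that join on rows copied from the tables: it maps answered addresses back to names, reduces the TCP packets to one entry per client-originated connection in first-contact order, and separates connections that look like certificate-revocation lookups from the destinations the document chose. Treating crl.geotrust.com, g.symcd.com and clients1.google.com on port 80 as revocation traffic is an assumption made for this example (it matches the CRL and OCSP responders named in the Google certificate chain of that period); confirm it against the request URIs in the HTTP section before relying on it.

```python
"""Correlate the DNS answers and TCP packets tables above (added example, not report output)."""

# Rows copied from the "DNS Answers" table in the report: (name, address).
DNS_ANSWERS = [
    ("docs.google.com", "216.58.206.14"),
    ("crl.geotrust.com", "23.51.117.163"),
    ("crl.geotrust.com", "23.51.117.163"),
    ("g.symcd.com", "23.43.139.27"),
    ("g.symcd.com", "23.43.139.27"),
    ("clients1.google.com", "74.125.232.238"),
    ("clients1.google.com", "74.125.232.238"),
    ("script.google.com", "172.217.22.46"),
    ("script.google.com", "172.217.22.46"),
]

# Excerpt of the "TCP Packets" table: the first client-originated packet of each
# connection, as (timestamp, src port, dst port, src ip, dst ip). The full table
# would work the same way; only the first packet per connection is kept below.
TCP_PACKETS = [
    ("13:21:30.339765072", 49162, 443, "192.168.1.16", "216.58.206.14"),
    ("13:21:33.644304037", 49164, 80, "192.168.1.16", "23.51.117.163"),
    ("13:21:34.708375931", 49165, 80, "192.168.1.16", "23.43.139.27"),
    ("13:21:35.696316957", 49166, 80, "192.168.1.16", "74.125.232.238"),
    ("13:21:36.879256010", 49167, 443, "192.168.1.16", "216.58.206.14"),
    ("13:21:40.449740887", 49168, 443, "192.168.1.16", "172.217.22.46"),
]

SANDBOX_CLIENT = "192.168.1.16"  # the analysis VM, from the Source IP column

# Hostnames this example treats as certificate-revocation infrastructure (CRL/OCSP
# fetched by the OS while validating the HTTPS sessions) rather than destinations
# the macro chose. Assumption for this example; verify against the HTTP request URIs.
REVOCATION_HOSTS = {"crl.geotrust.com", "g.symcd.com", "clients1.google.com"}


def ip_to_hostnames(dns_answers):
    """Map each answered address to the set of names that resolved to it."""
    mapping = {}
    for name, addr in dns_answers:
        mapping.setdefault(addr, set()).add(name)
    return mapping


def connections(tcp_packets, client=SANDBOX_CLIENT):
    """One entry per client-originated connection, keyed by (src port, dst ip, dst port),
    holding the timestamp of its earliest packet, in first-contact order."""
    conns = {}
    for ts, sport, dport, src, dst in sorted(tcp_packets):
        if src != client:
            continue  # server-to-client packets never start a connection here
        conns.setdefault((sport, dst, dport), ts)
    return conns


def classify(conns, mapping):
    """Label each connection 'revocation-check', 'tls' or 'http', naming the host if DNS resolved it."""
    out = []
    for (sport, dst, dport), ts in conns.items():
        names = sorted(mapping.get(dst, ()))
        host = names[0] if names else dst
        if host in REVOCATION_HOSTS and dport == 80:
            kind = "revocation-check"
        elif dport == 443:
            kind = "tls"
        else:
            kind = "http"
        out.append({"first_seen": ts, "host": host, "dst": dst, "port": dport, "kind": kind})
    return out


def macro_destinations(tcp_packets=TCP_PACKETS, dns_answers=DNS_ANSWERS):
    """Hosts contacted that are not explained as revocation checks, in first-contact order."""
    mapping = ip_to_hostnames(dns_answers)
    seen = []
    for c in classify(connections(tcp_packets), mapping):
        if c["kind"] != "revocation-check" and c["host"] not in seen:
            seen.append(c["host"])
    return seen


if __name__ == "__main__":
    for c in classify(connections(TCP_PACKETS), ip_to_hostnames(DNS_ANSWERS)):
        print(f'{c["first_seen"]}  {c["host"]:22} {c["dst"]:16} :{c["port"]:<4} {c["kind"]}')
    print("macro destinations:", macro_destinations())
```

What survives the filter is two TLS sessions to docs.google.com (ports 49162 and 49167) and one to script.google.com, in that order; the three port-80 connections sit between the first docs.google.com handshake and the second, which is where chain validation for that session would place them. Because the capture shows only the handshakes, what was requested over the TLS sessions is not visible without interception, and the same hostnames serve legitimate Google Docs and Apps Script traffic, so the destinations alone do not distinguish payload retrieval from benign use.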
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Feb 3, 2017 13:21:33.645129919 CET | 49164 | 80 | 192.168.1.16 | 23.51.117.163 | 7 | |
Feb 3, 2017 13:21:34.076262951 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 | 8 | |
Feb 3, 2017 13:21:34.276438951 CET | 80 | 49164 | 23.51.117.163 | 192.168.1.16 | 8 | |
Feb 3, 2017 13:21:34.708909988 CET | 49165 | 80 | 192.168.1.16 | 23.43.139.27 | 9 | |
Feb 3, 2017 13:21:35.102711916 CET | 80 | 49165 | 23.43.139.27 | 192.168.1.16 |